[Mageia-sysadm] ldap server certificate (was: Re: [Mageia-discuss] Fosdem report)
boklm at mars-attacks.org
Tue Feb 14 18:39:09 CET 2012
On Tue, 14 Feb 2012, Romain d'Alverny wrote:
> On Tue, Feb 14, 2012 at 17:35, Michael Scherer <misc at zarb.org> wrote:
> >> It looks like we are still using a self-signed certificate on the ldap
> >> server. So it's required to have "TLS_REQCERT allow" in /etc/openldap/ldap.conf
> >> to be able to connect to the ldap server.
> >> Should we also use the *.mageia.org certificate on the ldap server?
> Wouldn't that make sense?
That would work, but some people can easily get any certificate signed
by official certificate authorities, so it's not very reliable; it's
only useful to remove warnings in web browsers. And we have a wildcard
certificate, so the same certificate is used on all mageia https
websites, and if one of the servers is compromised then the key used by
the ldap server can be stolen.
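The two client configurations under discussion side by side, as an added example that is not part of the original message or of Mageia's own configuration. It contrasts the "TLS_REQCERT allow" workaround with pinning the server's self-signed certificate through TLS_CACERT, which lets clients verify the server without a public CA and without sharing the wildcard key. The host name ldap.mageia.org and the path /etc/openldap/mageia-ldap.crt are assumptions made for illustration.

```conf
# /etc/openldap/ldap.conf (client side) -- two alternative variants,
# use one or the other. Host name and certificate path are assumed.

# --- Variant A: the workaround mentioned in the thread -----------------
# "allow" makes the client continue even when the server certificate
# cannot be validated, so any certificate is accepted, including one
# presented by a man-in-the-middle. The session is still encrypted,
# but the server is not authenticated.
URI         ldaps://ldap.mageia.org
TLS_REQCERT allow

# --- Variant B: pin the server's self-signed certificate ---------------
# Copy the server certificate to the client out of band (and compare its
# fingerprint with the one the sysadmins publish), then name it as the
# trust anchor: a self-signed certificate is its own CA. "demand" is the
# OpenLDAP default and aborts the connection if the presented certificate
# does not match TLS_CACERT or the host name does not match. The LDAP
# key stays separate from the *.mageia.org web certificate.
URI         ldaps://ldap.mageia.org
TLS_CACERT  /etc/openldap/mageia-ldap.crt
TLS_REQCERT demand
```

With variant B, `ldapsearch -x -H ldaps://ldap.mageia.org -b '' -s base` fails with a certificate verification error if the server presents anything other than the pinned certificate; for a plain ldap:// URI, `ldapsearch -ZZ` forces StartTLS and applies the same checks. The fingerprint to compare before trusting the file can be printed with `openssl x509 -in /etc/openldap/mageia-ldap.crt -noout -fingerprint -sha256`. Note that pinning still expires with the certificate, so clients need the new file whenever the server certificate is rotated.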