[Mageia-sysadm] ldap server certificate (was: Re: [Mageia-discuss] Fosdem report)

Michael Scherer misc at zarb.org
Wed Feb 15 10:32:35 CET 2012

Le mardi 14 février 2012 à 17:54 +0100, Romain d'Alverny a écrit :
> On Tue, Feb 14, 2012 at 17:35, Michael Scherer <misc at zarb.org> wrote:
> >> It looks like we are still using a self-signed certificate on the ldap
> >> server. So it's required to have "TLS_REQCERT allow" in /etc/openldap/ldap.conf
> >> to be able to connect to the ldap server.
> >>
> >> Should we also use the *.mageia.org certificate on the ldap server ?
> Wouldn't that make sense?

I fear that some tools would requires CA in a slightly different format
( like key in one file, signature in another one ).
For example, postgresql seems to need this ( since I had to write a
special class for this, see rev 530 and 531 on adm svn.
This can surely be worked around, but I am not sure if this would
preserve the certificate signature ( I am rather bad when it come to certificate, each time, 
I think I understood openssl, and in fact, i didn't )

> >> Or have our own CA with keys distributed by rpm packages in the
> >> distribution ?
> >
> > I would say "our own CA, but that's such a PITA :/
> Why?

Because openssl is weird :p

Michael Scherer

More information about the Mageia-sysadm mailing list