Stephen Ingram wrote:
> On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden <[email protected]> wrote:
>
> > Stephen Ingram wrote:
> > > On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram <[email protected]> wrote:
> > >
> > > > I have one client using a certificate issued by a third party
> > > > provider such that any secure (TLS) LDAP queries are refused since
> > > > the certificates were not issued by IPA. Since there are only a few
> > > > clients with foreign certificates, can the CA simply be added to the
> > > > NSS database used by the 389 directory server so IPA will establish
> > > > a secure connection with them?
> > >
> > > I should have added, "or do I have to somehow add the certificate to the
> > > IPA directory?"
> >
> > Need a little more context here. IPA doesn't use SSL client
> > authentication so it shouldn't be an issue. Can you provide more details
> > on what the client side is doing and what errors you are seeing?
>
> Thanks Rob. I imported the CA into both the httpd and ldap NSS databases
> and it works. Interestingly, I'm currently using version 3.0 of IPA,
> which still has the split directories. The CA imported properly into the
> main IPA directory, but would not import into the PKI directory without
> errors on restart. As I only really needed it in the main directory, I'm
> OK for now; however, I'm wondering if this will be a problem when we
> move to version 3.3 and the two directories are combined.
I'd need to see the errors you were getting. I don't see why the existence of a trusted CA cert would cause a service to not start.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
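The import Stephen describes (a third-party CA added to the httpd and 389-ds NSS databases) is done with certutil from nss-tools. The script below is an added example, not code from the thread or from the FreeIPA project: it builds a throwaway self-signed "third-party" CA in a scratch NSS database (constructed demo data), imports it into a second scratch database that stands in for the service database, and checks that the resulting trust flags mark it as a trusted TLS CA. The IPA 3.0 database paths named in the comments (/etc/httpd/alias for httpd, /etc/dirsrv/slapd-<INSTANCE> for 389-ds) are assumptions for the reader's own system; the script never touches them, and the function and nickname names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: import a third-party CA into an
# NSS database with certutil and confirm it is trusted for TLS peer certs.
# Assumptions: nss-tools (certutil) is installed. Real IPA 3.0 database paths
# (assumed, not used here):
#   httpd  : /etc/httpd/alias
#   389-ds : /etc/dirsrv/slapd-<INSTANCE>
set -eu

# Import a PEM CA certificate into an NSS database under a nickname.
# Trust flags "CT,,": trusted CA for TLS server certs (C) and for TLS client
# certs (T); no e-mail or code-signing trust. "C,," is enough when no client
# certificates from that CA will ever be presented to the service.
import_ca_into_nssdb() {
    db="$1"; nick="$2"; pem="$3"; trust="${4:-CT,,}"
    certutil -A -d "$db" -n "$nick" -t "$trust" -a -i "$pem"
}

# Return 0 when the nickname exists in the database with server trust (C)
# set in the SSL column of "certutil -L" output, 1 otherwise.
nssdb_has_trusted_ca() {
    db="$1"; nick="$2"
    certutil -L -d "$db" | grep -F -- "$nick" | awk '{print $NF}' | grep -q '^C'
}

# Build a throwaway self-signed CA in a scratch NSS database and export it as
# PEM. This stands in for the certificate the external provider would hand out
# (constructed demo data; a real CA cert would be supplied by the provider).
make_demo_ca() {
    cadb="$1"; pem="$2"
    mkdir -p "$cadb"
    printf 'demo-password\n' > "$cadb/pw"
    head -c 2048 /dev/urandom > "$cadb/noise"     # entropy for key generation
    certutil -N -d "$cadb" -f "$cadb/pw"
    certutil -S -d "$cadb" -f "$cadb/pw" -z "$cadb/noise" \
        -n "Demo Third-Party CA" -s "CN=Demo Third-Party CA" \
        -x -t "CT,," -k rsa -g 2048 -v 12 >/dev/null
    certutil -L -d "$cadb" -n "Demo Third-Party CA" -a > "$pem"
}

# End-to-end demo: scratch "service" database, import, verify. Sets DEMO_DB so a
# caller can inspect the resulting database.
demo() {
    work="$(mktemp -d)"
    make_demo_ca "$work/ca" "$work/ca.pem"

    # $work/target plays the role of /etc/httpd/alias or /etc/dirsrv/slapd-<INSTANCE>.
    DEMO_DB="$work/target"
    mkdir -p "$DEMO_DB"
    printf 'demo-password\n' > "$DEMO_DB/pw"
    certutil -N -d "$DEMO_DB" -f "$DEMO_DB/pw"

    import_ca_into_nssdb "$DEMO_DB" "Demo Third-Party CA" "$work/ca.pem"
    if ! nssdb_has_trusted_ca "$DEMO_DB" "Demo Third-Party CA"; then
        echo "CA was not imported with server trust" >&2
        return 1
    fi
    certutil -L -d "$DEMO_DB"     # show nickname and trust attributes
}

# Run the demo only when certutil is available, so the file loads cleanly elsewhere.
if command -v certutil >/dev/null 2>&1; then
    demo
fi
```

On a real server, run import_ca_into_nssdb against each service database that must trust the provider's CA and then restart that service (dirsrv or httpd), since the databases are read when the service starts; certutil -L -d <db> afterwards should list the nickname with C in the first trust column.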
