
Re: client (non) verification of server SSL certs



søn, 2002-10-20 kl. 19:12 skrev John Morris:

> How do I control this behavior to ensure the client verifies the
> servers certificates before continuing with the ldap query?

I'd say that you don't give anything like enough info for people to be
able to comment. Like what you have in slapd.conf and ldap.conf, as well
as CA certification details.

To check whether in fact CA verification is being carried out by the
client, you can:

1: do a tail -f on /var/log/slapd at -d 256 log level for ldaps (SSL)
connects and see that successful binds and queries are indeed being
carried out on port 636;

2: run slapd as daemon in debug mode at -d -1 level for ldap TLS on port
389 and watch the beginning of the crypt handshake in real time.

If you have neither 'ssl start_tls' nor 'ssl on' in /etc/ldap.conf (you
can have both at once, if you want), nor an active tls_cacert file/dir
path in the same file, you can bet your last penny that you are *not*
using either SSL or TLS for any LDAP client binds, including OpenLDAP and GQ.

Best,

Tony

-- 

Tony Earnshaw

"There are many people who can't face the truth ... If you rob a
normal person of life's lies, at the same time you'll be robbing
him of his happiness."

From Henrik Ibsen's "Vildanden", "The Wild Duck."

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
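The /etc/ldap.conf check Tony describes, as an added example that is not part of the original post: a small POSIX sh script that reads a pam_ldap/nss_ldap style ldap.conf and reports whether the two preconditions he names are present, an 'ssl on' or 'ssl start_tls' line and a tls_cacertfile or tls_cacertdir path. The sample configs are constructed here and written to a temp dir so the script runs offline; the hostname, base DN and CA path in them are placeholders. Note that this only confirms the necessary settings exist; whether the client actually rejects an untrusted server cert still has to be observed on the wire, as in Tony's debug-log checks.

```shell
#!/bin/sh
# Added example, not from the original post: audit a pam_ldap/nss_ldap style
# /etc/ldap.conf for the two settings without which no SSL/TLS (and so no CA
# verification) happens on client binds:
#   1. 'ssl on' or 'ssl start_tls'
#   2. a tls_cacertfile or tls_cacertdir path
# Directive names follow the lowercase /etc/ldap.conf convention in the post.

# ldap_conf_uses_tls FILE -> exit 0 if an uncommented 'ssl on' / 'ssl start_tls' is set
ldap_conf_uses_tls() {
    awk 'BEGIN { found = 0 }
         $1 !~ /^#/ && tolower($1) == "ssl" &&
         (tolower($2) == "on" || tolower($2) == "start_tls") { found = 1 }
         END { exit !found }' "$1"
}

# ldap_conf_has_cacert FILE -> exit 0 if tls_cacertfile/tls_cacertdir carries a value
ldap_conf_has_cacert() {
    awk 'BEGIN { found = 0 }
         $1 !~ /^#/ && $2 != "" &&
         (tolower($1) == "tls_cacertfile" || tolower($1) == "tls_cacertdir") { found = 1 }
         END { exit !found }' "$1"
}

# ldap_conf_verdict FILE -> prints one of: plaintext, tls-no-ca, tls-with-ca
ldap_conf_verdict() {
    if ! ldap_conf_uses_tls "$1"; then
        echo plaintext          # no ssl directive: binds go out in the clear
    elif ! ldap_conf_has_cacert "$1"; then
        echo tls-no-ca          # encrypted, but nothing to verify the server against
    else
        echo tls-with-ca        # the preconditions for CA verification are present
    fi
}

# Constructed sample configs (placeholder host/base/CA path), written to a temp dir.
write_sample_confs() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/plain.conf" <<'EOF'
# no active ssl directive at all
host ldap.example.com
base dc=example,dc=com
#ssl start_tls
EOF
    cat > "$SAMPLE_DIR/noca.conf" <<'EOF'
host ldap.example.com
base dc=example,dc=com
ssl start_tls
# CA path commented out: the client has nothing to check the server cert against
# tls_cacertfile /etc/ssl/certs/ca.pem
EOF
    cat > "$SAMPLE_DIR/ok.conf" <<'EOF'
host ldap.example.com
base dc=example,dc=com
ssl on
tls_cacertfile /etc/ssl/certs/ca.pem
EOF
}

write_sample_confs
for f in plain noca ok; do
    printf '%s: %s\n' "$f.conf" "$(ldap_conf_verdict "$SAMPLE_DIR/$f.conf")"
done
rm -rf "$SAMPLE_DIR"
```

Point ldap_conf_verdict at the real /etc/ldap.conf to audit a host; a verdict of tls-with-ca means the settings are there, after which the -d 256 / -d -1 logs show whether the handshake and verification actually take place.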