Re: OpenLDAP/SSL and SSL Trust Chain?

[Andrew Findlay <andrew.findlay@skills-1st.co.uk>]

On Fri, Jan 17, 2003 at 12:15:08AM +0000, Paul Reilly wrote:

> I presume if I get a globally recognised cert and have a Verisign or
> Thawte CA cert for the TLSCACertificateFile in ~/slapd.conf, then I can
> forget about having to install the server certificate on the clients (be
> they command line openldap or MacOSX directory services). Would that be
> correct?

That depends on whether the clients already have the relevant root CA
certificate in their trusted list. Most web browsers have a fairly
large list of root CAs, but by default the tools based on OpenSSL
(i.e. most free command-line tools) usually have an empty trust list.

There is also the question of what you want to achieve. If you want to
make sure that your LDAP clients only trust data from your own secured
servers then you should make sure that your certificate is the *only*
one that they will accept (if you just put in a public root cert then
anyoneone else who buys a cert from that provider can spoof your
clients). On the other hand, if you just want to have encrypted LDAP
then any certificate will do.

Remember that encryption does not imply security - it might be necessary,
but is not sufficient.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------