
RE: Client - Server Authentication Using Certificates



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Igor Brezac

> > So my second question is what do I need to add to the
> > configuration to enable this to be done. I have appended the
> > relevant lines from the configuration files to the end of this mail.

> > ldap.conf
> >
> > TLS_CACERT /etc/grid-security/certificates/fa3af1d7.0
> > TLS_CERT /etc/grid-security/hostcert.pem
> > TLS_KEY /etc/grid-security/hostkey.pem
> >
> >
> > slapd.conf
> >
> > TLSCACertificateFile /etc/grid-security/certificates/fa3af1d7.0
> > TLSCertificateFile /etc/grid-security/hostcert.pem
> > TLSCertificateKeyFile /etc/grid-security/hostkey.pem
> > TLSVerifyClient demand
>
> This will not work unless the hostcert.pem subject is a valid DN.  You
> probably need to generate a separate client cert (for ldap.conf).

You cannot specify user certificates in ldap.conf. This is clearly stated in
both the Admin Guide and the manpages. User certificate configuration must be
done in the user's .ldaprc file.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
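The split the two replies describe, as an added illustration rather than configuration from the thread: the CA setting stays system-wide in ldap.conf, while the per-user client certificate and key (a separate user certificate, not the host certificate) go in that user's ~/.ldaprc. The file names under ~/.ldap/ are assumed placeholders.

```conf
# /etc/openldap/ldap.conf (system-wide client defaults)
# Only the trust anchor belongs here; TLS_CERT / TLS_KEY are ignored in this file.
TLS_CACERT   /etc/grid-security/certificates/fa3af1d7.0

# ~/.ldaprc (per-user, read by the LDAP client libraries for that user)
# A client certificate issued to the user, not the server's hostcert.pem.
# Its subject must be a proper DN; check it with:
#   openssl x509 -in ~/.ldap/usercert.pem -noout -subject
TLS_CERT     /home/alice/.ldap/usercert.pem    # assumed path
TLS_KEY      /home/alice/.ldap/userkey.pem     # assumed path; keep mode 0600
```

With `TLSVerifyClient demand` on the server, a client that presents no certificate, or one not chaining to the CA in TLSCACertificateFile, has its TLS handshake rejected, so test with `ldapsearch -ZZ` as the user whose ~/.ldaprc holds the certificate.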