Re: OpenLDAP client TLS configuration

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 11:42 AM 9/22/2006, Dan O'Reilly wrote:
>That indicates that client certificates are optional, only required to validate using SASL (which I'm not trying to do), so I don't think I need one (is that correct?).  Additionally, am I correct in my interpretation that I need both a trusted root certificate from the CA plus a server certificate? 

You need to configure the client with sufficient information
so that it can 'verify' the server certificate, namely the
CA certificate which signed the server certificate. 

12.2.2.1. TLS_CACERT <filename>

This is equivalent to the server's TLSCACertificateFile option.
As noted in the TLS Configuration section, a client typically
may need to know about more CAs than a server, but otherwise
the same considerations apply.

12.2.1.1. TLSCACertificateFile <filename>

This directive specifies the PEM-format file containing
certificates for the CA's that slapd will trust. The
certificate for the CA that signed the server certificate
must be included among these certificates. If the signing CA
was not a top-level (root) CA, certificates for the entire
sequence of CA's from the signing CA to the top-level CA
should be present. Multiple certificates are simply appended
to the file; the order is not significant.