On 03/26/12 17:38 +0200, Olivier wrote:
Hello, is there any way to bind to an LDAP server using user certificates rather than user/password? I have experimented with that using "bindmethod=sasl", "saslmech=external", "tls_cacert=CAFILE" and "tls_cert=PROXYUSERFILE" in the olcSyncRepl section, but I would like to also be able to bind to LDAP with a personal certificate rather than with a "user/passwd" when using ldapsearch, for example. How should I configure my "ldap.conf" and call "ldapsearch" to bind as such?
Add to your ~/.ldaprc:

    SASL_MECH EXTERNAL
    TLS_CERT <filename>
    TLS_KEY <key>
    TLS_REQCERT <level>

and in your global ldap.conf (or ~/.ldaprc), configure TLS_CACERT and other appropriate defaults. Also configure TLSVerifyClient/olcTLSVerifyClient on the server. See ldap.conf(5) and slapd-config(5) for details.

-- 
Dan White
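The reply above in runnable form, as an added example that is not part of the thread: a small POSIX shell script that writes the per-user .ldaprc, checks the private key's permissions, emits the slapd-config LDIF for olcTLSVerifyClient, and wraps ldapwhoami/ldapsearch with -Y EXTERNAL -ZZ. The server URI ldap://ldap.example.com, the suffix dc=example,dc=com, and the certificate file names under ~/.ldap-certs are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the thread): client-side SASL EXTERNAL over TLS
# for ldapsearch, following the .ldaprc settings from the reply above.
# Host, suffix and certificate paths are placeholders; adjust to your site.
set -eu

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"   # assumed server URI
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"        # assumed suffix
CERT_DIR="${CERT_DIR:-$HOME/.ldap-certs}"          # assumed cert location

# Write a per-user ~/.ldaprc (ldap.conf(5)). TLS_CACERT may instead sit in
# the global ldap.conf; TLS_REQCERT demand makes libldap abort the session
# if the server certificate does not chain to TLS_CACERT, so the client
# certificate is never presented to an impostor. Written with umask 077
# in a subshell so the file is created mode 600 without touching the
# caller's umask.
write_ldaprc() {
    target="$1"
    ( umask 077; cat > "$target" <<EOF
# OpenLDAP client defaults for this user (generated by example script)
SASL_MECH   EXTERNAL
TLS_CACERT  $CERT_DIR/ca.crt
TLS_CERT    $CERT_DIR/olivier.crt
TLS_KEY     $CERT_DIR/olivier.key
TLS_REQCERT demand
EOF
    )
}

# libldap will happily load a world-readable private key; refuse to run
# with one so a shared box does not leak the identity we are about to use.
# stat -c is GNU, stat -f %Lp is the BSD/macOS fallback.
check_key_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) printf 'refusing: %s has mode %s, want 600 or 400\n' "$1" "$mode" >&2
           return 1 ;;
    esac
}

# Server side (slapd-config): require a client cert the server trusts.
# Trade-off: "demand" rejects every client without a valid cert, including
# password binds from hosts that have none; "try" asks for a cert, rejects
# an invalid one, but still lets cert-less clients bind by password.
server_verifyclient_ldif() {
    level="${1:-demand}"
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: $level
EOF
}

# With SASL EXTERNAL over TLS the authentication identity is the client
# certificate's subject DN; ldapwhoami shows what slapd made of it (and
# whether an olcAuthzRegexp mapping, if you configured one, fired).
whoami_external() {
    ldapwhoami -H "$LDAP_URI" -ZZ -Y EXTERNAL
}

# -ZZ insists that StartTLS succeed (use an ldaps:// URI instead on 636).
# -Y EXTERNAL repeats SASL_MECH from .ldaprc so the intent survives a
# different HOME or a missing .ldaprc; extra args are the filter/attrs.
search_external() {
    ldapsearch -H "$LDAP_URI" -ZZ -Y EXTERNAL -LLL -b "$LDAP_BASE" "$@"
}

case "${1:-}" in
    setup)  write_ldaprc "$HOME/.ldaprc"; check_key_perms "$CERT_DIR/olivier.key" ;;
    whoami) check_key_perms "$CERT_DIR/olivier.key"; whoami_external ;;
    search) shift; check_key_perms "$CERT_DIR/olivier.key"; search_external "$@" ;;
    apply)  server_verifyclient_ldif "${2:-demand}" | ldapmodify -H ldapi:/// -Y EXTERNAL ;;
esac
```

Typical order: `./ldap-ext.sh setup`, then `./ldap-ext.sh apply demand` as root on the server (ldapi:/// with EXTERNAL maps the root uid to the cn=config rootdn), then `./ldap-ext.sh whoami` to confirm the certificate subject is what slapd binds you as before running `./ldap-ext.sh search '(uid=olivier)'`.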