
RE: Setting certificate file for client



The TLS_CERT and TLS_KEY options are user-only, they cannot be set on a
system-wide basis.
It somewhat defeats the purpose of a secure authentication system if you
configure it such that any user on the machine can use the cert and private
key. If you really insist on taking this approach, you can patch
libldap/init.c and turn off the "useronly" flag for TLS_CERT and TLS_KEY in
the ol_attribute array and reinstall libldap.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
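A small audit helper for the situation above, added here as an example and not part of the thread: it parses ldap.conf/.ldaprc syntax, flags TLS_CERT/TLS_KEY in a system-wide file (where, per the reply, libldap ignores them), and checks that the private key named by TLS_KEY is not readable by other users. The sample configuration and file paths are constructed.

```python
import os
import stat

# Options that libldap honours only from a per-user .ldaprc (see the reply
# above); putting them in the system-wide ldap.conf has no effect.
USER_ONLY_OPTIONS = {"TLS_CERT", "TLS_KEY"}

# Constructed sample of a per-user ~/.ldaprc.
SAMPLE_LDAPRC = """# constructed sample
TLS_CACERT      /etc/ssl/certs/cacert.pem
TLS_CERT        /etc/ssl/certs/newcert.pem
TLS_KEY         /etc/ssl/certs/newkey.pem
"""


def parse_ldap_conf(text):
    """Parse 'OPTION value' lines; '#' starts a comment, blank lines are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            options[parts[0].upper()] = parts[1].strip()
    return options


def audit_config(text, system_wide, key_mode=None, key_uid=None, uid=None):
    """Return findings for one config file.

    system_wide: True for ldap.conf, False for ~/.ldaprc.
    key_mode/key_uid: st_mode/st_uid of the TLS_KEY file, if known.
    uid: the user the .ldaprc belongs to, if known.
    """
    findings = []
    opts = parse_ldap_conf(text)
    if system_wide:
        for name in sorted(USER_ONLY_OPTIONS & set(opts)):
            findings.append(f"{name} is user-only and ignored in a system-wide file")
    if "TLS_KEY" in opts and key_mode is not None:
        if key_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("TLS_KEY file is readable by group or others")
        if key_uid is not None and uid is not None and key_uid != uid:
            findings.append("TLS_KEY file is not owned by the user")
    return findings


def audit_file(path, system_wide, uid=None):
    """Audit a config file on disk, stat'ing the TLS_KEY file it names (hypothetical helper)."""
    with open(path) as fh:
        text = fh.read()
    key = parse_ldap_conf(text).get("TLS_KEY")
    st = os.stat(key) if key and os.path.exists(key) else None
    return audit_config(text, system_wide,
                        key_mode=st.st_mode if st else None,
                        key_uid=st.st_uid if st else None, uid=uid)
```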

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Simone
> Piccardi
> Sent: Monday, August 19, 2002 10:29 AM
> To: openldap-software@OpenLDAP.org
> Subject: Setting certificate file for client
>
>
> I'm getting some trouble using LDAP over TLS/SSL. I'm using
> openldap-2.0.23.
>
> The problem is that I can authenticate the server from the clients but
> not vice versa. I would like to authenticate the clients, so I put:
>
> TLSVerifyClient         1
>
> (tried using hard, or demand, instead of 1, but this is the only way it
> worked). This way I can authenticate only if I have something like:
>
> TLS_CACERT      /etc/ssl/certs/cacert.pem
> TLS_CERT        /etc/ssl/certs/newcert.pem
> TLS_KEY         /etc/ssl/certs/newkey.pem
>
> in .ldaprc, sending the client certificate. The problem seems to be that
> there is no way to set things system-wide, and so I cannot authenticate
> when using libnss-ldap.
>
> Is there any way I can set a client certificate for system-wide use? I
> tried to put the same lines inside ldap.conf, but with no results.
>
> Thanks anyway
> Simone