OpenLDAP and TLS
I am a bit confused about how the whole setup works; perhaps someone can point me to how I can accomplish this task.
Basically, I want my LDAP server to only accept queries using TLS, and only when the client's certificate is known.
I would have imagined that setting TLSVerifyClient to "demand" would have set this, but it still allows connections that don't use TLS (it does, however, reject requests from clients requesting TLS when that client's cert is not known).
ldapsearch -x -h ldap.host -b 'dc=base,dc=level' '(cn=something)'
ldapsearch -ZZ -x -h ldap.host -b 'dc=base,dc=level' '(cn=something)'
Now, the behaviour that I want is for neither of these to work, as this client does not have a configured cert.
To re-iterate: the _only_ requests I want my LDAP server to answer are those coming from clients using TLS that have certs known on the server. How can this be done?
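For reference, the following is an added slapd.conf fragment illustrating the two pieces such a setup needs; it is not from the original post. TLSVerifyClient on its own only governs what happens inside a TLS handshake, so a client that never starts TLS is never checked. The security directive closes that gap by requiring a minimum TLS strength for every operation, so a plain ldap:// session can do nothing except StartTLS. File paths below are placeholders.

```conf
# Added example (not the poster's configuration). Certificate paths are placeholders.

# CA that issued the client certificates; a client cert is "known" if it
# chains to this CA. The server's own cert and key follow.
TLSCACertificateFile    /etc/ldap/ssl/ca.crt
TLSCertificateFile      /etc/ldap/ssl/server.crt
TLSCertificateKeyFile   /etc/ldap/ssl/server.key

# Every TLS handshake must present a client certificate that verifies
# against the CA above; otherwise the TLS session is refused.
TLSVerifyClient         demand

# Require a TLS-protected session (security strength factor >= 128) for all
# operations. A client that connects over plain ldap:// and does not issue
# StartTLS gets "confidentiality required" (resultCode 13) on every request,
# including the anonymous search from the post.
security                tls=128
```

With both directives in place, the plain `ldapsearch -x` from the post is refused by the security check, and the `ldapsearch -ZZ` variant fails at the TLS handshake because the client has no certificate to present. The cn=config equivalents are olcTLSVerifyClient: demand and olcSecurity: tls=128 on the relevant entries. If an ldapi:// socket is also used for local administration, check its localSSF value, since ldapi sessions are not covered by the tls= factor.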