[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP/SSL and SSL Trust Chain?

Thanks for that Andrew.

> large list of root CAs, but by default the tools based on OpenSSL
> (i.e. most free command-line tools) usually have an empty trust list.

I see what you mean. I notice even when I have a test cert from Thawte
that the openldap command line clients still need to have TLS_CACERT
configured for them to work. I can only assume then it will be the
same for the ldap plugin in MacOSX diretcory services. I just need to
find out where to configure a CA cert in it!

> There is also the question of what you want to achieve. If you want to
> make sure that your LDAP clients only trust data from your own secured
> servers then you should make sure that your certificate is the *only*
> one that they will accept (if you just put in a public root cert then
> anyoneone else who buys a cert from that provider can spoof your
> clients). On the other hand, if you just want to have encrypted LDAP
> then any certificate will do.
But I can't use a self-signed certificate.... that made me think I must
get a globally signed cert.. and use their root CACERT ?!