
Re: OpenLDAP/SSL and SSL Trust Chain?
Thanks for that Andrew.

> large list of root CAs, but by default the tools based on OpenSSL
> (i.e. most free command-line tools) usually have an empty trust list.

I see what you mean. I notice even when I have a test cert from Thawte
that the openldap command line clients still need to have TLS_CACERT
configured for them to work. I can only assume then it will be the
same for the ldap plugin in MacOSX directory services. I just need to
find out where to configure a CA cert in it!

> There is also the question of what you want to achieve. If you want to
> make sure that your LDAP clients only trust data from your own secured
> servers then you should make sure that your certificate is the *only*
> one that they will accept (if you just put in a public root cert then
> anyone else who buys a cert from that provider can spoof your
> clients). On the other hand, if you just want to have encrypted LDAP
> then any certificate will do.
>
But I can't use a self-signed certificate... that made me think I must
get a globally signed cert... and use their root CACERT?!

Paul