[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: User certs checking

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of tsg

> hi all!
> 1. As I understood, openldap (v 2.1.12) when verifying user
> certificate,
> checks only CA, signed sertificate, but not the certificate
> itself and not
> the user dn in it. Is it true? How can make openldap check the user
> certificate and user DN?

The user certificate is checked. The DN in the certificate is extracted and
its syntax is checked. An invalid DN is rejected. Ordinarily, you cannot
create a cert with an invalid DN, so it's very rare for the DN to get

> 2. Does openldap works with CRLs?

OpenLDAP does nothing special for revocation lists. Whether or not OpenSSL
does anything with them automatically, I don't recall.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support