
Re: Different TLSVerifyClient possible?



Martin Lesser <admin-openldap@better-com.de> writes:

> For the slapd running on 127.0.0.1 I want to reduce TLSVerifyClient to
> never so only the slapd serving the external address strictly depends on
> a valid client-cert. Otherwise I had to generate a client-cert for each
> local service which uses ldap.

... without pam_ldap

One solution which works is to add TLS_KEY and TLS_CERT to
/etc/ldap.conf so local services querying the slapd can use the certs
defined in ldap.conf if they also use pam_ldap.

But that's IMO suboptimal.

Martin