
Re: Different TLSVerifyClient possible?






For clarification, /etc/ldap.conf is the LDAP PAM configuration file.
User-only TLS directives do not belong in the OpenLDAP client ldap.conf
file.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
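To make the file distinction concrete, here is an added illustration (not from either poster) of where the directives discussed in this thread live; file paths, certificate names and the pam_ldap option names are assumptions:

```conf
# --- slapd.conf (server side; assumed path /etc/openldap/slapd.conf) ---
# TLSVerifyClient is a global slapd directive: one value applies to every
# listener slapd serves, which is why a per-address setting is asked about.
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
TLSVerifyClient       demand

# --- /etc/openldap/ldap.conf (OpenLDAP client library, system-wide) ---
# Only directives valid for all users belong here. TLS_CERT and TLS_KEY
# are user-only directives and are ignored if placed in this file.
BASE       dc=example,dc=com
URI        ldaps://ldap.example.com
TLS_CACERT /etc/openldap/certs/ca.pem

# --- ~/.ldaprc (per-user OpenLDAP client settings) ---
# The user-only client certificate directives go here (or in the file
# named by the LDAPRC environment variable).
TLS_CERT  /home/alice/.ldap/alice.pem
TLS_KEY   /home/alice/.ldap/alice.key

# --- /etc/ldap.conf (pam_ldap / nss_ldap configuration, a different file) ---
# pam_ldap reads its own TLS options from here; option names assumed.
# Every local service using pam_ldap then presents this one client cert,
# which is the shared-identity trade-off the thread calls suboptimal.
host     127.0.0.1
base     dc=example,dc=com
ssl      start_tls
tls_cert /etc/ldap/pam_ldap.pem
tls_key  /etc/ldap/pam_ldap.key
```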




From:     Martin Lesser <admin-openldap@better-com.de>
Sent by:  owner-openldap-software@OpenLDAP.org
To:       openldap-software@OpenLDAP.org
cc:
Subject:  Re: Different TLSVerifyClient possible?
Date:     08/12/2003 12:39 PM




Martin Lesser <admin-openldap@better-com.de> writes:

> For the slapd running on 127.0.0.1 I want to reduce TLSVerifyClient to
> never so only the slapd serving the external address strictly depends on
> a valid client-cert. Otherwise I had to generate a client-cert for each
> local service which uses ldap.

... without pam_ldap

One solution which works is to add TLS_KEY and TLS_CERT to
/etc/ldap.conf so local services querying the slapd can use the certs
defined in ldap.conf if they also use pam_ldap.

But that's IMO suboptimal.

Martin