
Re: Different TLSVerifyClient possible?

For clarification, /etc/ldap.conf is the LDAP PAM configuration file.
User-only TLS directives do not belong in the OpenLDAP client ldap.conf.

Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com

Martin Lesser <admin-openldap@better-com.de>
To: openldap-software@OpenLDAP.org
Subject: Re: Different TLSVerifyClient possible?
08/12/2003 12:39 PM

Martin Lesser <admin-openldap@better-com.de> writes:

> For the slapd running on I want to reduce TLSVerifyClient to
> never so only the slapd serving the external address strictly depends on
> a valid client-cert. Otherwise I had to generate a client-cert for each
> local service which uses ldap.

... without pam_ldap

One solution which works is to add TLS_KEY and TLS_CERT to
/etc/ldap.conf so local services querying the slapd can use the certs
defined in ldap.conf if they also use pam_ldap.

But that's IMO suboptimal.
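The split the thread is talking about, written out as an added example (not configuration posted by either participant): TLSVerifyClient is a global slapd.conf setting, so a strict external listener and a relaxed local one mean two slapd processes with two config files, separated by the -h URL list. The file paths, hostnames, the 203.0.113.10 address, the suffix and the service certificate names below are all assumptions; the two instances here hold separate database directories, and how their contents are kept in sync is not something this thread covers.

```conf
# --- /etc/openldap/slapd-external.conf (assumed path) ---
# Instance reachable from outside. Every connecting client must present a
# certificate that chains to the configured CA, or the TLS handshake fails.
include                 /etc/openldap/schema/core.schema
pidfile                 /var/run/slapd-external.pid
argsfile                /var/run/slapd-external.args

TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.example.com.key
TLSVerifyClient         demand

database                bdb
suffix                  "dc=example,dc=com"
directory               /var/lib/ldap/external

# --- /etc/openldap/slapd-local.conf (assumed path) ---
# Instance for local services (pam_ldap, nss_ldap, local daemons). Because
# TLSVerifyClient is global to a slapd process, the relaxed policy needs its
# own config and its own process. It must be bound to loopback/ldapi only;
# otherwise the relaxed policy is reachable from the network as well.
include                 /etc/openldap/schema/core.schema
pidfile                 /var/run/slapd-local.pid
argsfile                /var/run/slapd-local.args

TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.example.com.key
TLSVerifyClient         never

database                bdb
suffix                  "dc=example,dc=com"
directory               /var/lib/ldap/local

# Start commands; the -h URL list is what actually separates the two policies
# (203.0.113.10 stands in for the external address):
#   slapd -f /etc/openldap/slapd-external.conf -h "ldaps://203.0.113.10/"
#   slapd -f /etc/openldap/slapd-local.conf    -h "ldap://127.0.0.1/ ldapi:///"

# --- client side, if a local service should present a certificate anyway ---
# /etc/ldap.conf is pam_ldap/nss_ldap's file and takes lowercase keywords:
#   uri             ldap://127.0.0.1/
#   ssl             start_tls
#   tls_cacertfile  /etc/openldap/certs/ca.crt
#   tls_cert        /etc/openldap/certs/service.crt
#   tls_key         /etc/openldap/certs/service.key
# /etc/openldap/ldap.conf is the OpenLDAP client library's file: only
# TLS_CACERT belongs there. TLS_CERT and TLS_KEY are user-only directives and
# are read from the calling account's ~/.ldaprc, not from the system-wide file.
```

Two checks worth doing after bringing both instances up: confirm with `netstat`/`ss` that the slapd carrying `TLSVerifyClient never` listens only on 127.0.0.1 and the ldapi socket, and connect to the external address once without a client certificate to verify the handshake is refused rather than merely logged.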