
Re: openldap and tls



Dave wrote:
Hello,
     Thanks for your reply. I created a client certificate and key and on the
client machine added TLS_CACERT, TLS_CERT, and TLS_KEY options. I ensured
the key permissions are world readable and tried another ldapsearch. I am
getting the same error, cannot connect. On the server if I switch
TLSVerifyClient from demand to never it works fine. I'd like to have both
the client and server verify each other, or is there a better way of doing
this?

TLS Private Keys are meant to be just that - private. Never make them world-readable.


As documented
http://www.openldap.org/software/man.cgi?query=ldap.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release

TLS_CERT/TLS_KEY are user-only options. You cannot configure them globally. Nor would it make any sense to do so - if anybody can copy them arbitrarily to another machine, then your whole point of verifying the client's identity is defeated.

Thanks.
Dave.



----- Original Message -----
From: "Michael Ströder"<michael@stroeder.com>
To:<openldap-software@openldap.org>
Sent: Thursday, February 14, 2008 10:24 AM
Subject: Re: openldap and tls


Dave wrote:
When you say client I'm assuming you're referring to the ldap client,
Yes.

configuration file /usr/local/etc/openldap/ldap.conf,
What the server slapd requires from the client is configured in the
server's configuration.

Michael Ströder wrote:
See man 5 slapd.conf for learning about what option TLSVerifyClient
means.
You should take my advice more literally. I'm not inventing comments just
for fun. Please first check TLSVerifyClient in your slapd.conf.

Ciao, Michael.




--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
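The checks Howard's reply implies, as an added example that is not code from this thread or from the OpenLDAP project: the client cert/key belong in the per-user file (~/.ldaprc), not the system-wide ldap.conf; the key must not be readable by anyone but its owner; and slapd must actually be set to TLSVerifyClient demand. Every file, path and key below is constructed in a temporary directory for the demonstration; the option names are the real ldap.conf(5)/slapd.conf(5) ones, the paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP). Builds a "wrong" and a
# "right" set of constructed config files and checks them with the helpers.

# Succeed only if the key is readable by its owner alone (group/other bits empty).
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)    # chars 5-10 of "-rw-------": group+other
    [ "$perms" = "------" ]
}

# Succeed if the file sets TLS_CERT or TLS_KEY, the user-only client options.
# These must be present in ~/.ldaprc and absent from the system-wide ldap.conf.
has_user_only_opts() {
    grep -qiE '^[[:space:]]*TLS_(CERT|KEY)[[:space:]]' "$1"
}

# Print the effective TLSVerifyClient value of a slapd.conf ("never" if unset).
slapd_verify_client() {
    v=$(awk 'tolower($1)=="tlsverifyclient" {print tolower($2)}' "$1" | tail -n 1)
    printf '%s\n' "${v:-never}"
}

# 0 = mutual TLS set up as the thread recommends, 1 = something is off.
# Args: system ldap.conf, user .ldaprc, client key file, slapd.conf.
mutual_tls_ok() {
    sys_conf=$1; user_conf=$2; key=$3; slapd_conf=$4
    ! has_user_only_opts "$sys_conf" &&
    has_user_only_opts "$user_conf" &&
    key_is_private "$key" &&
    [ "$(slapd_verify_client "$slapd_conf")" = "demand" ]
}

# ---- constructed demonstration files (hypothetical paths) ----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Wrong: cert/key in the system-wide file, key world-readable, server not
# demanding a client certificate (the "works with never" state from the thread).
cat > "$tmp/ldap.conf.bad" <<'EOF'
TLS_CACERT /usr/local/etc/openldap/cacert.pem
TLS_CERT   /usr/local/etc/openldap/client.pem
TLS_KEY    /usr/local/etc/openldap/client.key
EOF
cat > "$tmp/slapd.conf.bad" <<'EOF'
TLSCACertificateFile  /usr/local/etc/openldap/cacert.pem
TLSCertificateFile    /usr/local/etc/openldap/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSVerifyClient never
EOF
: > "$tmp/client.key.bad"; chmod 644 "$tmp/client.key.bad"

# Right: CA cert system-wide, cert/key in the user's ~/.ldaprc with the key
# at mode 0600, and the server demanding and verifying the client certificate.
cat > "$tmp/ldap.conf.good" <<'EOF'
TLS_CACERT  /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand
EOF
cat > "$tmp/ldaprc.good" <<'EOF'
TLS_CERT /home/dave/.ldap/client.pem
TLS_KEY  /home/dave/.ldap/client.key
EOF
cat > "$tmp/slapd.conf.good" <<'EOF'
TLSCACertificateFile  /usr/local/etc/openldap/cacert.pem
TLSCertificateFile    /usr/local/etc/openldap/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSVerifyClient demand
EOF
: > "$tmp/client.key.good"; chmod 600 "$tmp/client.key.good"

for label in bad good; do
    case $label in
        bad)  args="$tmp/ldap.conf.bad $tmp/ldap.conf.bad $tmp/client.key.bad $tmp/slapd.conf.bad" ;;
        good) args="$tmp/ldap.conf.good $tmp/ldaprc.good $tmp/client.key.good $tmp/slapd.conf.good" ;;
    esac
    # shellcheck disable=SC2086  (word splitting on $args is intended here)
    if mutual_tls_ok $args; then
        printf '%s setup: mutual TLS configured correctly\n' "$label"
    else
        printf '%s setup: NOT correctly configured\n' "$label"
    fi
done
```

Once the "good" layout is in place, test the handshake from the client with ldapsearch -ZZ (StartTLS, fail if TLS cannot be established) and add -d 1 to see the TLS negotiation if it still refuses to connect; with TLSVerifyClient demand, a client that presents no certificate, or one not chained to TLSCACertificateFile, is rejected at the handshake, which is the "cannot connect" symptom described above.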