Re: openldap and tls

Dave wrote:
     Thanks for your reply. I created a client certificate and key and on the
client machine added TLS_CACERT, TLS_CERT, and TLS_KEY options. I ensured
the key permissions are world readable and tried another ldapsearch. I am
getting the same error, cannot connect. On the server if I switch
TLSVerifyClient from demand to never it works fine. I'd like to have both
the client and server verify each other, or is there a better way of doing

TLS Private Keys are meant to be just that - private. Never make them world-readable.

As documented

TLS_CERT/TLS_KEY are user-only options. You cannot configure them globally. Nor would it make any sense to do so - if anybody can copy them arbitrarily to another machine, then your whole point of verifying the client's identity is defeated.


Dave wrote:
When you say client I'm assuming you're referring to the ldap client,

configuration file /usr/local/etc/openldap/ldap.conf,
What the server slapd requires to come from the client is
configured in the server's configuration.

Michael Ströder wrote:
See man 5 slapd.conf for learning about what option TLSVerifyClient
You should take my advice more literally. I'm not inventing comments just
for fun. Please first check TLSVerifyClient in your slapd.conf.

Ciao, Michael.
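To make the two halves of the advice above concrete, here is an added example (not code from the thread or from the OpenLDAP project) showing the slapd.conf side that demands a client certificate, the per-user ~/.ldaprc side that supplies one, and a check that refuses a key readable by anyone but its owner. The certificate paths under /etc/openldap/certs and the cert/key arguments are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from the
# OpenLDAP project. Paths under /etc/openldap/certs are assumptions.

# Server side (slapd.conf fragment). "TLSVerifyClient demand" makes slapd
# require a client certificate and fail the handshake unless it chains to
# TLSCACertificateFile. Print it and paste it into slapd.conf yourself.
slapd_tls_fragment() {
  cat <<'EOF'
TLSCACertificateFile  /etc/openldap/certs/ca.crt
TLSCertificateFile    /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSVerifyClient       demand
EOF
}

# Client side. TLS_CERT and TLS_KEY are user-only options, so they go in the
# user's ~/.ldaprc (or LDAPTLS_CERT / LDAPTLS_KEY in the environment), not in
# the system-wide ldap.conf. $1 is the file to write, $2 the client cert,
# $3 the client key. The subshell umask ensures the file is created 0600.
write_ldaprc() {
  (
    umask 077
    cat > "$1" <<EOF
TLS_CACERT  /etc/openldap/certs/ca.crt
TLS_REQCERT demand
TLS_CERT    $2
TLS_KEY     $3
EOF
  )
}

# Return 0 only when the key is accessible by its owner alone (mode 0600 or
# 0400): the group and other permission bits of "ls -ld" must all be "-".
# A key that is readable by anybody can be copied to another machine, which
# defeats the point of verifying the client's identity.
key_mode_ok() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  case "$perms" in
    ????------) return 0 ;;
    *)          return 1 ;;
  esac
}

# Usage: sh mtls-setup.sh ~/.ldap/client.crt ~/.ldap/client.key
if [ $# -eq 2 ]; then
  if ! key_mode_ok "$2"; then
    echo "refusing: $2 is readable by group or others; chmod 600 it first" >&2
    exit 1
  fi
  write_ldaprc "$HOME/.ldaprc" "$1" "$2"
  echo "wrote $HOME/.ldaprc; add this to slapd.conf on the server:"
  slapd_tls_fragment
fi
```

After both sides are in place, test with `ldapsearch -ZZ -x -H ldap://server -b "" -s base -d 1`: `-ZZ` makes the client fail rather than fall back to plaintext, and `-d 1` prints the TLS handshake so a rejected client certificate shows up on the client as well as in slapd's log.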

