[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client says Can't contact LDAP server, but it can!

On Friday 25 July 2008 01:13:37 John Oliver wrote:
> On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > Any client will need to know about the CA that signed your self-signed
> > cert.
> I created my certificate with:
> openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout
> /etc/openldap/ssl/ldap.pem -days 3650
> In slapd.conf I have:
> TLSCertificateFile /etc/ssl/ldap.pem
> TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> TLSCACertificateFile /etc/ssl/ldap.pem
> What do I need to do differently?

Configure the *client* ??? Look at the TLS_CACERT directive in the 
ldap.conf(5) man page, and the tls_cacertfile directive in the pam_ldap(5) and 
nss_ldap(5) man pages (if your pam_ldap/nss_ldap is new enough to have man 

Now, unless you've split the cert out separately, you're most likely going to 
be exposing the private key as well, which means there's pretty much no point 
to your encryption ....