[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: why didn't ldap client validate ssl certificate?

Hi Lei,

What is the command line you are using with ldapsearch?

You need to specify -Z to start TLS and use certs.
From man ldapsearch:
-Z Issue  StartTLS  (Transport  Layer  Security)  extended  operation.  If you use -ZZ, the command will require the operation to be successful.

Give it a try.

On Wed, Oct 21, 2009 at 4:28 AM, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:
leilei175@gmail.com writes:
> On the client side,I have set the TLS_REQCERT as demand.
> The TLS_CACERTDIR is also set, but I didn't put any certificate in the
> directory.
> To my surprise, even though no certificate is provided,
> ldapsearch could still succeed returning the data.
> Is this a bug?

Maybe the root certificate is installed with OpenSSL's default certs.

Those are used if and only if you specify TLS_CACERT - or TLS_CACERTDIR
I presume, but I haven't tested that.  See: