
TLS Directives in slapd.conf



I have authentication working using TLS on my RH5 servers with openldap
2.3, but was looking for some clarification on the TLS directives in
slapd.conf.  Most of what I have seen and read states to generate the
key and cert (can be done a number of ways) and update the following
directives:

# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

Which I have done using the "make ldap.pem" in the pki directory on the
Red Hat server.  Both the key and the cert are in a single file. The
directives now read:

TLSCACertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.pem

I place the cert section in the client ldap.conf and all seems to work
fine. My question is, what is the function of the TLSCACertificateFile
directive?  I can comment out the directive and authentication still
works fine and it appears to have no effect on operation.

Both TLSCertificateFile and TLSCertificateKeyFile seem to be required if
any one of the directives is used.

The man page explanation says it "contains certificates for all of the
Certificate Authorities that slapd will recognize."  I'm not sure how
TLSCACertificateFile should be used, if at all.  Just trying to
understand how the directive should be implemented.
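An added example, not part of the post above and not OpenLDAP's own code: a small POSIX shell script that splits a combined key+cert file of the kind "make ldap.pem" produces into a separate certificate file and a private-key file with restrictive permissions, and then sanity-checks a slapd.conf TLS block for the point the post raises (TLSCertificateFile and TLSCertificateKeyFile must be set together; a TLSCACertificateFile that points at the server cert itself only makes sense while that cert is self-signed). The PEM bodies, the temporary directory and the slapd.conf fragment are constructed placeholders; the directive names TLSVerifyClient (slapd.conf) and TLS_CACERT (ldap.conf) mentioned in the comments are the real OpenLDAP names.

```shell
#!/bin/sh
# Added example (not from the original post): split a combined key+cert PEM
# into the separate files slapd's TLSCertificateFile / TLSCertificateKeyFile
# can point at, and sanity-check a slapd.conf TLS block.  All paths and PEM
# contents below are constructed placeholders, not real key material.

# split_pem COMBINED OUTDIR -> writes OUTDIR/cert.pem and OUTDIR/key.pem.
# PEM blocks run from "-----BEGIN x-----" to "-----END x-----"; a block
# whose label contains "PRIVATE KEY" goes to key.pem, everything else
# (the server certificate and any chain certificates) goes to cert.pem.
split_pem() {
    combined="$1"; outdir="$2"
    mkdir -p "$outdir"
    : > "$outdir/cert.pem"; : > "$outdir/key.pem"
    awk -v certf="$outdir/cert.pem" -v keyf="$outdir/key.pem" '
        /^-----BEGIN / { out = ($0 ~ /PRIVATE KEY/) ? keyf : certf }
        out != ""      { print >> out }
        /^-----END /   { out = "" }
    ' "$combined"
    # The private key must only be readable by the slapd user; the
    # certificate is public and may stay world-readable.
    chmod 0600 "$outdir/key.pem"
    chmod 0644 "$outdir/cert.pem"
}

# tls_directive CONF NAME -> prints the value of the uncommented directive
# NAME, or nothing.  A line starting with "#" has "#" (or "#TLS...") as its
# first field, so the commented-out template lines are ignored.
tls_directive() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# check_slapd_tls CONF -> returns 0 when TLSCertificateFile and
# TLSCertificateKeyFile are both set (slapd needs the pair), 1 otherwise.
# Also flags a TLSCACertificateFile that is the server cert itself: that
# works only while the server cert is self-signed, because the CA file is
# the set of trust anchors slapd uses to verify client certificates when
# TLSVerifyClient is enabled, and the same anchors a client needs in its
# ldap.conf TLS_CACERT to verify the server.
check_slapd_tls() {
    conf="$1"
    cert=$(tls_directive "$conf" TLSCertificateFile)
    key=$(tls_directive "$conf" TLSCertificateKeyFile)
    ca=$(tls_directive "$conf" TLSCACertificateFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "error: TLSCertificateFile and TLSCertificateKeyFile must both be set" >&2
        return 1
    fi
    if [ -n "$ca" ] && [ "$ca" = "$cert" ]; then
        echo "note: TLSCACertificateFile is the server cert itself; OK only for a self-signed cert" >&2
    fi
    return 0
}

work=$(mktemp -d)

# Constructed stand-in for /etc/pki/tls/certs/ldap.pem (key followed by
# cert).  The bodies are placeholders, not a real key or certificate.
cat > "$work/ldap.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYMATERIAL
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATE
-----END CERTIFICATE-----
EOF
split_pem "$work/ldap.pem" "$work/split"

# Constructed slapd.conf fragment: the commented template line is left in
# place, the live directives point at the split files and the CA bundle.
cat > "$work/slapd.conf" <<EOF
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile $work/split/cert.pem
TLSCertificateKeyFile $work/split/key.pem
EOF
check_slapd_tls "$work/slapd.conf"
```

Run it as a normal user; it only touches a fresh temporary directory. To apply it to a real server, point split_pem at the combined ldap.pem, move the two output files into place, keep key.pem owned by the slapd user with mode 0600, and set TLSCACertificateFile to the CA bundle that issued the server cert rather than to the cert file itself.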