Re: olcTLSVerifyClient: demand not taking effect

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Tuesday, March 13, 2012 11:03 AM -0700 Peter Wood 
<peterwood.sd@gmail.com> wrote:

> On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah@zimbra.com>
> wrote:
>
>
> --On Monday, March 12, 2012 6:52 PM -0700 Peter Wood
> <peterwood.sd@gmail.com> wrote:
>
>
> Hi,
>
>
> I setup openldap-2.4.23 server
>
>
> Why? ÂI'd suggest you start with the current release, 2.4.30. ÂYou may
> also want to look at <http://www.openldap.org/its/index.cgi/?findid=7197>
>
>
>
>
>
> That's the openldap version in centos6.2 repo. In production I try to
> stick with stock versions.
>
>
> Also I tried all variations ofÂolcTLSVerifyClient: [demand|hard|true]
> with the same result.
>
>
> I don't think StartTLS is enabled. I'm wondering if just
> settingÂolcTLSCACertificateFile,ÂolcTLSCertificateFile
> andÂolcTLSCertificateKeyFile is enough to get StartTLS enabled.
>
>
> It's very frustrating. I'd hate to go to ldaps just because I can't get
> StartTLS working.
>
>
> Is there anything else I have to set on the server to get StartTLS
> working?

How are you testing to see if it or is not working?  Just run ldapsearch -x 
-ZZ -H ldap://<hostname>

to force startTLS

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration