[Date Prev][Date Next]
Re: olcTLSVerifyClient: demand not taking effect
Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <firstname.lastname@example.org
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood
<email@example.com <mailto:firstname.lastname@example.org>> wrote:
I setup openldap-2.4.23 server
Why? I'd suggest you start with the current release, 2.4.30. You may
also want to look at <http://www.openldap.org/its/__index.cgi/?findid=7197
That's the openldap version in centos6.2 repo. In production I try to stick
with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the
I don't think StartTLS is enabled. I'm wondering if just setting
olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is
enough to get StartTLS enabled.
It's very frustrating. I'd hate to go to ldaps just because I can't get
Is there anything else I have to set on the server to get StartTLS working?
No. StartTLS is an LDAP Request, the client has to ask for it. There is
nothing a server can do to initiate it.
The TLSVerifyClient setting only affects sessions where the client has already
initiated TLS. To force connections to require TLS, look at the olcRequires
and olcSecurity settings in slapd-config(5).
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/