back-meta: dependency on ldap.conf
- To: OpenLDAP Technical Discussion <openldap-technical@openldap.org>
- Subject: back-meta: dependency on ldap.conf
- From: Liam Gretton <liam.gretton@leicester.ac.uk>
- Date: Thu, 19 Mar 2015 11:45:40 +0000
- Organization: IT Services, University Of Leicester
- User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
OpenLDAP 2.4.40, SLES x86_64.
This will seem crazy, but it looks to me that back-meta uses
/etc/openldap/ldap.conf for its TLS configuration instead of the
tls_options set explicitly within slapd.conf.
Within my meta configuration I have the following for idassert-bind:
idassert-bind bindmethod=simple
    binddn="cn=user,dc=example,dc=com"
    credentials="password"
    flags=prescriptive
    tls_cacert=/etc/ssl/certs/ca.pem
    tls_cacertdir=/etc/ssl/certs
    tls_reqcert=demand
None of the TLS options seem to have any effect here at all (I can put
nonsensical values to the tls options here and slapd doesn't complain at
all).
Instead it's necessary to use /etc/openldap/ldap.conf for back-meta to
bind over SSL/TLS:
tls_cacert /etc/ssl/certs/ca.pem
tls_cacertdir /etc/ssl/certs
Any changes to ldap.conf get picked up by back-meta on a restart.
This can't be right, surely?
As an aside, I can't see why it's necessary to have to specify both
tls_cacert (pointing at the last CA in the chain) as well as
tls_cacertdir, but it is.
--
Liam Gretton liam.gretton@le.ac.uk
Systems Specialist http://www.le.ac.uk/its/
IT Services Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
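If back-meta really takes its TLS settings from ldap.conf rather than from the idassert-bind tls_* options, the risk is that a strict setting such as tls_reqcert=demand in slapd.conf is silently replaced by whatever ldap.conf says. The script below is an added example, not from the thread or the OpenLDAP project: it reads both files (constructed samples here), applies slapd.conf's rule that a line starting with whitespace continues the previous directive, and reports every tls_* setting on which the two files disagree.

```python
import re

# Constructed sample inputs modelled on the post; not the real files.
SLAPD_CONF = """\
database meta
suffix "dc=example,dc=com"
idassert-bind bindmethod=simple
    binddn="cn=user,dc=example,dc=com"
    credentials="password"
    flags=prescriptive
    tls_cacert=/etc/ssl/certs/ca.pem
    tls_cacertdir=/etc/ssl/certs
    tls_reqcert=demand
"""
LDAP_CONF = """\
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT never
"""

def slapd_idassert_tls(text):
    """Return {tls_* key: value} from the idassert-bind directive.
    slapd.conf joins a line that starts with whitespace onto the previous line."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    for directive in logical:
        if directive.startswith("idassert-bind"):
            opts = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', directive))
            return {k: v.strip('"') for k, v in opts.items() if k.startswith("tls_")}
    return {}

def ldap_conf_tls(text):
    """Return {tls_* key: value} from ldap.conf; keys there are case-insensitive."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper().startswith("TLS_"):
            out[parts[0].lower()] = parts[1].strip()
    return out

def audit(slapd_text, ldap_text):
    """List tls_* settings where ldap.conf lacks or contradicts what slapd.conf asks for."""
    want, have = slapd_idassert_tls(slapd_text), ldap_conf_tls(ldap_text)
    findings = []
    for key, value in sorted(want.items()):
        if key not in have:
            findings.append(f"{key}: set to {value!r} in slapd.conf but absent from ldap.conf")
        elif have[key] != value:
            findings.append(f"{key}: slapd.conf={value!r} ldap.conf={have[key]!r}")
    return findings
```

Run against the real files with `audit(open("/etc/openldap/slapd.conf").read(), open("/etc/openldap/ldap.conf").read())`; an empty list means the two files agree on every tls_* option the idassert-bind directive sets.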