
tls_checkpeer directive

I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system.

I believe I have TLS encryption working but I'd like to be able to verify my client connections.

On my LDAP server I have the following in slapd.conf

TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem
TLSCACertificateFile /etc/openldap/cacerts/slapdcert.pem

On the client I have the following in /etc/ldap.conf

uri ldaps://
ssl on
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer no

On the client /etc/openldap/ldap.conf

URI ldaps://
TLS_CACERT /etc/openldap/cacerts/slapdcert.pem

Both of these commands work, from the client and from the server:

openssl s_client -connect servername:636 -showcerts

ldapsearch -x -H ldaps://servername -b dc=domain,dc=domain -D cn=root,dc=domain,dc=domain -W

So my first question is: does this guarantee encrypted sessions?
Second, if I change tls_checkpeer to yes, then I can't contact the LDAP server. How can I verify my clients?
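Added example (editorial, not part of the post above): when peer checking is turned on (tls_checkpeer yes in nss_ldap, or TLS_REQCERT demand in OpenLDAP's ldap.conf) the client does two things that tls_checkpeer no skips entirely: it verifies the server certificate against the file named in tls_cacertfile / TLS_CACERT, and it checks that the name it connected to matches the certificate's subject. With checking off the session is still encrypted, but the client accepts whatever certificate the far end presents. The script below reproduces both checks offline with nothing but the openssl CLI, so a practitioner can test a certificate and CA file before pointing an LDAP client at them. The hostnames (ldap.example.com, other.example.com) and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces offline the two
# checks an LDAP client applies to the server certificate when peer checking is
# enabled: chain verification against the configured CA file, and hostname match.
# Requires only the openssl command-line tool. All names below are invented.

set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned BASENAME CN
# Creates a self-signed certificate and key, the same shape as the slapdcert.pem /
# slapdkey.pem pair in the post (subject CN set to the server's hostname).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# check_peer CAFILE CERT HOSTNAME
# Succeeds (exit 0) only if CERT chains to CAFILE *and* HOSTNAME matches the
# certificate, which is what tls_checkpeer yes / TLS_REQCERT demand enforce.
check_peer() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_selfsigned slapd ldap.example.com
make_selfsigned other other.example.com

# 1. The post's layout: the CA file *is* the self-signed server certificate.
#    Chain check passes (the cert is its own trust anchor) and the name matches.
good_setup() {
    check_peer "$WORK/slapd.pem" "$WORK/slapd.pem" ldap.example.com
}

# 2. Same certificate, but the client connects under a different name
#    (a short hostname or an IP address): the hostname check fails.
wrong_name() {
    ! check_peer "$WORK/slapd.pem" "$WORK/slapd.pem" ldap
}

# 3. The client's CA file holds an unrelated certificate: chain verification fails,
#    exactly the way a client with checking enabled refuses to connect.
wrong_ca() {
    ! check_peer "$WORK/other.pem" "$WORK/slapd.pem" ldap.example.com
}

# Run all three cases; each must succeed for the script to exit 0.
good_setup && echo "self-signed cert as its own CA, correct name: accepted"
wrong_name && echo "wrong hostname: rejected"
wrong_ca   && echo "unrelated CA file: rejected"
```

The two failure cases are the usual reasons tls_checkpeer yes breaks a previously working ldaps:// setup: either the name in the uri line is not the CN (or a subjectAltName) of the server certificate, or the file named by tls_cacertfile does not contain the certificate that vouches for the server. Running check_peer with the real slapdcert.pem and the exact hostname the client uses shows which of the two it is.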