Hello,
Sorry if my question seems simple, but I've read the ldap.conf manpage and I would like to clarify what I understood.
ldap.conf is the configuration file read by the LDAP client.
TLS_REQCERT never
means that the client doesn't ask the server for a certificate. Therefore the server will not send its certificate. Even for LDAPS (LDAP over SSL).
TLS_CACERT /usr/local/ssl/certs/AD_CA_CERT.pem
It's the CA cert; if the LDAP server sends a certificate, it has to be signed, or at least validated, by this CA cert. Even for LDAPS (LDAP over SSL).
TLS_CACERTDIR
This directory will be parsed for CA certs. If one of the CA certs validates the certificate sent by the LDAP server, the LDAP connection can happen. Even for LDAPS (LDAP over SSL).
I have a few questions though:
1) The statements TLS_CACERT and TLS_CACERTDIR seem to be a bit redundant. Why use the TLS_CACERT statement? We can have multiple CA certs, right?
2) I read that some people say to have both "TLS_REQCERT never" and "TLS_CACERTDIR" or "TLS_CACERT". Why would you specify a CA cert if our client doesn't request a certificate from the LDAP server?
3) I will use "TLS_CACERT" and "TLS_KEY" on my client if I want my client to be authenticated by the LDAP server.
4) All these statements are also valid for LDAP over SSL. Correct ?
Thank you for your answers
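As an added example that is not part of the question above or of OpenLDAP itself: a small POSIX shell linter for the TLS directives the question discusses. It embeds two constructed ldap.conf fragments, one with "TLS_REQCERT never" (the setting asked about in question 2) and a hardened one with "TLS_REQCERT demand" plus a TLS_CACERT, and reports whether server-certificate verification is actually enforced. The URI, base DN and CA path are placeholders, and the hostname ad.example.com is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenLDAP project): lint the
# TLS directives of an ldap.conf. Values, hosts and paths below are constructed.

# Constructed sample 1: the style of config asked about in the question.
# With TLS_REQCERT never the client accepts any server certificate (or none),
# so TLS_CACERT / TLS_CACERTDIR never get a chance to reject anything.
WEAK_CONF='
URI ldaps://ad.example.com
BASE dc=example,dc=com
TLS_REQCERT never
TLS_CACERT /usr/local/ssl/certs/AD_CA_CERT.pem
'

# Constructed sample 2: hardened. "demand" (also the ldap.conf default) fails
# the handshake unless the server presents a certificate that chains to a CA
# found via TLS_CACERT or TLS_CACERTDIR.
STRONG_CONF='
URI ldaps://ad.example.com
BASE dc=example,dc=com
TLS_REQCERT demand
TLS_CACERT /usr/local/ssl/certs/AD_CA_CERT.pem
'

# get_directive CONF NAME: print the value of NAME (keywords are matched
# case-insensitively, comments skipped, the last occurrence wins).
get_directive() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && toupper($1) == toupper(key) { val = $2 }
        END { if (val != "") print val }'
}

# check_tls_conf CONF
#   returns 0 if the server certificate must be verified against a CA source
#   returns 1 if TLS_REQCERT disables or weakens verification (never/allow/try)
#   returns 2 if verification is demanded but no TLS_CACERT/TLS_CACERTDIR is set
check_tls_conf() {
    conf=$1
    reqcert=$(get_directive "$conf" TLS_REQCERT)
    [ -n "$reqcert" ] || reqcert=demand        # libldap default when unset
    reqcert=$(printf '%s' "$reqcert" | tr 'A-Z' 'a-z')
    case "$reqcert" in
        never|allow|try) return 1 ;;           # no hard failure on a bad/missing cert
        demand|hard) ;;                        # cert required and must verify
        *) return 1 ;;                         # unknown value: treat as weak
    esac
    cacert=$(get_directive "$conf" TLS_CACERT)
    cacertdir=$(get_directive "$conf" TLS_CACERTDIR)
    [ -n "$cacert" ] || [ -n "$cacertdir" ] || return 2
    return 0
}

# report NAME CONF: human-readable summary for one config fragment
report() {
    if check_tls_conf "$2"; then
        echo "$1: server certificate verification enforced"
    else
        echo "$1: WEAK, server certificate not (fully) verified (rc=$?)"
    fi
}

report weak "$WEAK_CONF"
report strong "$STRONG_CONF"
```

Note that TLS_CACERT and TLS_CACERTDIR only matter once TLS_REQCERT is demand (the default) or hard; the linter returns 1 for the first fragment regardless of the CA line, and 2 for a fragment that demands verification but names no CA source. TLS_CERT and TLS_KEY, which configure a client certificate for the server to verify, are user-only directives in OpenLDAP (set in ~/.ldaprc or via the environment, not in the system ldap.conf), so the linter deliberately does not check them.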