Re: openldap client cert validation
On Sat, Aug 06, 2016 at 07:14:37PM +0300, Matwey V. Kornilov wrote:
> After inspecting source code I've just found that TLS_KEY and TLS_CERT
> are ignored if located in /etc/openldap/ldap.conf.
> Why is it not written in man ldap.conf(5) explicitly?
It is.
    TLS_CERT <filename>
        Specifies the file that contains the client certificate. This is a user-only option.
    [...]
    TLS_KEY <filename>
        Specifies the file that contains the private key that matches the certificate stored in the TLS_CERT file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. This is a user-only option.
"User-only" is defined at the top of the page:
    Some options are user-only. Such options are ignored if present in the ldap.conf (or file specified by LDAPCONF).
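
An added example, not part of the original message or of OpenLDAP: a small shell check that reports TLS_CERT and TLS_KEY lines sitting in a system-wide ldap.conf, where the man page text quoted above says they are ignored, and that tests whether an unencrypted key file is closed to group and other. The function names and the "no group/other permission bits" policy are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration: audit an OpenLDAP client configuration for the two
# user-only TLS options discussed in this thread.

# Report TLS_CERT / TLS_KEY lines in a system-wide config file.
# ldap.conf(5) marks both as user-only, so they are ignored in that file.
# Returns 0 if at least one ignored option was found, 1 otherwise.
find_ignored_user_only() {
    conf=$1
    [ -r "$conf" ] || return 1
    awk '
        /^[ \t]*#/ { next }          # comment line
        NF == 0    { next }          # blank line
        {
            opt = toupper($1)        # option names are case-insensitive
            if (opt == "TLS_CERT" || opt == "TLS_KEY") {
                printf "%s:%d: %s is user-only and ignored here\n", FILENAME, NR, opt
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# The private key cannot be password-protected, so file permissions are
# its only protection. Returns 0 if group and other have no access at all
# (assumed policy), 1 if they do, 2 if the path is not a regular file.
key_is_private() {
    key=$1
    [ -f "$key" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -lLd "$key" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Typical use (paths are examples):
#   find_ignored_user_only /etc/openldap/ldap.conf
#   key_is_private "$HOME/client.key" || echo "key readable by group/other"
```

Options flagged by the first function take effect when moved to a per-user file such as ~/.ldaprc or set through the matching LDAP-prefixed environment variables (LDAPTLS_CERT, LDAPTLS_KEY).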