
Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)



Please read this chapter again, carefully.

http://www.openldap.org/doc/admin24/tls.html


A. Schulze wrote:


On 09.02.2017 at 22:32, Ralf Mattes wrote:
Is this really the problem? I only use TLSCACertificateFile but still get all the
intermediate certificates as well as the top level (German Telekom) cert.

Ah!

Both TLSCACertificateFile and TLSCACertificatePath contain the acceptable issuer certificates
for connections from a client /to/ slapd if TLSVerifyClient is not "none",
just as Quanah pointed out some messages ago...

In any case the list of DNs is sent to the client as part of the SSL handshake.

If it happens that TLSCACertificateFile and/or TLSCACertificatePath
contain certificates related to the server certificate chain,
these are also sent to build this cert chain.

But even if TLSCertificateFile points to a file containing cert + intermediate,
OpenLDAP still delivers only the cert to the client
(if TLSCACertificateFile and TLSCACertificatePath are unset).

I'm confused because it's different than postfix, for example.

There I configure "smtpd_tls_cert_file = $cert_and_intermediates".
Optionally I may enable "smtpd_tls_ask_ccert = yes".
Then the SMTP server asks the client to present a client cert;
I have to configure smtpd_tls_CAfile or smtpd_tls_CApath.

The difference between smtpd_tls_CAfile and smtpd_tls_CApath in postfix:
( see http://www.postfix.org/postconf.5.html#smtpd_tls_CApath )
  "In contrast to smtpd_tls_CAfile, DNs of Certification Authorities
   installed in $smtpd_tls_CApath are not included in the client
   certificate request message."

And this is what you see, Ralf ...
OpenLDAP always sends the list of DNs.

Hope that helps.
Andreas
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
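The "list of DNs" Andreas describes, sent when slapd (TLSVerifyClient other than "none") or Postfix (smtpd_tls_ask_ccert) asks for a client certificate, is the certificate_authorities field of the TLS 1.2 CertificateRequest message. The parser below is an added example, not code from the thread, OpenLDAP or Postfix; the CertificateRequest it decodes is constructed inline with made-up CA names, so it runs offline.

```python
# Added example (not code from the thread, OpenLDAP or Postfix): parse the certificate_authorities
# list of a TLS 1.2 CertificateRequest (RFC 5246 7.4.4), the "list of DNs" a client sees.
import struct

OID_NAMES = {bytes.fromhex("550403"): "CN", bytes.fromhex("55040a"): "O",
             bytes.fromhex("550406"): "C"}          # X.520 attribute types used below

def tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def dn_to_str(der_name):
    """Render a DER X.501 Name (SEQUENCE of SET of AttributeTypeAndValue) as C=..,O=..,CN=.."""
    parts, pos, seq = [], 0, tlv(der_name, 0)[1]
    while pos < len(seq):
        _, rdn_set, pos = tlv(seq, pos)
        atv = tlv(rdn_set, 0)[1]                      # single-valued RDNs only
        _, oid, p = tlv(atv, 0)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={tlv(atv, p)[1].decode()}")
    return ",".join(parts)

def parse_certificate_request(body):
    """Return the acceptable-CA DNs (as strings) from a TLS 1.2 CertificateRequest body."""
    pos = 1 + body[0]                                 # skip certificate_types<1..255>
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip supported_signature_algorithms
    ca_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end, dns = pos + 2, pos + 2 + ca_len, []
    while pos < end:                                  # each DN: 2-byte length + DER Name
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        dns.append(dn_to_str(body[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    return dns

# --- constructed sample message (short-form DER lengths suffice for these small names) ---
def der(tag, body):
    return bytes([tag, len(body)]) + body
def name(**attrs):                                    # e.g. name(C="DE", CN="x"), in order
    oids = {v: k for k, v in OID_NAMES.items()}
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oids[k]) + der(0x0c, v.encode())))
                              for k, v in attrs.items()))
def build_certificate_request(ca_names):
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([1, 0x01]) + struct.pack("!H", 2) + b"\x04\x01"   # rsa_sign; sha256/rsa
            + struct.pack("!H", len(cas)) + cas)
SAMPLE = build_certificate_request([name(C="DE", O="Example Org", CN="Constructed Root CA"),
                                    name(C="DE", O="Example Org", CN="Constructed Intermediate CA")])
```

`parse_certificate_request(SAMPLE)` lists both constructed CA DNs; against a real server the same body can be captured from the handshake and fed to the parser to confirm exactly which issuers are being advertised.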