Oh, thanks for clearing up the confusion, then is there anyway to
prevent openldap from sending its server certificate as a client one
when connecting to the meta target? I mean other than changing the
TLSVerifyClient on the remote host as we don't have access to do this.
Quoting Howard Chu <hyc(a)symas.com>:
> Full_Name: Mohammad Nweider
> Version: master
> OS: Redhat Linux
> Submission from: (NULL) (188.8.131.52)
> We've found a small bug when trying to run openldap with meta
> backend, what we
> were trying to achieve is to have our server listens on ssl/tls port and to
> communicate with the meta targets over ssl/tls as well, but due to
> the fact that
> we're using a self-signed certificate and we don't have access to manage the
> meta targets, we wanted to skip the client certificate verification when
> connecting to the meta targets, so we tried adding idassert-bind
> tls_reqcert=never to our meta config for this purpose, but unfortunately it
> didn't work as expected.
There is no bug here. The tls_reqcert setting controls whether the
local node requires the remote target to provide a valid server
certificate. It has nothing to do with client certificates at all.
> Whenever openldap has a certificate/key either in
> TLSCertificateFile/TLSCertificateKeyFile or in idassert-bind
> settings, it completely ignores tls_reqcert in idassert-bd%d!
Because the reqcert setting has nothing to do with this.
Closing this ITS.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/