Re: openldap and tls

Dave wrote: > Hello, > Thanks for your reply. I created a client certificate and key > and on the > client machine added TLS_CACERT, TLS_CERT, and TLS_KEY options. I > ensured > the key permissions are world readable and tried another > ldapsearch. I am > getting the same error, can not connect. On the server if i switch > TLSVerifyClient from demand to never it works fine. I'd like to > have both > the client and server verify each other, or is there a better way > of doing > this? TLS Private Keys are meant to be just that - private. Never make them world-readable. As documented http://www.openldap.org/software/man.cgi?query=ldap.conf&sektion=5&am... TLS_CERT/TLS_KEY are user-only options. You cannot configure them globally. Nor would it make any sense to do so - if anybody can copy them arbitrarily to another machine, then your whole point of verifying the client's identity is defeated. > Thanks. > Dave. > > > > ----- Original Message ----- > From: "Michael Ströder&quot;&lt;michael(a)stroeder.com&gt; > To:<openldap-software@openldap.org> > Sent: Thursday, February 14, 2008 10:24 AM > Subject: Re: openldap and tls > > >> Dave wrote: >>> When you say client i'm assuming your refering to the ldap client, >> Yes. >> >>> configuration file /usr/local/etc/openldap/ldap.conf, >> Concerning what the server slapd requires to come from the client is >> configured in the server's configuration. >> >>> Michael Ströder wrote: >>>> See man 5 slapd.conf for learning about what option >>>> TLSVerifyClient >>>> means. >> You should take my advice more literally. I'm not inventing >> comments just >> for fun. Please first check TLSVerifyClient in your slapd.conf. >> >> Ciao, Michael. > > -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/