Hi
On 1/22/07, S Kalyanasundaram skalyanasundaram@novell.com wrote:
I am about to ask this one. I am googling for help to configure openldap with TLS. And my client program should use ldap_start_tls_s for connection but with no certificate. Any help is appreciated.
From what I've been able to gather...
First, to establish a SSL/TLS connection, you must have a certificate, you can't do without one. Now you may very well not check the validity of the certificate. If you want your ldap client to not check the validity of the certificate, you use the following option in ldap.conf:

TLS_REQCERT never

(the default is demand for the client). The default for the openldap server is to NOT check the client certificate. You can change this behaviour with TLSVerifyClient in slapd.conf; it's all explained there: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
To force a specific level of encryption you use the option in slapd.conf:

security ssf=n update_ssf=n

Where n is the number of bits used in the encryption. ssf is for accessing the ldap (value of 0 is no protection at all), update_ssf is used for updating the database (add, delete, modify etc...). I found some explanation there: http://www.openldap.org/doc/admin23/security.html (stuff there needs to be checked, I found that many options aren't valid with my version of openldap 2.3.33).
Jean-Yves
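A small checker for the settings discussed in this thread, added here as an example (it is not code from the thread or from OpenLDAP): it parses ldap.conf / slapd.conf style directives and flags TLS_REQCERT never/allow on the client and a security ssf or update_ssf below an assumed minimum of 128 on the server. The config fragments are constructed for illustration.

```python
"""Audit OpenLDAP TLS settings in ldap.conf / slapd.conf fragments.

Added example, not code from the thread. It flags the weak choices discussed
there: a client that skips certificate verification (TLS_REQCERT never/allow)
and a server 'security' directive whose ssf or update_ssf is below MIN_SSF
(ssf=0 is no protection at all). MIN_SSF is an assumed local policy.
"""
import re

MIN_SSF = 128  # assumed policy: at least 128-bit-equivalent protection


def parse_directives(text):
    """Return (keyword, value) pairs; OpenLDAP keywords are case-insensitive."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split(None, 1)
            pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def audit(text):
    """Return human-readable findings for one config fragment ([] if clean)."""
    findings = []
    for key, value in parse_directives(text):
        v = value.lower()
        if key == "tls_reqcert" and v in ("never", "allow"):
            findings.append(f"TLS_REQCERT {value}: server certificate is not verified")
        elif key == "security":
            for name, num in re.findall(r"(\w+)=(\d+)", v):
                if name in ("ssf", "update_ssf") and int(num) < MIN_SSF:
                    findings.append(f"security {name}={num}: below minimum {MIN_SSF}")
    return findings


# Constructed fragments: the weak setting beside the corrected one.
WEAK_LDAP_CONF = """BASE dc=example,dc=com
URI ldap://ldap.example.com
TLS_REQCERT never   # any certificate is accepted, including a forged one
"""
HARDENED_LDAP_CONF = """BASE dc=example,dc=com
URI ldap://ldap.example.com
TLS_CACERT /etc/openldap/cacert.pem
TLS_REQCERT demand  # the client default: verify against the CA above
"""
WEAK_SLAPD_CONF = "security ssf=0 update_ssf=0\n"
HARDENED_SLAPD_CONF = "security ssf=128 update_ssf=128\n"
```

Run `audit()` over each fragment; the weak ones return findings and the hardened ones return an empty list.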