Hi, I'm using OpenLDAP as an LDAP proxy to another LDAP server. I'd like to get an LDAPS connection between these two servers, so I configured ldap.conf like this:

TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
TLS_REQCERT demand

My issue is that the SSL connection still works if I comment out the line with TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem, and it should not, because without this certificate authority my OpenLDAP proxy should not be able to check the certificate sent by the backend LDAP server. The only difference that I see without this line is in debug mode (slapd -d 1):

TLS certificate verification: Error, self signed certificate in certificate chain

but it works with this error.
So, do you have an idea how to force the SSL connection to fail if the certificate sent by the other LDAP server is not signed by my certificate authority?
Thanks, Thomas
> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
> TLS_REQCERT demand
> My issue is that the SSL connection still works if I comment out the line with TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem, and it should not, because without this certificate authority my OpenLDAP
> proxy should not be able to check the certificate sent by the backend LDAP server.
> TLS certificate verification: Error, self signed certificate in certificate chain
> but it works with this error.
You must have your root CA (self-signed). After that you create:
- CA and key for your LDAP server
- CA and key for the client
Both CA (client, server) you must sign with your CA root certificate.
Regards, Rafal
Small correction:
TLS_CACERT must be the certificate from a ROOT Certificate Authority, or a Certificate Authority certificate signed by a known parent CA. CA means "Certificate Authority". There can be multiple levels of Certificate Authority.
Every certificate has an Issuer (the Certificate Authority which signed the certificate) and a Subject, whose public key and other data are signed by the CA. If the certificate has the correct attributes, then it can be used to sign subordinate certificates.
A certificate which has the same issuer and subject is a ROOT certificate because there is no parent certificate.
You might want to check if there is also a TLS_CACERTDIR directive or similar which could still allow the client to locate the CA Certificate.
Owen
On Dec 29, 2006, at 5:32 AM, Rafal ((sxat)) wrote:
> > TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
> > TLS_REQCERT demand
> > My issue is that the SSL connection still works if I comment out the line with TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem, and it should not, because without this certificate authority my OpenLDAP
> > proxy should not be able to check the certificate sent by the backend LDAP server.
> > TLS certificate verification: Error, self signed certificate in certificate chain
> > but it works with this error.
> You must have your root CA (self-signed). After that you create:
> - CA and key for your LDAP server
> - CA and key for the client
> Both CA (client, server) you must sign with your CA root certificate.
> Regards, Rafal
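The check Owen suggests, written out as an added example that is neither from this thread nor from the OpenLDAP project: it reads the uncommented directives of an ldap.conf and reports why verification might still let an untrusted backend certificate through (a TLS_REQCERT level below demand, no CA configured at all, or a TLS_CACERTDIR quietly supplying the CA even though TLS_CACERT is commented out). The sample configurations and the TLS_CACERTDIR path /etc/openldap/cacerts are constructed for the example.

```python
# Added example (not from this thread or the OpenLDAP project): audit the TLS
# verification directives of an ldap.conf when a connection keeps succeeding
# although TLS_CACERT is commented out. Assumptions: '#' starts a comment line,
# keywords match case-insensitively, TLS_REQCERT defaults to "demand".

STRICT = {"demand", "hard"}      # a failed verification terminates the session
LAX = {"never", "allow", "try"}  # a failed verification is ignored


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for the uncommented directives in text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def audit_tls(settings):
    """List the reasons an untrusted backend certificate might be accepted."""
    findings = []
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    ca_file, ca_dir = settings.get("TLS_CACERT"), settings.get("TLS_CACERTDIR")
    if reqcert in LAX:
        findings.append(f"TLS_REQCERT {reqcert}: verification errors are tolerated")
    elif reqcert not in STRICT:
        findings.append(f"TLS_REQCERT {reqcert}: not a level listed in ldap.conf(5)")
    if ca_file is None and ca_dir is None:
        findings.append("no TLS_CACERT and no TLS_CACERTDIR: no trust anchor, so "
                        "the peer chain ends in an unknown self-signed certificate")
    elif ca_file is None:
        findings.append(f"TLS_CACERT unset, but TLS_CACERTDIR {ca_dir} still "
                        "supplies CA certificates, so verification can succeed")
    return findings


# Constructed samples: the thread's ldap.conf with TLS_CACERT commented out, the
# same plus a (hypothetical) CA directory as Owen suggests, and the intended file.
THREAD_CONF = "#TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem\nTLS_REQCERT demand\n"
DIR_CONF = THREAD_CONF + "TLS_CACERTDIR /etc/openldap/cacerts\n"
FIXED_CONF = THREAD_CONF.lstrip("#")

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("cacertdir", DIR_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_tls(parse_ldap_conf(conf)) or ["ok"])
```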
openldap-software@openldap.org