12:45 a.m.
Hi,
i'm using openldap as a ldap proxy to an an other ldap server.
I'd like to get a ldaps connexion between this 2 servers.
so, i configured ldap.conf like this:
TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
TLS_REQCERT demand
My issue is that the ssl connexion still works if i comment the line with TLS_CACERT
/usr/local/etc/raddb/RTFE/conca.pem.
and it should not because without this certificate authority my openldap proxy should not
be able to check the certificate sent by the backend ldap.
the only difference that i see without this line is in debug mode (slapd -d 1):
TLS certificate verification: Error, self signed certificate in certificate chain
but it works with this error.
so, do you have an idea to force the ssl connexion to fail if the certificate sent by the
other ldap server is not signed by my certificate authority ?
Thanks,
Thomas
5:32 a.m.
TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
TLS_REQCERT demand
My issue is that the ssl connexion still works if i comment the line with
TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem.
and it should not because without this certificate authority my openldap
proxy
should not be able to >check the certificate sent by the backend ldap.
TLS certificate verification: Error, self signed certificate in
certificate
chain
but it works with this error.
You must have your root CA -> selfsigned after you create
- CA and key for your LDAP server
- CA anad key for client
both CA(client,server) you must sign by your CA root certificate
pozdr
rafal
9:05 a.m.
Small correction:
TLS_CACERT must be the certificate from a ROOT Certificate Authority or
a Certificate Authority certification signed by a known parent CA. CA
means "Certificate Authority". There can be multiple levels of
Certificate
authority.
Every certificate has an Issuer (Certificate Authority) which signed the
certificate, and, a Subject whose public key and other data is signed
by the CA. If the certificate has the correct attributes, then, it
can be
used to sign subordinate certificates.
A certificate which has the same issuer and subject is a ROOT
certificate
because there is no parent certificate.
You might want to check if there is also a TLS_CACERTDIR directive
or similar which could still allow the client to locate the CA
Certificate.
Owen
On Dec 29, 2006, at 5:32 AM, Rafal ((sxat)) wrote:
> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
> TLS_REQCERT demand
> My issue is that the ssl connexion still works if i comment the
> line with
> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem.
> and it should not because without this certificate authority my
> openldap
proxy should not be able to >check the certificate sent by the
backend ldap.
> TLS certificate verification: Error, self signed certificate in
> certificate
chain
> but it works with this error.
You must have your root CA -> selfsigned after you create
- CA and key for your LDAP server
- CA anad key for client
both CA(client,server) you must sign by your CA root certificate
pozdr
rafal
5410
days inactive
5411
days old
openldap-software@openldap.org
2 comments
3 participants
participants (3)
-
jerrrry@voila.fr -
Owen DeLong -
Rafal (sxat)