Tony Earnshaw wrote:
Antonio Camacho wrote, on 10. apr 2007 17:20:
> My slapd.conf configuration:
> TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
> TLSCertificateFile /etc/openldap/cacerts/master.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/master- key.pem
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
Don't use this:
> TLSVerifyClient demand
If he's trying to use certificate-based authentication, then he needs
> My ldap.conf configuration:
> SIZELIMIT 0
> TIMELIMIT 0
> TLS_CACERT /etc/openldap/cacerts/cacert.pem
Don't use these:
> TLS_CERT /etc/openldap/cacerts/master.pem
> TLS_KEY /etc/openldap/cacerts/master-key.pem
Those two are ignored in ldap.conf anyway.
> TLS_REQCERT demand
This is the default for a client, and in most cases it ought to remain
with that setting.
> My .ldaprc configuration:
~/.ldaprc is redundant; scrap it.
No. If he is trying to use certificate-based authentication, then the
TLS_CERT and TLS_KEY directives belong in the ~/.ldaprc.
Since he didn't actually state whether he is trying to use cert-based
authentication or not, and nobody has actually asked that question yet,
you're offering advice without any factual basis for your suggestions.
Find out what the real problem is before offering advice. Find out what
the real goal is first.
From the information provided so far, all that's certain is that he has
a TLS certificate that is intended for use as a web server
authentication certificate. The fact that he's trying to use it in both
the server and the client configuration is the problem; the TLS library
checks the certificate purpose. The client sent a server cert to the
server, and the server won't allow it to be used for client authentication.
So, if the goal is to use certificate-based authentication, then the
solution is to generate a proper certificate without any usage
restrictions on it, or one that says it can be used for client
If the goal isn't to use certificate-based authentication, then some of
your advice is correct. But you don't know enough at this point to say
for certain. Ask for clarification before offering advice.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/