> Thanks for your reply. I created a client certificate and key and on the
> client machine added the TLS_CACERT, TLS_CERT, and TLS_KEY options. I ensured
> the key permissions are world readable and tried another ldapsearch. I am
> getting the same error, can not connect. On the server, if I switch
> TLSVerifyClient from demand to never it works fine. I'd like to have both
> the client and server verify each other, or is there a better way of doing

TLS Private Keys are meant to be just that - private. Never make them
TLS_CERT/TLS_KEY are user-only options. You cannot configure them globally.
Nor would it make any sense to do so - if anybody can copy them arbitrarily to
another machine, then your whole point of verifying the client's identity is
----- Original Message -----
From: "Michael Ströder" <michael(a)stroeder.com>
Sent: Thursday, February 14, 2008 10:24 AM
Subject: Re: openldap and tls
> Dave wrote:
>> When you say client, I'm assuming you're referring to the ldap client
>> configuration file /usr/local/etc/openldap/ldap.conf,
> What the server slapd requires to come from the client is
> configured in the server's configuration.
>> Michael Ströder wrote:
>>> See man 5 slapd.conf for learning about what option TLSVerifyClient
> You should take my advice more literally. I'm not inventing comments just
> for fun. Please first check TLSVerifyClient in your slapd.conf.
> Ciao, Michael.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
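Added example for this thread (not code from any of the posts above, nor from OpenLDAP itself): the split the replies describe, as a small POSIX sh script. TLSVerifyClient is a slapd.conf (server) option, shown first with the "never" value the poster fell back to and then with "demand" for mutual verification; TLS_CERT/TLS_KEY are user-only client options, so they are written to the user's ~/.ldaprc rather than the global ldap.conf; and a check refuses a private key that is group- or world-readable, since a key anybody can copy defeats the point of verifying the client. All paths, the host name ldap.example.com and the base DN dc=example,dc=com are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the list posts or the OpenLDAP sources.
# File paths, host name and base DN below are assumptions for illustration.

# slapd.conf TLS stanza. $1 is the TLSVerifyClient value (never|allow|try|demand).
#   slapd_tls_stanza never   -> only the server is authenticated (the fallback in the thread)
#   slapd_tls_stanza demand  -> the handshake fails unless the client presents a
#                               certificate that chains to TLSCACertificateFile
slapd_tls_stanza() {
    cat <<EOF
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSVerifyClient $1
EOF
}

# Per-user client configuration. TLS_CERT and TLS_KEY are user-only options,
# so they go in $HOME/.ldaprc; the global ldap.conf may carry URI, BASE and
# TLS_CACERT but not a certificate that identifies a particular user.
# TLS_REQCERT demand makes the client reject a server it cannot verify, which
# together with TLSVerifyClient demand on the server gives verification both ways.
# $1 is the home directory to write into (a scratch directory in the test).
write_ldaprc() {
    home=$1
    cat > "$home/.ldaprc" <<EOF
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/certs/ca.pem
TLS_CERT    $home/.ldap/client.pem
TLS_KEY     $home/.ldap/client.key
TLS_REQCERT demand
EOF
}

# Private key check: returns 0 only when group and other have no permission bits.
# Columns 5-10 of `ls -ld` are the group and other permission triplets.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Restrict a key file to its owner (mode 600) and confirm the result.
lock_down_key() {
    chmod 600 "$1" && key_is_private "$1"
}

# Typical use once the certificate files exist:
#   slapd_tls_stanza demand >> /etc/openldap/slapd.conf   # server: require client certs
#   write_ldaprc "$HOME"
#   lock_down_key "$HOME/.ldap/client.key"                 # never world-readable
#   ldapsearch -ZZ -x -b dc=example,dc=com '(uid=dave)'   # -ZZ: StartTLS must succeed
```

The `ldapsearch -ZZ` line runs as the user whose ~/.ldaprc holds TLS_CERT/TLS_KEY; run as another user, or with the options placed only in the global ldap.conf, slapd configured with TLSVerifyClient demand will still reject the connection because no client certificate is offered.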