7:24 a.m.
Dave wrote:
When you say client i'm assuming your refering
to the ldap client,
Yes.
configuration file /usr/local/etc/openldap/ldap.conf,
Concerning what the server slapd requires to come from the client is
configured in the server's configuration.
Michael Ströder wrote:
> See man 5 slapd.conf for learning about what option TLSVerifyClient
> means.
You should take my advice more literally. I'm not inventing comments
just for fun. Please first check TLSVerifyClient in your slapd.conf.
Ciao, Michael.
10:02 a.m.
New subject: openldap and tls
Hello,
Thanks for your reply. I created a client certificate and key and on the
client machine added TLS_CACERT, TLS_CERT, and TLS_KEY options. I ensured
the key permissions are world readable and tried another ldapsearch. I am
getting the same error, can not connect. On the server if i switch
TLSVerifyClient from demand to never it works fine. I'd like to have both
the client and server verify each other, or is there a better way of doing
this?
Thanks.
Dave.
----- Original Message -----
From: "Michael Ströder" <michael(a)stroeder.com>
To: <openldap-software(a)openldap.org>
Sent: Thursday, February 14, 2008 10:24 AM
Subject: Re: openldap and tls
Dave wrote:
> When you say client i'm assuming your refering to the ldap client,
Yes.
> configuration file /usr/local/etc/openldap/ldap.conf,
Concerning what the server slapd requires to come from the client is
configured in the server's configuration.
>Michael Ströder wrote:
>> See man 5 slapd.conf for learning about what option TLSVerifyClient
>> means.
You should take my advice more literally. I'm not inventing comments just
for fun. Please first check TLSVerifyClient in your slapd.conf.
Ciao, Michael.
10:30 a.m.
New subject: openldap and tls
Dave wrote:
Hello,
Thanks for your reply. I created a client certificate and key and on the
client machine added TLS_CACERT, TLS_CERT, and TLS_KEY options. I ensured
the key permissions are world readable and tried another ldapsearch. I am
getting the same error, can not connect. On the server if i switch
TLSVerifyClient from demand to never it works fine. I'd like to have both
the client and server verify each other, or is there a better way of doing
this?
TLS Private Keys are meant to be just that - private. Never make them
world-readable.
As documented
http://www.openldap.org/software/man.cgi?query=ldap.conf&sektion=5&am...
TLS_CERT/TLS_KEY are user-only options. You cannot configure them globally.
Nor would it make any sense to do so - if anybody can copy them arbitrarily to
another machine, then your whole point of verifying the client's identity is
defeated.
Thanks.
Dave.
----- Original Message -----
From: "Michael Ströder"<michael(a)stroeder.com>
To:<openldap-software@openldap.org>
Sent: Thursday, February 14, 2008 10:24 AM
Subject: Re: openldap and tls
> Dave wrote:
>> When you say client i'm assuming your refering to the ldap client,
> Yes.
>
>> configuration file /usr/local/etc/openldap/ldap.conf,
> Concerning what the server slapd requires to come from the client is
> configured in the server's configuration.
>
>> Michael Ströder wrote:
>>> See man 5 slapd.conf for learning about what option TLSVerifyClient
>>> means.
> You should take my advice more literally. I'm not inventing comments just
> for fun. Please first check TLSVerifyClient in your slapd.conf.
>
> Ciao, Michael.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:36 p.m.
New subject: openldap and tls
Howard is right, the reason it can not be global is if it were global,
then it would have to be world readable (so all users of the
ldapsearch tool could read the cert) and thus you could copy it to
your desktop and subvert the client to host security.
If it's in your homedir (.ldaprc) then you can control access.
(of course there are some obscure ways of going around this with suid
and such but that is not really very secure)
Sellers
On Feb 14, 2008, at 1:30 PM, Howard Chu wrote:
Dave wrote:
> Hello,
> Thanks for your reply. I created a client certificate and key
> and on the
> client machine added TLS_CACERT, TLS_CERT, and TLS_KEY options. I
> ensured
> the key permissions are world readable and tried another
> ldapsearch. I am
> getting the same error, can not connect. On the server if i switch
> TLSVerifyClient from demand to never it works fine. I'd like to
> have both
> the client and server verify each other, or is there a better way
> of doing
> this?
TLS Private Keys are meant to be just that - private. Never make
them world-readable.
As documented
http://www.openldap.org/software/man.cgi?query=ldap.conf&sektion=5&am...
TLS_CERT/TLS_KEY are user-only options. You cannot configure them
globally. Nor would it make any sense to do so - if anybody can copy
them arbitrarily to another machine, then your whole point of
verifying the client's identity is defeated.
> Thanks.
> Dave.
>
>
>
> ----- Original Message -----
> From: "Michael Ströder"<michael(a)stroeder.com>
> To:<openldap-software@openldap.org>
> Sent: Thursday, February 14, 2008 10:24 AM
> Subject: Re: openldap and tls
>
>
>> Dave wrote:
>>> When you say client i'm assuming your refering to the ldap client,
>> Yes.
>>
>>> configuration file /usr/local/etc/openldap/ldap.conf,
>> Concerning what the server slapd requires to come from the client is
>> configured in the server's configuration.
>>
>>> Michael Ströder wrote:
>>>> See man 5 slapd.conf for learning about what option
>>>> TLSVerifyClient
>>>> means.
>> You should take my advice more literally. I'm not inventing
>> comments just
>> for fun. Please first check TLSVerifyClient in your slapd.conf.
>>
>> Ciao, Michael.
>
>
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
______________________________________________
Chris G. Sellers | NITLE - Technology Team
734.661.2318 | chris.sellers(a)nitle.org
AIM: imthewherd | GoogleTalk: cgseller(a)gmail.com
5214
days inactive
5214
days old
openldap-software@openldap.org
3 comments
4 participants
participants (4)
-
Chris G. Sellers -
Dave -
Howard Chu -
Michael Ströder