E.therepa wrote:
Dear Tech list,
I'd like to use CRL's to regulate client connections to my slapd server. So i've build working certs and keys with gnutls. The whole keysetup is tested and working properly, by invoking gnu-serv and gnu-cli i could succesfully create connections and drop clients in my revocation list.
In order to use this in slapd/ldap utils i use this settings,
slapd.conf, TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key TLSCRLFile /etc/ldap/ssl/crl.pem TLSCipherSuite SECURE256:-VERS-SSL3.0 TLSVerifyClient hard
ldap.conf # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
cert and key are invalid in a .conf file. Read the ldap.conf(5) manpage more carefully.
TLS_REQCERT hard
As far as i can see and found info my client and servers TLS settings are configured properly. What i really don't get is that the client doesnt send his certs to the server.