Re: slapd verifyclient fails on demand
E.therepa wrote:
Dear Tech list,
I'd like to use CRL's to regulate client connections to my slapd server.
So i've build working certs and keys with gnutls. The whole keysetup is tested and
working properly,
by invoking gnu-serv and gnu-cli i could succesfully create connections and drop clients
in my revocation list.
In order to use this in slapd/ldap utils i use this settings,
slapd.conf,
TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
TLSCRLFile /etc/ldap/ssl/crl.pem
TLSCipherSuite SECURE256:-VERS-SSL3.0
TLSVerifyClient hard
ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
cert and key are invalid in a .conf file. Read the ldap.conf(5) manpage
more carefully.
TLS_REQCERT hard
As far as i can see and found info my client and servers TLS settings
are configured properly.
What i really don't get is that the client doesnt send his certs to the server.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/