On 03/10/11 21:43 +0200, Andreas Rudat wrote:
Am 03.10.2011 20:51, schrieb Dan White:
On 03/10/11 19:41 +0200, Andreas Rudat wrote:
tls_cert tls_key
My mail client may have corrupted this part of your configuration. You'll of course need valid entries here.
These options are defaults in my conf. With some comments, after installing the slapd package
You'll need to create a (client) certificate and populate those two values, or otherwise find a way to specify them while performing your ldapsearch command.
I don't see how you will will be able to obtain SASL EXTERNAL over STARTTLS otherwise.
And again, you'll need to properly configure TLSVerifyClient/olcTLSVerifyClient in your OpenLDAP server config.
So I added this to cn=config:
|*|add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem|*
I think, thats what you meant?
... and olcTLSVerifyClient.
When properly configured, your list of supportedSASLMechanisms should
include 'EXTERNAL'.
For reference, see the manpages for ldap.conf and slapd-config (or slapd.conf), and see the OpenLDAP Administrator's Guide.
I'd recommend depending a lot less on the howto you are reading, and a lot more on the above documentation.