Hello,
Sorry if my question seem to be simple but I've read the ldap.conf manpage and I would like to clarify what I understood
ldap.conf is the configuration file read by the ldap client.
TLS_REQCERT never means that the client doesn't ask the server for a certificate. Therefore the server will not sent its certificate. Even for LDAPS (LDAP over SSL)
TLS_CACERT /usr/local/ssl/certs/AD_CA_CERT.pem it's the ca cert, if the ldap server sends a certificate, it has to be signed or at least validated by this CA cert. Even for LDAPS (LDAP over SSL) TLS_CACERTDIR This directory will be parsed for CA certs. If one of the CA cert validates the certificate sent by the LDAP server, the LDAP connexion can happen. Even for LDAPS (LDAP over SSL)
I have a few questions though 1) The statements TLS_CACERT and TLS_CACERTDIR seem to be a bit redundant. Why use the TLS_CACERT statement, we can have multiple CA cert right ? 2) I read that some people tell to have both "TLS_REQCERT never" and "TLS_CACERTDIR" or "TLS_CACERT". Why would you specify a CA cert if our client doesn't request and certificate from the LDAP server ? 3) I will use "TLS_CACERT" and "TLS_KEY" on my client, if I want my client to be authenticated by the LDAP server 4) All these statements are also valid for LDAP over SSL. Correct ?
Thank you for your answers