I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system.
I believe I have TLS encryption working but I'd like to be able to verify my client connections.
On my LDAP server I have the following in slapd.conf
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem
TLSCACertificateFile /etc/openldap/cacerts/slapdcert.pem
On the client I have the following in /etc/ldap.conf
uri ldaps://10.70.5.67/
ssl on
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer no
On the client /etc/openldap/ldap.conf
URI ldaps://10.70.5.67/
TLS_CACERT /etc/openldap/cacerts/slapdcert.pem
TLS_REQCERT demand
These commands work both from the client and server.
openssl s_client -connect servername:636 -showcerts
ldapsearch -x -H ldaps://servername -b dc=domain,dc=domain -D cn=root,dc=domain,dc=domain -W
So my first question would be: does this guarantee encrypted sessions? Second, if I change tls_checkpeer to yes then I can't contact the LDAP server. How can I verify my clients?
-Mike
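An added example, not part of Mike's post, that checks from a client what tls_checkpeer yes / TLS_REQCERT demand will check before the setting is turned on: that the server's certificate chain validates against the configured CA file, and that the certificate's CN matches the host named in the URI (a chain can validate and still fail if the URI uses an IP address or a name the certificate was not issued for). With ldaps:// the session is encrypted either way; what tls_checkpeer no gives up is verification that the far end is the intended server. The script assumes a POSIX sh with openssl in PATH; the host name ldap.example.com, the CA path and the sample openssl output are constructed for the example and not taken from the post.

```shell
#!/bin/sh
# Added example: diagnose why tls_checkpeer yes / TLS_REQCERT demand fails.
# Not from the original post. Host, port, CA file and sample output are
# hypothetical/constructed.

# Return 0 if openssl s_client output read from stdin reports a verified chain.
chain_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Print the CN from the "subject=" line of s_client output on stdin.
# Handles both the old "subject=/C=US/CN=host" and the newer
# "subject=C = US, CN = host" formats.
server_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# Return 0 if an /etc/ldap.conf (nss_ldap/pam_ldap style) text on stdin
# contains "tls_checkpeer yes", i.e. the client will refuse an unverified server.
checkpeer_enabled() {
    grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+yes'
}

# Connect to host $1 on port $2 (default 636), validate the chain against CA
# file $3 and compare the certificate CN with the host used in the URI.
# Exit status: 0 ok, 1 chain does not validate, 2 name mismatch.
ldaps_verify() {
    host=$1; port=${2:-636}; cafile=$3
    # "echo |" closes stdin so s_client exits after the handshake.
    out=$(echo | openssl s_client -connect "$host:$port" -CAfile "$cafile" -showcerts 2>/dev/null)
    if ! printf '%s\n' "$out" | chain_verified; then
        printf '%s\n' "$out" | grep 'Verify return code'
        echo "chain does not validate against $cafile; check TLSCACertificateFile/tls_cacertfile" >&2
        return 1
    fi
    cn=$(printf '%s\n' "$out" | server_cn)
    if [ "$cn" != "$host" ]; then
        echo "certificate CN '$cn' does not match URI host '$host'; use that name in the uri/URI line or reissue the certificate" >&2
        return 2
    fi
    echo "ok: chain verified and CN matches $host; tls_checkpeer yes should work"
}

# Constructed sample s_client output (not captured from a real server):
# a chain that validates, and a self-signed certificate checked without its CA file.
SAMPLE_VERIFIED='subject=/C=US/O=Example/CN=ldap.example.com
issuer=/C=US/O=Example/CN=Example CA
Verify return code: 0 (ok)'
SAMPLE_SELF_SIGNED='subject=/CN=ldap.example.com
issuer=/CN=ldap.example.com
Verify return code: 18 (self signed certificate)'

# Constructed /etc/ldap.conf fragments: the weak setting and the corrected one.
# For a self-signed server certificate the CA file is the certificate itself.
CLIENT_CONF_WEAK='uri ldaps://10.70.5.67/
ssl on
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer no'
CLIENT_CONF_FIXED='uri ldaps://ldap.example.com/
ssl on
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer yes'

# Usage against a real server (hypothetical host):
#   ldaps_verify ldap.example.com 636 /etc/openldap/cacerts/slapdcert.pem
```

A non-zero result from ldaps_verify is the same failure ldapsearch will hit once tls_checkpeer is yes or TLS_REQCERT is demand; the ldapsearch on the page can be run under the strict setting without editing the file via `LDAPTLS_REQCERT=demand ldapsearch -x -H ldaps://<name-in-cert> ...`, which the OpenLDAP client libraries honour.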