On Wed, Oct 07, 2015 at 02:13:38AM +0500, Aneela Saleem wrote:
> I have followed this link to generate self-signed certificates. I have successfully performed server side validation.
I assume that means that you have made an SSL or TLS connection to the server and done an LDAP operation, so this operation should succeed:
ldapwhoami -x -H ldap://my.server.com/ -ZZ
If it does not, you may need to specify the TLS_CACERT location in /etc/openldap/ldap.conf or temporarily provide the cert location in the environment:
LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ
Don't start trying to use any other clients until you have the command-line ones working properly.
> What if I want to access ldaps:// from another client? I have copied the servercrt.pem and serverkey.pem files to the client machine, and also added servercrt.pem to the client trust store. I'm using
NO! Don't ever give clients the secret key.
Assuming you followed http://www.openldap.org/faq/data/cache/185.html fully, you created two certificates: a master CA cert and a server-specific cert. You can use the CA cert to create as many server certs as you like, and client machines only need a copy of the CA cert to verify trust.
Andrew
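The two-certificate layout Andrew describes, as an added example that is not part of the original thread or the OpenLDAP FAQ: a private CA signs a server certificate, the server keeps its own key, and a client verifies the server certificate with nothing but ca.crt. The hostname my.server.com is taken from the thread; the working directory, file names and the use of the openssl command-line tool are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: build a CA, sign one server cert
# with it, and show what each side actually needs.  Paths and the hostname
# below are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-my.server.com}"

# Step 1: the master CA.  ca.key never leaves the signing machine.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example LDAP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: a server-specific cert signed by the CA.  server.key stays on
# the LDAP server; it is the secret that must never be copied to clients.
# A subjectAltName is added because modern TLS clients ignore the CN.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: the client-side check.  Only ca.crt is used, which is the same
# trust anchor you would hand to ldapwhoami via TLS_CACERT / LDAPTLS_CACERT:
#   LDAPTLS_CACERT=$WORK/ca.crt ldapwhoami -x -H ldap://$HOST/ -ZZ
client_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Negative case: a client trusting some other CA must reject the server
# cert, otherwise the trust store is not doing its job.
untrusted_ca_rejected() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Some Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  if openssl verify -CAfile "$WORK/other.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# The only file that belongs on a client machine.
client_bundle() {
  printf '%s\n' "$WORK/ca.crt"
}

make_ca
make_server_cert
if client_verifies; then
  echo "client verified $HOST's cert using only $(client_bundle)"
fi
```

The server directory ends up holding server.crt and server.key; the client copies ca.crt and nothing else. If a second LDAP server is added, make_server_cert is run again with a different HOST and existing clients trust it without any change, which is the property the CA gives you.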