On Friday 25 July 2008 17:16:12 John Oliver wrote:
On Fri, Jul 25, 2008 at 10:20:55AM +0200, Buchan Milne wrote:
On Friday 25 July 2008 01:13:37 John Oliver wrote:
On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
Any client will need to know about the CA that signed your self-signed cert.
I created my certificate with:
openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 3650
In slapd.conf I have:
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
What do I need to do differently?
Configure the *client* ???
The clients work perfectly with the working server. Why would they have to have a different configuration to talk to the backup LDAP server?
They don't necessarily need a different configuration, but it being valid for one server doesn't guarantee it will be valid for another server, especially when it comes to ssl, certificate validation etc.
At the moment, I'm far more interested in getting the second LDAP server working than I am in having perfect security.
Then it's easy, turn off SSL.
If you don't want to do that, turn off certificate validation. It's better than exposing keys.
Or, ensure that the "CA certificate" that the clients use contains the certificates of the issuer of both of the server certificates, and that the value of the subject CN on both certificates matches the name you use to connect to the servers.
Regards, Buchan
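Buchan's last point, as an added example that is not from the thread: a small Go program (standing in for `openssl verify`) creates two self-signed server certificates like the one produced by the `openssl req -new -x509` command above and runs the client-side check, which passes only when the client's CA bundle contains both issuers and the name the client dials matches the certificate. The hostnames are made up; modern clients match the name against the SubjectAltName rather than the CN, so the example sets both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mimics `openssl req -new -x509` from the thread: the certificate
// is its own issuer, so a client's CA bundle must contain this very cert.
func selfSigned(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // SAN; CN alone no longer satisfies name checks
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(3650 * 24 * time.Hour), // -days 3650
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// clientAccepts is what an LDAP client does on connect: does the server cert
// chain to something in the client's CA bundle, and does it carry the dialed name?
func clientAccepts(bundle []*x509.Certificate, server *x509.Certificate, dialName string) error {
	pool := x509.NewCertPool()
	for _, c := range bundle { pool.AddCert(c) }
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: dialName})
	return err
}

func main() {
	primary := selfSigned("ldap1.example.com") // constructed names
	backup := selfSigned("ldap2.example.com")
	fmt.Println("bundle has primary only:", clientAccepts([]*x509.Certificate{primary}, backup, "ldap2.example.com"))
	fmt.Println("bundle has both issuers:", clientAccepts([]*x509.Certificate{primary, backup}, backup, "ldap2.example.com"))
	fmt.Println("both issuers, wrong name:", clientAccepts([]*x509.Certificate{primary, backup}, backup, "ldap-backup.example.com"))
}
```

The first and third calls return an error (unknown authority, then hostname mismatch); only the second, with both issuers in the bundle and a matching name, returns nil.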