--On Tuesday, June 3, 2025 7:24 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
> Hi!
> I have a question:
> olcTLSCRLFile is SINGLE-VALUE in OpenLDAP 2.5
You use a GnuTLS linked build of OpenLDAP? That seems unlikely? Also, it takes a *list*.
    olcTLSCRLFile: <filename>
        Specifies a file containing a Certificate Revocation List to be used for verifying that certificates have not been revoked. This parameter is only valid when using GnuTLS.
If you're using OpenSSL linked OpenLDAP, then:
    olcTLSCRLCheck: <level>
        Specifies if the Certificate Revocation List (CRL) of the CA should be used to verify if the client certificates have not been revoked. This requires the olcTLSCACertificatePath parameter to be set. This parameter is ignored with GnuTLS. <level> can be specified as one of the following keywords:
        none    No CRL checks are performed
        peer    Check the CRL of the peer certificate
        all     Check the CRL for a whole certificate chain
Regards, Quanah
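A worked cn=config change for the OpenSSL-linked case Quanah describes, added here as an example and not part of the thread or of the OpenLDAP documentation. The directory path, the LDIF filename and the ldapi:/// URL are assumptions; the hashed-directory layout (<hash>.0 links for CA certificates, <hash>.r0 links for CRLs, produced by openssl rehash or c_rehash) is what OpenSSL expects from a CA path and is therefore what olcTLSCACertificatePath must point at.

```ldif
# Added example (not from the thread): turn on CRL checking for client
# certificates on an OpenSSL-linked slapd. /etc/ldap/cacerts and
# crlcheck.ldif are assumed names.
#
# Prepare the hashed directory first; olcTLSCRLCheck is ignored unless
# olcTLSCACertificatePath is set and the CRLs are findable there:
#
#     mkdir -p /etc/ldap/cacerts
#     cp ca.pem ca.crl.pem /etc/ldap/cacerts/
#     openssl rehash /etc/ldap/cacerts      # older OpenSSL: c_rehash /etc/ldap/cacerts
#
# Apply with:
#     ldapmodify -Y EXTERNAL -H ldapi:/// -f crlcheck.ldif
#
# Weak setting: with olcTLSCRLCheck at "none" (or unset) a revoked client
# certificate that still chains to a trusted CA is accepted.
#
#     olcTLSCRLCheck: none
#
# Corrected setting: point slapd at the hashed CA directory and check the
# CRL of every CA in the chain.
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/ldap/cacerts
-
replace: olcTLSCRLCheck
olcTLSCRLCheck: all
```

Two OpenSSL behaviours to plan for: with "all", a missing CRL for any CA in the chain fails verification outright (OpenSSL reports "unable to get certificate CRL"), so every issuing CA needs a CRL file in the directory, and a CRL whose nextUpdate has passed is treated as an error ("CRL has expired"), so the CRLs must be refreshed and re-hashed before they lapse rather than being copied in once. Use "peer" if only the issuing CA of the client certificate publishes a CRL.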