On Tue, Mar 13, 2012 at 11:30 AM, Rich Megginson <rich.megginson@gmail.com> wrote:
On 03/13/2012 12:03 PM, Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood <peterwood.sd@gmail.com> wrote:
Hi,
I set up an openldap-2.4.23 server.
Why? I'd suggest you start with the current release, 2.4.30.
You may also want to look at <http://www.openldap.org/its/index.cgi/?findid=7197>
That's the openldap version in the centos6.2 repo. In production I try to stick with stock versions.
Also, I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is enough to get StartTLS enabled.
Yes, it is.
It's very frustrating. I'd hate to go to ldaps just because I can't get StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
Can you provide the exact command line you are using to test the server connection? Note that if the client is using regular LDAP and not LDAPS nor LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.
This is exactly what I'm seeing. I misunderstood the documentation. I thought that when olcTLSVerifyClient is set to demand then a valid certificate is required and the connection will drop if one is not provided.
If you are trying to make the client always use SASL/EXTERNAL auth with a valid client cert, you must first force the server to reject any non-TLS/SSL connection using the sasl-secprops minssf setting.
Yes. I'd like the server to reject any non-TLS/SSL connections. I'll look into the settings you mentioned.
As I was typing this I received a few more answers. Thank you very much.
Last question:
In openldap the DSE is "dc=hr,dc=mydomain,dc=com".
Will that work, or does the DSE have to match the domain name, i.e. "dc=mydomain,dc=com"?
Thank you
Peter
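The point made in the thread, as an added cn=config example that is not from the original mail or from the OpenLDAP project: olcTLSVerifyClient only governs the TLS handshake, so on its own it never rejects a client that simply speaks plain LDAP; a security-strength floor on the server is what turns "demand" into "no certificate, no service". The certificate paths, the SSF value of 128 and the base DN in the comments are assumptions for illustration.

```ldif
# Added example, not from the original thread. Apply with something like:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f tls-enforce.ldif
# Certificate paths below are assumptions; use the server's real files.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
-
# "demand": the TLS handshake fails unless the client presents a certificate
# that chains to the CA above. A session that never starts TLS is unaffected,
# which is why this setting alone looked like it did nothing in the thread.
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
# Security-strength floor for every operation on every connection. A plain
# ldap:// session has SSF 0 and gets "confidentiality required" (LDAP error 13)
# until it issues StartTLS; ldaps:// and StartTLS sessions pass. 128 is an
# assumed value; pick one your negotiated cipher suites actually reach.
replace: olcSecurity
olcSecurity: ssf=128
-
# The setting named in the thread: the same floor for SASL binds specifically
# (SASL/EXTERNAL with the client certificate then only works over TLS).
replace: olcSaslSecProps
olcSaslSecProps: minssf=128

# Checks from a client (base DN assumed from the thread):
#   ldapsearch -x -H ldap://server -b dc=hr,dc=mydomain,dc=com
#     -> must now fail with "Confidentiality required"
#   ldapsearch -x -ZZ -H ldap://server -b dc=hr,dc=mydomain,dc=com
#     -> -ZZ forces StartTLS and aborts if it cannot be negotiated;
#        with TLS_CERT/TLS_KEY set in the client's ldaprc this exercises
#        the "demand" path, and without them the handshake is rejected
```

olcSecurity applies to every operation regardless of bind method, so it also closes the anonymous and simple-bind paths that olcSaslSecProps minssf on its own leaves open; keeping both is harmless and makes the intent explicit. Lower the floor on a test replica first: a value higher than the strength of any cipher suite the server and clients can negotiate locks everyone out, including ldapi:// administration unless ldapi is given a local SSF via the olcLocalSSF setting.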