Is it necessary to specify both TLS_CACERT and TLS_CACERTDIR?
Or can the full path to the CA cert be specified in TLS_CACERT? What does this mean?

16.2.2.1. TLS_CACERT <filename>
This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section (https://www.openldap.org/doc/admin24/tls.html#TLS%20Configuration), a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.

16.2.2.2. TLS_CACERTDIR <path>
This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well. If using Mozilla NSS, <path> may contain a cert/key database.
________________________________
From: Howard Chu <hyc@symas.com>
Sent: Friday, October 2, 2020 10:27 PM
To: Siddharth Jain <siddjain@live.com>; openldap-technical@openldap.org
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
Quanah Gibson-Mount wrote:
--On Saturday, October 3, 2020 12:36 AM +0000 Siddharth Jain siddjain@live.com wrote:
But ldapsearch throws an error:
$ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ
This is not valid.
Either you:
(a) use ldap:// with -ZZ (startTLS)
OR
(b) use ldaps://
Both will result in a TLS-secured connection if successful.
But you absolutely CANNOT combine startTLS + ldaps://
Also, TLS_CERT/TLS_KEY are user-only directives. Re-read the ldap.conf(5) manpage.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
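The two points in this thread (the TLS_CACERT / TLS_CACERTDIR question at the top, and Howard's rule that StartTLS with -ZZ belongs to ldap:// while ldaps:// must never be combined with -ZZ) can be turned into a small pre-flight check. The script below is an added example written for this page; it is not code from the thread, from OpenLDAP, or from any of the participants. It assumes an ldap.conf(5)-style file, and it assumes that a directory managed by c_rehash can be recognised by its hashed link names (eight hex digits, a dot, a digit). Per ldap.conf(5), TLS_CACERT is a single file path and TLS_CACERTDIR is a rehashed directory; either one on its own is enough to establish the client's trust anchors, so the check treats "both set" as allowed but not required.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of an OpenLDAP
# client's TLS settings. Assumptions are mine: ldap.conf(5) syntax, and a
# c_rehash'd directory is detected via its <hash>.<n> link names.

# tls_mode URI ZZ -> starttls | ldaps | plain | invalid
# ZZ is "yes" when -ZZ is on the ldapsearch command line.
# ldap:// + -ZZ  = StartTLS, ldaps:// alone = TLS from the first byte,
# ldaps:// + -ZZ = invalid (the combination rejected in the thread).
tls_mode() {
  uri=$1; zz=$2
  case "$uri" in
    ldaps://*) if [ "$zz" = yes ]; then echo invalid; else echo ldaps; fi ;;
    ldap://*)  if [ "$zz" = yes ]; then echo starttls; else echo plain; fi ;;
    *)         echo invalid ;;
  esac
}

# conf_value FILE KEY -> value of the first "KEY <value>" line, or empty.
# The [[:space:]] after KEY keeps TLS_CACERT from matching TLS_CACERTDIR.
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\)/\1/p" "$1" | head -n1
}

# ca_check FILE -> ok-file | ok-dir | ok-both | missing-file | dir-not-rehashed | none
# TLS_CACERT (a file) or TLS_CACERTDIR (a c_rehash'd directory) is enough;
# both are accepted but not required. Returns non-zero unless trust
# anchors are usable.
ca_check() {
  cacert=$(conf_value "$1" TLS_CACERT)
  cadir=$(conf_value "$1" TLS_CACERTDIR)
  status=none
  if [ -n "$cacert" ]; then
    # A full path to the CA bundle is what TLS_CACERT expects.
    [ -f "$cacert" ] || { echo missing-file; return 1; }
    status=ok-file
  fi
  if [ -n "$cadir" ]; then
    # Without c_rehash links libldap cannot look the CA up by subject hash.
    ls "$cadir" 2>/dev/null | grep -q '^[0-9a-f]\{8\}\.[0-9]$' \
      || { echo dir-not-rehashed; return 1; }
    [ "$status" = ok-file ] && status=ok-both || status=ok-dir
  fi
  echo "$status"
  [ "$status" != none ]
}

# Usage (constructed example): check a config, then classify an invocation.
# ca_check /etc/ldap/ldap.conf
# tls_mode ldaps://ldap.example.com:636 yes   # -> invalid
```

The `tls_mode` function classifies the URI/flag pair before anything is sent; the `ca_check` function reads the client config and confirms the trust anchors it names actually exist in the form libldap expects. Neither function contacts a server, so they can be run on a client before the first ldapsearch.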