manu@netbsd.org (Emmanuel Dreyfus) writes:
Hello
I would like to setup a ldaprc so that an application uses:
- a localhost-based slapd without authentication (just relying on
filesystem permissions on the slapd socket)
- if it is not available, a remote slapd, authenticating using client
certificate
Here is the desired ldaprc:

BASE dc=example,dc=net
URI ldapi:/// ldaps://ldap.example.net
TLS_CACERT /etc/openssl/ca.crt
TLS_CERT /etc/openssl/host.crt
TLS_KEY /etc/openssl/host.key
SASL_MECH EXTERNAL
TLS_REQCERT demand
Of course it will not work, as the ldapi:/// connection will present a certificate. I have the feeling the setup I am looking for cannot be configured. Is that right?
No, ldapi:/// doesn't present a certificate, but you may establish a startTLS session to ldapi:///, in this case the client requests a server certificate.
-Dieter
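The fallback the thread is asking about, as an added example (not code from either poster): a small POSIX sh script that picks the local ldapi:/// socket when it exists and the caller may write to it (that is, when filesystem permissions already authorise the caller), and otherwise falls back to the remote ldaps:// URI with SASL EXTERNAL and a client certificate. The socket path /var/run/ldapi, the use of ldapwhoami as the probe, and the LDAPTLS_* environment variables standing in for the TLS_* ldaprc lines are assumptions; the socket path in particular depends on how slapd was built.

```sh
#!/bin/sh
# Added example, not part of the original thread.
# Choose between a local ldapi:/// socket (peer-credential auth via
# SASL EXTERNAL, gated by filesystem permissions) and a remote ldaps://
# server (client-certificate auth via SASL EXTERNAL).

# Assumed defaults; override via the environment.
LDAPI_SOCKET="${LDAPI_SOCKET:-/var/run/ldapi}"        # assumption: slapd's ldapi socket path
REMOTE_URI="${REMOTE_URI:-ldaps://ldap.example.net}"  # from the ldaprc in the question
LDAPTLS_CACERT="${LDAPTLS_CACERT:-/etc/openssl/ca.crt}"
LDAPTLS_CERT="${LDAPTLS_CERT:-/etc/openssl/host.crt}"
LDAPTLS_KEY="${LDAPTLS_KEY:-/etc/openssl/host.key}"
LDAPTLS_REQCERT="${LDAPTLS_REQCERT:-demand}"
export LDAPTLS_CACERT LDAPTLS_CERT LDAPTLS_KEY LDAPTLS_REQCERT

# ldapi_usable SOCKET
# Succeeds only if SOCKET is a unix-domain socket this user may write to,
# which is exactly the "filesystem permission" check the question relies on.
ldapi_usable() {
    [ -S "$1" ] && [ -w "$1" ]
}

# choose_uri SOCKET REMOTE
# Prints ldapi:/// when the local socket is usable, otherwise REMOTE.
choose_uri() {
    if ldapi_usable "$1"; then
        printf '%s\n' 'ldapi:///'
    else
        printf '%s\n' "$2"
    fi
}

# probe
# Binds with SASL EXTERNAL against the chosen URI and prints the resulting
# authorisation identity. Over ldapi this is the caller's uid/gid; over
# ldaps it is the subject of the client certificate.
probe() {
    uri=$(choose_uri "$LDAPI_SOCKET" "$REMOTE_URI")
    printf 'using %s\n' "$uri" >&2
    ldapwhoami -H "$uri" -Y EXTERNAL -Q
}

# Only run the network probe when the OpenLDAP client tools are present,
# so the helper functions above can be sourced and tested anywhere.
if command -v ldapwhoami >/dev/null 2>&1; then
    probe || printf 'probe failed against %s\n' "$(choose_uri "$LDAPI_SOCKET" "$REMOTE_URI")" >&2
else
    printf 'ldapwhoami not installed; skipping probe\n' >&2
fi
```

Note that with URI listing both ldapi:/// and ldaps://ldap.example.net, libldap itself only moves on to the next URI when the connection to the earlier one fails, so the explicit socket check above is what lets an unprivileged caller skip a socket it cannot open rather than fail the bind.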