Peter Wood wrote:
On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood <peterwood.sd@gmail.com> wrote:
Hi, I set up an openldap-2.4.23 server
Why? I'd suggest you start with the current release, 2.4.30. You may also want to look at <http://www.openldap.org/its/index.cgi/?findid=7197>
That's the openldap version in centos6.2 repo. In production I try to stick with stock versions.
Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
I don't think StartTLS is enabled. I'm wondering if just setting olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is enough to get StartTLS enabled.
It's very frustrating. I'd hate to go to ldaps just because I can't get StartTLS working.
Is there anything else I have to set on the server to get StartTLS working?
No. StartTLS is an LDAP Request, the client has to ask for it. There is nothing a server can do to initiate it.
The TLSVerifyClient setting only affects sessions where the client has already initiated TLS. To force connections to require TLS, look at the olcRequires and olcSecurity settings in slapd-config(5).
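As an added illustration of the olcSecurity advice above (this LDIF is not from the thread and not OpenLDAP project code), the following cn=config modification sets the three TLS certificate attributes and then requires a minimum security strength factor for every operation, so a client that has not negotiated TLS (via StartTLS or ldaps) gets a "confidentiality required" error instead of plaintext access. The certificate paths are placeholders, and the LDAPI/EXTERNAL apply command assumes a stock cn=config setup where the root user is mapped to the config admin.

```ldif
# Added example, not from the original thread. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif
# Certificate paths below are placeholders; substitute your own files.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/PLACEHOLDER-ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/PLACEHOLDER-server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/PLACEHOLDER-server.key
-
# olcTLSVerifyClient only governs client-certificate checking inside an
# already-established TLS session; it does not force clients to use TLS.
# olcSecurity does: ssf=128 refuses any operation on a session whose
# negotiated security strength factor is below 128 bits. The StartTLS
# extended operation itself is exempt, so clients can still upgrade.
replace: olcSecurity
olcSecurity: ssf=128
```

To confirm the policy from a client, run a search once with `ldapsearch -ZZ` (which fails hard if StartTLS cannot be negotiated) and once without any TLS option; the second should be rejected by the server with a confidentiality-required result rather than returning entries. Because the slapd.conf equivalents (`security ssf=128`) behave the same way, the check works on either configuration style.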