Philip,
Thank you for your answer.
Have a good weekend


From: Philip Guenther <guenther+ldaptech@sendmail.com>
To: Mik J <mikydevel@yahoo.fr>
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Sent: Friday 15 March 2013 20:15
Subject: Re: ldap.conf clarification

On Fri, 15 Mar 2013, Mik J wrote:
> Sorry if my question seems to be simple but I've read the ldap.conf
> manpage and I would like to clarify what I understood
>
> ldap.conf is the configuration file read by the ldap client.
>
> TLS_REQCERT never
> means that the client doesn't ask the server for a certificate.
> Therefore the server will not send its certificate. Even for LDAPS (LDAP
> over SSL)

The text of the manpage is misleading: in TLS/SSL, the client does not
'request' a server certificate.  Whether the server sends its certificate
is not under the client's control, but rather is a property of the
cipher-suite that was selected.  For example, with AES256-SHA the server
cert is always sent.  (And no, TLS_REQCERT has no effect on the
cipher-suite selection.)

So, setting it to "never" just tells the client to do no checking of the
server certificate, if any, that is received.

(Note also: at least when using OpenSSL, the 'try' setting behaves exactly
the same as 'demand' and 'hard'.)


...
> I have a few questions though
> 1) The statements TLS_CACERT and TLS_CACERTDIR seem to be a bit
>    redundant. Why use the TLS_CACERT statement, we can have multiple CA
>    certs, right?

Sometimes it's easier to administer a single file of multiple certs
instead of a directory of hashed certificate names.


(On the server side, the certs in the olcTLSCACertificateFile file are
also used to generate the optional list of CA subjects included in the
client cert request, though many (most?) clients ignore that list.)


> 2) I read that some people say to have both "TLS_REQCERT never" and
> "TLS_CACERTDIR" or "TLS_CACERT". Why would you specify a CA cert if our
> client doesn't request a certificate from the LDAP server?

It's probably pointless.  I suppose it's possible to use "TLS_REQCERT
never" but also use client certs, in which case the client might need to
send certs for intermediate CA...but that would be a bizarre use-case.


> 3) I will use "TLS_CACERT" and "TLS_KEY" on my client, if I want my
>    client to be authenticated by the LDAP server

If you want to use TLS/SSL client certificate authentication, yes.  That
doesn't directly affect the identity it binds as, of course.


> 4) All these statements are also valid for LDAP over SSL. Correct?

Yes.


Philip Guenther
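As an added example that is not part of this thread (and not OpenLDAP's own code), a short Python check that parses an ldap.conf body and flags the combinations discussed above: TLS_REQCERT never (or allow) with a CA configured, 'try' behaving like 'demand' under OpenSSL, and TLS_KEY without its matching TLS_CERT. The hostname and file paths are constructed; the option names and the 'demand' default are those documented in ldap.conf(5).

```python
# Added example, not from the thread. Host and paths are constructed values;
# option names, values and the 'demand' default follow ldap.conf(5).

# Constructed sample: CA configured, but verification switched off (question 2).
WEAK_CONF = """\
URI ldaps://ldap.example.org
TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_REQCERT never
"""

# Constructed sample: verification on, plus a client cert/key pair (question 3).
HARDENED_CONF = """\
URI ldaps://ldap.example.org
TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_REQCERT demand
TLS_CERT /etc/ldap/client.crt
TLS_KEY /etc/ldap/client.key
"""


def parse_ldap_conf(text):
    """Map each 'OPTION value' line to {OPTION: value}. Keywords are
    case-insensitive, so they are upper-cased; blank and '#' lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def audit_tls(opts):
    """Return human-readable findings about the client's TLS settings."""
    findings = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()  # ldap.conf(5) default
    has_ca = "TLS_CACERT" in opts or "TLS_CACERTDIR" in opts
    if reqcert in ("never", "allow"):
        # The server still sends its cert (that depends on the cipher-suite);
        # the client just does not enforce it, so a bad cert is accepted.
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not enforced")
    if reqcert == "never" and has_ca:
        findings.append("TLS_CACERT/TLS_CACERTDIR is pointless with TLS_REQCERT never")
    if reqcert == "try":
        findings.append("TLS_REQCERT try: with OpenSSL this behaves like demand")
    if ("TLS_KEY" in opts) != ("TLS_CERT" in opts):
        findings.append("TLS_CERT and TLS_KEY must be set together for client-cert auth")
    return findings
```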