This really is a basic 'cert' issue.

There's a ton of non-openldap coverage of this topic (self-signed and CA purchased certs).

In a nutshell, you'll need to provide a way for your customers to use a cert of their choosing, and let them sort out how to get their clients to trust the signer of that cert.

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu
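Added example (mine, not code from the OpenLDAP FAQ or from either poster) that runs the cert half of the answer above end to end with openssl: it mints a CA standing in for the customer's, signs a server cert with it, and then checks that cert as a client would with two different trust stores. The server sends its own certificate in the TLS handshake, but never the CA certificate the client needs in order to trust it, so only the client that was given the customer's CA accepts the server. It also prints the two ldap.conf lines the FAQ's "install a copy of the CA certificate on all of your client machines" boils down to. Assumptions: openssl on PATH; the CA names, the hostname ldap.example.test and the install path /etc/openldap/customer-ca.pem are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the OpenLDAP FAQ or from either poster.
# Shows why the CA cert must be provisioned on the client: a TLS client only
# accepts the LDAP server's certificate if the CA that signed it is already in
# the client's trust store. CA names, hostname and paths are made-up values.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, standing in for the one the customer will supply.
make_ca() {   # $1 = directory, $2 = CA common name
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Server certificate for the LDAP host, signed by the CA in $1. The name in
# the cert (CN and SAN) must match the hostname the client connects to.
make_server_cert() {   # $1 = CA directory, $2 = server hostname
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/san.cnf" -out "$1/server.pem" >/dev/null 2>&1
}

# Would a client whose trust store is the CA file $1 accept server cert $2?
# Prints "trusted" or "rejected" and returns 0 or 1 accordingly. Checking for
# the ": OK" line instead of the exit code works across openssl versions.
client_verifies() {   # $1 = trust store (PEM CA file), $2 = server cert
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
        return 0
    fi
    echo rejected
    return 1
}

# The client-side configuration this comes down to: where the customer's CA
# file was installed (assumed path) and a policy that rejects servers whose
# cert does not chain to it (demand is ldap.conf's default; stated anyway).
# The libldap equivalents are ldap_set_option() with LDAP_OPT_X_TLS_CACERTFILE
# and LDAP_OPT_X_TLS_REQUIRE_CERT (LDAP_OPT_X_TLS_DEMAND), followed by
# LDAP_OPT_X_TLS_NEWCTX so the new settings take effect before ldap_start_tls_s().
ldap_conf_for() {   # $1 = path where the customer's CA PEM was installed
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

main() {
    make_ca "$WORK/customer" "Customer Example CA"   # the CA the customer uses
    make_ca "$WORK/other"    "Some Other CA"         # a CA the customer does not use
    make_server_cert "$WORK/customer" ldap.example.test

    printf 'client trusts the customer CA: '
    client_verifies "$WORK/customer/ca.pem" "$WORK/customer/server.pem" || true
    printf 'client trusts some other CA:   '
    client_verifies "$WORK/other/ca.pem" "$WORK/customer/server.pem" || true

    echo '--- ldap.conf lines the customer installs on each client ---'
    ldap_conf_for /etc/openldap/customer-ca.pem
}

main "$@"
```

Run it with `sh example.sh`. The second check is the situation the question describes: a client with no copy of the customer's CA (here, one that trusts a different CA) rejects the server even though the server cert itself arrived intact. That is why the device needs an upload or file path for the customer's CA PEM rather than relying on StartTLS to "transfer" anything.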


From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Mon Jul 12 19:20:58 2010
Subject: Another question about LDAP over SSL

Hi everyone.  I have another "duh" question.
 
I am writing software for a proprietary piece of hardware.  I will be using the C libraries for openldap.  I need to write some functions for LDAP so that the UI of the software has the option to authenticate a user via LDAP and LDAP over SSL.  Basically it will just act like a client that will Simple Bind to the LDAP server for authentication.
 
I read the document here.  http://www.openldap.org/faq/data/cache/185.html
 
I followed the instructions on the website to generate the SSL certs.
 
My question is, on the website above it says:
 
"You must also install a copy of the CA certificate on all of your client machines. Configuration is done in /usr/local/etc/openldap/ldap.conf:"
 
Does this mean I need to provide a way for the customer to manually transfer his/her CA cert to the proprietary hardware, if they want to use LDAP over SSL?  Or when I use the Start TLS function, do the certs automatically get transferred behind the scenes?
 
thanks


