Hi Andrew
I suspect that you do not want that. It would force every client to have a client-side X.509 certificate. Good for secure authentication, but more effort to manage than most people are prepared to handle.
Is it because of the certificate expiration or something like that that's hard to maintain?
That is because you tried to add it to a database but it is a global option.
I added it to the global section cn=config and do not see it.
Are you really using the BDB database? It has been deprecated for some time now. I would suggest using MDB.
Yes, my bad. After I went to production, I was told that backend was deprecated. Is there any doc on migrating from one backend to another, or should I reconfigure the whole database from scratch?
Thanks for your time and support, really appreciated. Regards.
2014-10-30 9:23 GMT-03:00 Andrew Findlay <andrew.findlay@skills-1st.co.uk>:
On Thu, Oct 30, 2014 at 08:11:31AM -0300, Net Warrior wrote:
1) Added tls_reqcert demand to the client side
2) Configured a user to bind instead of anonymous:
binddn cn=ldapuser,Ou=Users,dc=server,dc=com
bindpwd :$6$oZ8qYohy$lU0sYJXInOO1ISO4WKgzeuDyyFh9a
Good.
3) Added olcTLSVerifyClient: demand to the server side:
I suspect that you do not want that. It would force every client to have a client-side X.509 certificate. Good for secure authentication, but more effort to manage than most people are prepared to handle.
Object added to the server:
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcTLSVerifyClient
olcTLSVerifyClient: demand
I still have not corrected my ACL, but I do not see olcTLSVerifyClient: demand reflected in my configuration.
That is because you tried to add it to a database but it is a global option.
Are you really using the BDB database? It has been deprecated for some time now. I would suggest using MDB.
Andrew
From Andrew Findlay, Skills 1st Ltd
Consultant in large-scale systems, networks, and directory services
http://www.skills-1st.co.uk/ +44 1628 782565
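As an added example (mine, not code from the thread or from the OpenLDAP project), the two things the exchange above leaves implicit: the LDIF that puts olcTLSVerifyClient where slapd will accept it (on cn=config, next to the mistaken olcDatabase={2}bdb version for comparison), and a slapcat/slapadd outline of the BDB-to-MDB move that the question asks about. Assumptions: database number 2 and the dc=server,dc=com suffix come from the thread; the Debian-style paths /etc/ldap/slapd.d and /var/lib/ldap, the openldap service user, the list of BDB-only attributes that bdb_to_mdb drops, the 1 GiB olcDbMaxSize, and the sample dump in sample_bdb_config are my own. Check slapd-config(5) for your version and take a backup before running migrate_bdb_to_mdb.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP itself.
# Assumptions: database number 2, Debian-style paths, the BDB-only attribute
# list below, and a 1 GiB MDB map size.

# olcTLSVerifyClient is an attribute of olcGlobal, so the entry to modify is
# cn=config.  This is what the thread tried; slapd does not accept it there:
#   dn: olcDatabase={2}bdb,cn=config
#   changetype: modify
#   add: olcTLSVerifyClient
#   olcTLSVerifyClient: demand
# The working LDIF. $1 is one of never | allow | try | demand; "demand" rejects
# every client that cannot present a certificate, which is Andrew's caveat.
global_tls_verify_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSVerifyClient\nolcTLSVerifyClient: %s\n' "$1"
}

# Apply it as root over the local ldapi socket (SASL EXTERNAL = peer uid/gid).
apply_global_tls_verify() {
    global_tls_verify_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Rewrite the olcDatabase={N}bdb entry of a "slapcat -n 0" dump into an MDB one:
#   dn / olcDatabase value {N}bdb -> {N}mdb, olcBdbConfig -> olcMdbConfig,
#   drop BDB-only tuning attributes (back-mdb rejects them), and add
#   olcDbMaxSize (back-mdb has no cache; it needs a map size, default is small).
# Reads LDIF on stdin, writes LDIF on stdout; $1 = olcDbMaxSize in bytes.
bdb_to_mdb() {
    awk -v maxsize="$1" '
        /^dn: olcDatabase=[{][0-9]+[}]bdb,cn=config$/ { sub(/[}]bdb,/, "}mdb,") }
        /^olcDatabase: [{][0-9]+[}]bdb$/             { sub(/[}]bdb$/, "}mdb") }
        /^objectClass: olcBdbConfig$/                { $0 = "objectClass: olcMdbConfig" }
        /^structuralObjectClass: olcBdbConfig$/      { $0 = "structuralObjectClass: olcMdbConfig" }
        /^olcDb(Config|CacheSize|IDLcacheSize|DNcacheSize|ShmKey|CacheFree|LockDetect|DirtyRead|LinearIndex|PageSize|CryptFile|CryptKey): / { next }
        { print }
        /^olcDbDirectory: / { print "olcDbMaxSize: " maxsize }
    '
}

# Constructed sample of what "slapcat -n 0" shows for the BDB database
# (trimmed; a real dump also carries entryUUID, timestamps and more indexes).
sample_bdb_config() {
    cat <<'EOF'
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=server,dc=com
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbIndex: objectClass eq
structuralObjectClass: olcBdbConfig
EOF
}

# Migration outline. Run as root with slapd stopped and a backup taken.
# $1 = database number as shown by "slapcat -n 0" (2 in the thread).
migrate_bdb_to_mdb() {
    n=$1
    conf=/etc/ldap/slapd.d
    data=/var/lib/ldap
    slapcat -n 0    -F "$conf" -l config.ldif      # cn=config tree
    slapcat -n "$n" -F "$conf" -l data.ldif        # directory data
    bdb_to_mdb 1073741824 < config.ldif > config-mdb.ldif
    mv "$conf" "$conf.bdb" && mkdir -m 750 "$conf"   # keep the old config
    mv "$data" "$data.bdb" && mkdir -m 700 "$data"   # keep the old BDB files
    slapadd -n 0    -F "$conf" -l config-mdb.ldif
    slapadd -n "$n" -F "$conf" -l data.ldif
    chown -R openldap:openldap "$conf" "$data"
}

# Show the config rewrite on the sample: sh thisfile.sh demo
case "${1:-}" in
    demo) sample_bdb_config | bdb_to_mdb 1073741824 ;;
esac
```

Run the script with the single argument demo to see the rewritten entry without touching a server; migrate_bdb_to_mdb is only called by hand, after slapd is stopped, and the old slapd.d and data directories are moved aside rather than deleted so the change can be backed out.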