Hi Andrew

>I suspect that you do not want that. It would force every client to
>have a client-side X.509 certificate. Good for secure authentication,
>but more effort to manage than most people are prepared to handle.

Is it because of the certificate expiration or something like that that's hard to maintain?

>That is because you tried to add it to a database but it is a global option.
I added it to the global section cn=config and do not see it.

>Are you really using the BDB database? It has been deprecated for some time now.
>I would suggest using MDB

Yes, my bad. After I went to production I was told that backend was deprecated. Is there any doc related to migrating from one backend to another, or should I reconfigure the whole database from scratch?

Thanks for your time and support, really appreciated.
Regards.

2014-10-30 9:23 GMT-03:00 Andrew Findlay <andrew.findlay@skills-1st.co.uk>:
On Thu, Oct 30, 2014 at 08:11:31AM -0300, Net Warrior wrote:

> 1 ) Added tls_reqcert demand to the client side
> 2 ) Configured a user to bind instead of anonymous
>      binddn cn=ldapuser,Ou=Users,dc=server,dc=com
>      bindpwd  :$6$oZ8qYohy$lU0sYJXInOO1ISO4WKgzeuDyyFh9a

Good.

> 3 ) Added olcTLSVerifyClient:demand to server side:

I suspect that you do not want that. It would force every client to
have a client-side X.509 certificate. Good for secure authentication,
but more effort to manage than most people are prepared to handle.

> Object added to server:
>
> dn: olcDatabase={2}bdb,cn=config
> changetype: modify
> add: olcTLSVerifyClient
> olcTLSVerifyClient: demand
>
> Still I did not corrected my ACL but I do not see olcTLSVerifyClient:demand
> reflected on my configuration

That is because you tried to add it to a database but it is a global option.


Are you really using the BDB database? It has been deprecated for some time now.
I would suggest using MDB.

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
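Added example for the two points in this thread (written for this page; it is not code from the thread, from Andrew, or from the OpenLDAP project). The first helper builds the olcTLSVerifyClient modify against `dn: cn=config`, which is where the global option lives, instead of the database entry. The second rewrites the `olcDatabase={2}bdb,cn=config` entry of a `slapcat -n 0` dump as an equivalent `olcDatabase={2}mdb` entry so the directory data can be reloaded with `slapadd` rather than reconfigured from scratch. The sample dump, the database number 2, the `dc=server,dc=com` suffix taken from the thread, the 1 GiB `olcDbMaxSize` and the attribute lists are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): the two cn=config changes discussed.

 * tls_verify_client_ldif()  - olcTLSVerifyClient lives on dn: cn=config, so
   a modify against olcDatabase={2}bdb,cn=config targets the wrong entry;
   this builds the LDIF against the right one.
 * bdb_to_mdb()              - rewrite the olcDatabase={N}bdb (or hdb) entry
   of a `slapcat -n 0` dump as an olcDatabase={N}mdb entry, keeping suffix,
   rootdn, ACLs, indexes and directory, dropping BDB-only tuning attributes
   and adding olcDbMaxSize.  Sample data and sizes below are assumptions.
"""
import re
import sys

# Values accepted by olcTLSVerifyClient, per slapd-config(5).
TLS_VERIFY_LEVELS = ("never", "allow", "try", "demand")

# Attributes defined only for olcBdbConfig/olcHdbConfig; an olcMdbConfig
# entry rejects them, so the converter drops them.
BDB_ONLY = {
    "olcDbConfig", "olcDbCacheSize", "olcDbIDLcacheSize", "olcDbDNcacheSize",
    "olcDbCacheFree", "olcDbLockDetect", "olcDbShmKey", "olcDbLinearIndex",
    "olcDbDirtyRead", "olcDbCryptFile", "olcDbCryptKey", "olcDbPageSize",
}

# Constructed sample of a `slapcat -n 0` dump, reduced to the entries that
# matter; the folded olcAccess line mimics slapcat's 76-column wrapping.
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSVerifyClient: never

dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=server,dc=com
olcRootDN: cn=admin,dc=server,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=
 ldapuser,ou=Users,dc=server,dc=com" read by * none
olcDbDirectory: /var/lib/ldap
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbCacheSize: 1000
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
structuralObjectClass: olcBdbConfig
"""


def tls_verify_client_ldif(level):
    """LDIF for the global client-certificate policy.  'replace' keeps the
    change idempotent; 'never' is the default and what most sites want."""
    if level not in TLS_VERIFY_LEVELS:
        raise ValueError("olcTLSVerifyClient must be one of %s" % (TLS_VERIFY_LEVELS,))
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: olcTLSVerifyClient\n"
            "olcTLSVerifyClient: %s\n" % level)


def _unfold(block):
    """Join LDIF continuation lines (leading single space) onto their line."""
    lines = []
    for line in block.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def _convert_entry(lines, max_size):
    """Rewrite one unfolded entry; entries that are not bdb/hdb pass through."""
    m = re.match(r"dn: olcDatabase=\{(\d+)\}(bdb|hdb),cn=config$", lines[0])
    if not m:
        return lines
    idx = m.group(1)
    out = []
    for line in lines:
        attr, _, value = line.partition(": ")
        if attr == "dn":
            out.append("dn: olcDatabase={%s}mdb,cn=config" % idx)
        elif attr == "olcDatabase":
            out.append("olcDatabase: {%s}mdb" % idx)
        elif (attr in ("objectClass", "structuralObjectClass")
              and value in ("olcBdbConfig", "olcHdbConfig")):
            out.append("%s: olcMdbConfig" % attr)
        elif attr in BDB_ONLY:
            continue                      # no mdb equivalent; drop it
        else:
            out.append(line)              # suffix, rootdn, ACLs, indexes, ...
    # mdb sizes its map from olcDbMaxSize (only 10 MB by default), so set it.
    out.append("olcDbMaxSize: %d" % max_size)
    return out


def bdb_to_mdb(config_ldif, max_size=1073741824):
    """Return the whole cn=config dump with every bdb/hdb database converted."""
    entries = [_convert_entry(_unfold(b), max_size)
               for b in re.split(r"\n\n+", config_ldif.strip())]
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


if __name__ == "__main__":
    # usage: bdb2mdb.py config.ldif > config-mdb.ldif   ('-' reads stdin)
    src = sys.stdin if len(sys.argv) < 2 or sys.argv[1] == "-" else open(sys.argv[1])
    sys.stdout.write(bdb_to_mdb(src.read()))
```

The assumed migration sequence around the script (Debian-style paths and the `openldap` service user are assumptions, not from the thread): dump both the config and the data while slapd is still up with `slapcat -n 0 -l config.ldif` and `slapcat -n 2 -l data.ldif`, stop slapd, run the script over `config.ldif` to produce `config-mdb.ldif`, move the old `slapd.d` directory and the old BDB data directory aside (BDB leaves `__db.*` and log files there, and mdb wants an empty directory for its `data.mdb`), then `slapadd -n 0 -F /etc/ldap/slapd.d -l config-mdb.ldif`, `slapadd -n 2 -F /etc/ldap/slapd.d -l data.ldif`, fix ownership with `chown -R openldap:openldap` on both directories, and start slapd. Afterwards `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=*` should show `{2}mdb`, and the same search against `cn=config` for `olcTLSVerifyClient` confirms the global TLS setting took effect, which the database-level modify in the thread never could.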