On Thu, Oct 30, 2014 at 08:11:31AM -0300, Net Warrior wrote:

> 1 ) Added tls_reqcert demand to the client side
> 2 ) Configured a user to bind instead of anonymous
>      binddn cn=ldapuser,Ou=Users,dc=server,dc=com
>      bindpwd  :$6$oZ8qYohy$lU0sYJXInOO1ISO4WKgzeuDyyFh9a

Good.

> 3 ) Added olcTLSVerifyClient:demand to server side:

I suspect that you do not want that. It would force every client to
have a client-side X.509 certificate. Good for secure authentication,
but more effort to manage than most people are prepared to handle.

> Object added to server:
>
> dn: olcDatabase={2}bdb,cn=config
> changetype:modify
> add: olcTLSVerifyClient:demand
>
> Still I did not corrected my ACL but I do not see olcTLSVerifyClient:demand
> reflected on my configuration

That is because you tried to add it to a database but it is a global option.


Are you really using the BDB database? It has been deprecated for some time now.
I would suggest using MDB.

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------