On Friday 25 July 2008 01:13:37 John Oliver wrote:
> On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > Any client will need to know about the CA that signed your self-signed cert.
> I created my certificate with:
> openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 3650
> In slapd.conf I have:
> TLSCertificateFile /etc/ssl/ldap.pem
> TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> TLSCACertificateFile /etc/ssl/ldap.pem
> What do I need to do differently?
Configure the *client* ??? Look at the TLS_CACERT directive in the ldap.conf(5) man page, and the tls_cacertfile directive in the pam_ldap(5) and nss_ldap(5) man pages (if your pam_ldap/nss_ldap is new enough to have man pages).
Now, unless you've split the cert out separately, you're most likely going to be exposing the private key as well, which means there's pretty much no point to your encryption ....
Regards, Buchan
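Added example, not part of the thread or of OpenLDAP itself: a small Python script that does what the reply above asks for. It splits a PEM file that holds both a private key and a certificate into a certificate-only file (the one to point TLSCACertificateFile and the clients' TLS_CACERT at) and a key file that stays on the server with mode 0600, and it checks that the file you are about to hand to clients contains no private key of any flavour. The PEM bodies below are constructed placeholders, not a real key or certificate; the paths and the ldaps:// URI are assumed for illustration.

```python
"""Split a combined key+cert PEM and check what is safe to ship to LDAP clients.

Added example: not OpenLDAP code. The PEM bodies are constructed placeholders.
"""
import os
import re
import tempfile

# One PEM block; the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----\r?\n?",
    re.DOTALL,
)

# Labels OpenSSL uses for private keys (PKCS#8, legacy RSA/DSA/EC, encrypted PKCS#8).
PRIVATE_KEY_LABELS = frozenset({
    "PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
    "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
})

# Constructed sample: what /etc/ssl/ldap.pem looks like when key and cert were
# written into one file. These bodies are NOT a real key or certificate.
COMBINED_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCconstructed00\n"
    "-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDazCCAlOgAwIBAgIUconstructedNotARealCertificate000000000000\n"
    "-----END CERTIFICATE-----\n"
)


def pem_blocks(text):
    """Return (label, block_text) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def split_pem(text):
    """Separate certificates from private keys. Returns (cert_pem, key_pem).

    Other block types (CRLs, DH parameters, ...) are dropped rather than
    passed through, so nothing unexpected ends up in the CA file.
    """
    certs, keys = [], []
    for label, block in pem_blocks(text):
        if label == "CERTIFICATE":
            certs.append(block)
        elif label in PRIVATE_KEY_LABELS:
            keys.append(block)
    return "".join(certs), "".join(keys)


def safe_for_clients(text):
    """True if text may be distributed as a CA bundle: at least one certificate
    and no private key block of any kind."""
    labels = [label for label, _ in pem_blocks(text)]
    return "CERTIFICATE" in labels and not any(l in PRIVATE_KEY_LABELS for l in labels)


def client_ldap_conf(uri, cacert):
    """ldap.conf(5) fragment telling libldap which CA to trust and to insist on
    a valid server certificate (TLS_REQCERT demand)."""
    return f"URI {uri}\nTLS_CACERT {cacert}\nTLS_REQCERT demand\n"


def split_file(src, cert_out, key_out):
    """Read a combined PEM and write cert and key to separate files.

    The key file is created with mode 0600 so only the slapd user can read it.
    Refuses to proceed if the source holds no certificate or no key.
    """
    with open(src, "r", encoding="ascii") as f:
        cert_pem, key_pem = split_pem(f.read())
    if not cert_pem or not key_pem:
        raise ValueError(f"{src}: expected both a certificate and a private key")
    with open(cert_out, "w", encoding="ascii") as f:
        f.write(cert_pem)
    fd = os.open(key_out, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as f:
        f.write(key_pem)
    return cert_out, key_out


if __name__ == "__main__":
    # Demo in a temporary directory; paths mirror the thread's layout (assumed).
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "ldap.pem")
        with open(src, "w", encoding="ascii") as f:
            f.write(COMBINED_PEM)
        cert, key = split_file(src, os.path.join(d, "ldap-cert.pem"),
                               os.path.join(d, "ldap-key.pem"))
        with open(cert, encoding="ascii") as f:
            print("cert file safe for clients:", safe_for_clients(f.read()))
        print("key file mode:", oct(os.stat(key).st_mode & 0o777))
        print(client_ldap_conf("ldaps://ldap.example.com", "/etc/ssl/ldap-cert.pem"))
```

Point TLSCertificateFile and TLSCACertificateFile at the certificate-only output, TLSCertificateKeyFile at the key file, and copy only the certificate-only file to clients for TLS_CACERT (or tls_cacertfile in pam_ldap/nss_ldap). Run the `safe_for_clients` check on whatever you are about to distribute; if it returns False, the file still carries a private key.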