I have authentication working using TLS on my RH5 servers with openldap 2.3, but was looking for some clarification on the TLS directives in slapd.conf. Most of what I have seen and read states to generate the key and cert (can be done a number of ways) and update the following directives:
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
Which I have done using "make ldap.pem" in the pki directory on the Red Hat server. Both the key and the cert are in a single file. The directives now read:
TLSCACertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateFile /etc/pki/tls/certs/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.pem
I place the cert section in the client ldap.conf and all seems to work fine. My question is, what is the function of the TLSCACertificateFile directive? I can comment out the directive and authentication still works fine; it appears to have no effect on operation.
Both TLSCertificateFile and TLSCertificateKeyFile seem to be required if either one of the directives is used.
The man page explanation says it "contains certificates for all of the Certificate Authorities that slapd will recognize." I'm not sure how TLSCACertificateFile should be used, if at all. Just trying to understand how the directive should be implemented.
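The checks below are an added example, not part of the original post. TLSCACertificateFile is the bundle slapd uses when it has to verify a certificate presented to it (a client certificate, under TLSVerifyClient), so it can be commented out without effect as long as only the clients verify the server. The script builds a throwaway CA and server certificate with openssl (all names, paths and the combined key-plus-cert ldap.pem layout are constructed for the demo), then shows the two things worth confirming about such a file: that the key and certificate in the combined PEM belong together, and that the certificate verifies against the intended CA bundle and not against an unrelated one.

```shell
#!/bin/sh
# Added example: exercise the trust relationships behind slapd's TLS directives
# using only the openssl CLI. Everything here is a constructed, throwaway PKI.
set -eu
WORK=$(mktemp -d)   # scratch directory; remove it when done

# Build a test CA, a server key/cert signed by it, and a combined ldap.pem
# (private key first, then certificate, as the post describes), plus an
# unrelated CA that did not sign the server cert.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -out "$WORK/srv.csr" -subj "/CN=ldap.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/srv.crt" -days 1 >/dev/null 2>&1
  cat "$WORK/srv.key" "$WORK/srv.crt" > "$WORK/ldap.pem"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -subj "/CN=Unrelated CA" -days 1 >/dev/null 2>&1
}

# Returns 0 when the private key and certificate in a combined PEM file
# ($1) carry the same public key, i.e. TLSCertificateFile and
# TLSCertificateKeyFile may legitimately point at the same file.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 when the certificate in $2 (plain or combined PEM) chains to a CA
# in the bundle $1; this is the check a peer performs with a CA file like the
# one TLSCACertificateFile names.
chain_ok() {
  openssl x509 -in "$2" 2>/dev/null | openssl verify -CAfile "$1" >/dev/null 2>&1
}

# Stand-alone run: build the PKI and report the three checks.
make_pki
key_matches_cert "$WORK/ldap.pem" && echo "key and cert in ldap.pem match"
chain_ok "$WORK/ca.crt" "$WORK/ldap.pem" && echo "cert verifies against its own CA"
if chain_ok "$WORK/other.crt" "$WORK/ldap.pem"; then
  echo "unexpected: cert verified against an unrelated CA"
else
  echo "cert correctly rejected by an unrelated CA"
fi
rm -rf "$WORK"
```

The same distinction applies on the live server: if ldap.pem holds the server's own key and cert, pointing TLSCACertificateFile at it only makes slapd trust that one certificate as a CA, which is why a real deployment points it at the bundle containing the issuing CA instead.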