On 11/06/2010, at 7:27 PM, Jérémy ESCOLANO wrote:
According to what you are saying, which certificate does Apache have to verify? The CA certificate, the Apache server certificate, or the LDAP certificate? Thank you for your information; it helps me understand better.
It should be the LDAP CA certificate in this case, as Apache needs to be aware of the LDAP CA.
2010/6/11 Dieter Kluenter dieter@dkluenter.de
On Fri, 11 Jun 2010 10:53:59 +0200, Jérémy ESCOLANO jeremyescolano@gmail.com wrote:
Hi, thank you for replying.
I went a bit deeper into my problem. I can now do LDAPS, but without verifying the certificate. Here is what I did:
on the openLDAP server:
--->slapd.conf
TLSCertificateFile ./ssl2/srvLDAP.cer
TLSCertificateKeyFile ./ssl2/srvLDAP.key
TLSCACertificateFile ./ssl2/cacert.cer
TLSVerifyClient never
--->ldap.conf
TLS_CACERT ./ssl2/cacert.cer
TLS_REQCERT never
Then ran my service using: slapd -h "ldap:/// ldaps:///" -d 1
That's all for the OpenLDAP server, but it is not enough for Apache.
On the Apache server I created a folder C:\openldap\sysconf; in this directory I created openldap.conf, which contains:
TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT never
(with cacert.cer in c:\openldap\sysconf\ssl)
It works from now BUT does NOT verify the certificate.
[...]
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
connection_read(1176): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=1176 for close
connection_close: conn=0 sd=1176
The question is now: how can I configure my certificate on the Apache SERVER so that I can do LDAPS from PHP and the certificates are verified? (I know I should ask this on the Apache list too.)
Bear in mind that Apache is an LDAP client here, so configure the LDAP client to verify the server certificate, and not the server to verify a client certificate.
-Dieter
-- Dieter Klünter | Systemberatung sip: +49.40.20932173 http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
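Dieter's point is that certificate verification for this setup is a client-side setting: the `TLS_REQCERT never` in the client's openldap.conf is exactly what switches it off. As an added example (mine, not code from the thread or from the OpenLDAP project), here is a small Python audit of an ldap.conf-style client configuration using the `TLS_REQCERT` semantics documented in ldap.conf(5): `never`, `allow` and `try` let the connection proceed when the server certificate is missing or does not verify, while `demand` (the default) and `hard` reject it. The first constructed configuration mirrors the thread's client settings; the second is the verifying equivalent, with a placeholder absolute path for the CA file. It also flags relative `TLS_CACERT` paths, which the client library resolves against the working directory of the process that loads it (here Apache), not against the configuration file.

```python
"""Audit an OpenLDAP client configuration for server-certificate verification.

Added example, not from the mailing-list thread. Both configurations below are
constructed; the CA file path in HARDENED_CONF is a placeholder.
"""
import re
from typing import Dict, List

# TLS_REQCERT values from ldap.conf(5). With the first group the connection
# proceeds even when the server certificate is missing or fails to verify.
ACCEPTING = {"never", "allow", "try"}
VERIFYING = {"demand", "hard"}   # "hard" is documented as equivalent to "demand"

# Constructed client config mirroring the thread: LDAPS works, nothing is verified.
WEAK_CONF = """\
TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT never
"""

# Constructed hardened config; absolute path to the CA that signed the slapd cert.
HARDENED_CONF = """\
# trust anchor for the slapd certificate (placeholder path)
TLS_CACERT /etc/openldap/certs/cacert.cer
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf-style text: one 'DIRECTIVE value' per line, whole-line
    '#' comments, blank lines ignored, directive names case-insensitive.
    A later occurrence of a directive overrides an earlier one."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a directive without a value carries no setting
        directives[parts[0].upper()] = parts[1].strip()
    return directives


def is_absolute(path: str) -> bool:
    """Absolute on POSIX (/...) or Windows (C:\\... or a \\\\server\\share UNC path)."""
    return path.startswith(("/", "\\\\")) or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def audit_client_tls(text: str) -> List[str]:
    """Return findings for an ldap.conf text. An empty list means the client
    will refuse a slapd whose certificate does not chain to the configured CA."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []

    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # "demand" is the documented default
    if reqcert in ACCEPTING:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    elif reqcert not in VERIFYING:
        findings.append(f"TLS_REQCERT {reqcert}: unknown value")

    ca_file = conf.get("TLS_CACERT")
    ca_dir = conf.get("TLS_CACERTDIR")
    if not ca_file and not ca_dir:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor, verification cannot succeed")
    for name, path in (("TLS_CACERT", ca_file), ("TLS_CACERTDIR", ca_dir)):
        if path and not is_absolute(path):
            findings.append(
                f"{name} {path}: relative path, resolved against the client process's working directory"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_client_tls(conf) or ["ok"])
```

Run it as-is and the thread's configuration produces two findings (the `never` setting and the relative CA path) while the hardened one produces none. The same parser applies to the Windows-side openldap.conf from the thread, since it uses the same directive syntax.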