Hi, I have a question on using TLS with LDAP. Hopefully somebody could give a hint on this.
On the client side, I have set TLS_REQCERT to demand. TLS_CACERTDIR is also set, but I didn't put any certificate in the directory.
To my surprise, even though no certificate is provided, ldapsearch could still succeed in returning the data.
Is this a bug?
OpenLDAP is running on Red Hat Enterprise Linux 4; the OpenLDAP packages are openldap-servers-sql-2.2.13-12.el4, openldap-servers-2.2.13-12.el4, openldap-devel-2.2.13-12.el4, openldap-2.2.13-12.el4 and openldap-clients-2.2.13-12.el4.
Any idea is appreciated!
Thanks, Lei
leilei175@gmail.com writes:
> On the client side, I have set TLS_REQCERT to demand. TLS_CACERTDIR is also set, but I didn't put any certificate in the directory.
> To my surprise, even though no certificate is provided, ldapsearch could still succeed in returning the data.
> Is this a bug?
Maybe the root certificate is installed with OpenSSL's default certs.
Those are used if and only if you specify TLS_CACERT - or TLS_CACERTDIR I presume, but I haven't tested that. See: http://www.openldap.org/its/?findid=5582
Hi Lei,
What is the command line you are using with ldapsearch?
You need to specify -Z to start TLS and use certs.
From man ldapsearch:
-Z Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
Give it a try.
On Wed, Oct 21, 2009 at 4:28 AM, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:
> leilei175@gmail.com writes:
>> On the client side, I have set TLS_REQCERT to demand. TLS_CACERTDIR is also set, but I didn't put any certificate in the directory.
>> To my surprise, even though no certificate is provided, ldapsearch could still succeed in returning the data.
>> Is this a bug?
> Maybe the root certificate is installed with OpenSSL's default certs.
> Those are used if and only if you specify TLS_CACERT - or TLS_CACERTDIR I presume, but I haven't tested that. See: http://www.openldap.org/its/?findid=5582
> -- Hallvard
openldap-technical@openldap.org
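The two replies above make separate points: Hallvard's, that a "successful" search says nothing about certificate verification unless a CA source is actually configured (or OpenSSL's default store silently supplies one), and the second, that without -Z/-ZZ ldapsearch never negotiates StartTLS at all. The following script is an added example, not code from the thread or from the OpenLDAP project: it reads a client ldap.conf, classifies whether the configured TLS_REQCERT / TLS_CACERT / TLS_CACERTDIR combination would really verify the server, and only then runs ldapsearch with -ZZ so a failed StartTLS cannot be mistaken for success. It assumes the standard "KEY value" ldap.conf syntax, PEM CA files, OpenLDAP's default of "demand" for an unset TLS_REQCERT, and the LDAPCONF environment variable for selecting the config file; the host and base DN in tls_search are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect an OpenLDAP client's
# ldap.conf before trusting a "successful" ldapsearch over TLS, and report
# whether that configuration would actually verify the server certificate.
# Assumptions: standard "KEY value" ldap.conf syntax; CA material is PEM;
# OpenLDAP's default for an unset TLS_REQCERT is "demand". As the thread
# notes, OpenSSL's built-in default CA store may still supply a root, so
# "no-ca" means "no CA configured here", not "verification impossible".

# Print the value of one ldap.conf key (case-insensitive, first match).
# Commented lines never match because "#KEY" is not equal to "KEY".
ldapconf_get() {
    awk -v key="$2" 'toupper($1) == toupper(key) && NF >= 2 { print $2; exit }' "$1"
}

# Count files in a TLS_CACERTDIR that actually contain a PEM certificate.
# An existing but empty directory, as in the original question, yields 0.
count_ca_files() {
    n=0
    if [ -d "$1" ]; then
        for f in "$1"/*; do
            if [ -f "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
                n=$((n + 1))
            fi
        done
    fi
    echo "$n"
}

# Classify a config: "lenient" (server cert is not verified), "ok"
# (verification requested and a CA is configured) or "no-ca" (verification
# requested but nothing in TLS_CACERT / TLS_CACERTDIR to verify against).
check_tls_config() {
    conf=$1
    reqcert=$(ldapconf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    reqcert=${reqcert:-demand}          # OpenLDAP default when unset
    cacert=$(ldapconf_get "$conf" TLS_CACERT)
    cacertdir=$(ldapconf_get "$conf" TLS_CACERTDIR)

    case $reqcert in
        never|allow)
            echo lenient
            return 0
            ;;
    esac
    if [ -n "$cacert" ] && [ -f "$cacert" ] && grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo ok
        return 0
    fi
    if [ -n "$cacertdir" ] && [ "$(count_ca_files "$cacertdir")" -gt 0 ]; then
        echo ok
        return 0
    fi
    echo no-ca
}

# Run ldapsearch with StartTLS made mandatory (-ZZ), selecting the given
# ldap.conf through the LDAPCONF environment variable, but only after the
# config check passes. Host and base DN are hypothetical placeholders.
tls_search() {
    conf=$1
    verdict=$(check_tls_config "$conf")
    if [ "$verdict" != ok ]; then
        echo "refusing to search: client TLS config is '$verdict'" >&2
        return 1
    fi
    LDAPCONF="$conf" ldapsearch -ZZ -x -H ldap://ldap.example.test \
        -b dc=example,dc=test '(objectClass=*)'
}
```

With a plain -Z, a StartTLS failure is tolerated and the search continues in clear, which is exactly the situation where a populated result set proves nothing about the transport; -ZZ turns that failure into a hard error, and the config check above catches the case from the question, where TLS_REQCERT demands a certificate but the CA directory is empty.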