Hello,
is there any way to bind an ldap server using user certificates rather than user/password ?
I have experimented with that using "bindmethod=sasl" and "saslmech=external" "tls_cacert=CAFILE" and "tls_cert=PROXYUSERFILE" in olcSyncRepl section, but I would like to also be able to bind ldap with a personal certificate rather than with a "user/passwd" when using ldapsearch for example.
How should I configure my "ldap.conf" and call "ldapsearch" to bind as such ?
Thanks
--- Olivier
On 03/26/12 17:38 +0200, Olivier wrote:
> Hello,
> is there any way to bind an ldap server using user certificates rather than user/password ?
> I have experimented with that using "bindmethod=sasl" and "saslmech=external" "tls_cacert=CAFILE" and "tls_cert=PROXYUSERFILE" in olcSyncRepl section, but I would like to also be able to bind ldap with a personal certificate rather than with a "user/passwd" when using ldapsearch for example.
> How should I configure my "ldap.conf" and call "ldapsearch" to bind as such ?
Add to your ~/.ldaprc:
SASL_MECH EXTERNAL
TLS_CERT <filename>
TLS_KEY <key>
TLS_REQCERT <level>
and in your global ldap.conf (or ~/.ldaprc), configure TLS_CACERT and other appropriate defaults.
Also configure TLSVerifyClient/olcTLSVerifyClient on the server.
See ldap.conf(5) and slapd-config(5) for details.
openldap-technical@openldap.org
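As an added illustration of the reply above (this is not code from the thread or from OpenLDAP), the script below writes the per-user ldaprc that the reply describes, checks that every directive needed for SASL EXTERNAL is present, and prints the matching ldapsearch and ldapwhoami invocations plus the server-side olcTLSVerifyClient LDIF. Host name, base DN and certificate paths are placeholders; ldapwhoami is used because it shows the authorization DN slapd derived from the certificate subject, which is the quickest way to confirm the bind really used the certificate and not an anonymous fallback.

```shell
#!/bin/sh
# Added example, not from the original thread. All paths, host names and
# DNs are assumed placeholders; adjust them to the deployment at hand.

# write_ldaprc OUTFILE CERT KEY CACERT
# Emits the per-user ldaprc directives from the reply: SASL EXTERNAL plus
# the client certificate/key, and the CA used to verify the server.
write_ldaprc() {
  out="$1"; cert="$2"; key="$3"; cacert="$4"
  cat > "$out" <<EOF
# Use the TLS client certificate as the SASL identity (no -D/-w needed)
SASL_MECH EXTERNAL
TLS_CERT $cert
TLS_KEY $key
# Verify the server certificate against this CA; demand = fail if it does not verify
TLS_CACERT $cacert
TLS_REQCERT demand
EOF
}

# check_ldaprc FILE
# Returns 0 only if every directive required for certificate binds is set
# and the mechanism is EXTERNAL; a missing TLS_KEY or wrong SASL_MECH is
# the usual reason ldapsearch silently falls back to an anonymous bind.
check_ldaprc() {
  f="$1"
  for d in SASL_MECH TLS_CERT TLS_KEY TLS_CACERT TLS_REQCERT; do
    grep -q "^$d " "$f" || return 1
  done
  grep -q '^SASL_MECH EXTERNAL$' "$f"
}

# search_cmd URI BASE
# -ZZ forces StartTLS (fails if TLS cannot be established), -Y EXTERNAL
# selects the SASL mechanism so the certificate supplies the identity.
search_cmd() {
  printf 'ldapsearch -ZZ -Y EXTERNAL -H %s -b %s "(objectClass=*)"\n' "$1" "$2"
}

# whoami_cmd URI
# Prints the command that reports the DN slapd mapped the certificate to.
whoami_cmd() {
  printf 'ldapwhoami -ZZ -Y EXTERNAL -H %s\n' "$1"
}

# server_ldif
# LDIF for ldapmodify against cn=config: make slapd request and verify the
# client certificate (the TLSVerifyClient/olcTLSVerifyClient the reply mentions).
server_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
EOF
}

# Demo run only when explicitly asked for, so sourcing the file has no side effects.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_ldaprc "$tmp/ldaprc" /etc/ssl/private/olivier.pem /etc/ssl/private/olivier.key /etc/ssl/certs/ca.pem
  check_ldaprc "$tmp/ldaprc" && echo "ldaprc complete:" && cat "$tmp/ldaprc"
  echo "Client commands:"
  search_cmd ldap://ldap.example.com dc=example,dc=com
  whoami_cmd ldap://ldap.example.com
  echo "Server LDIF (apply with ldapmodify -Y EXTERNAL -H ldapi:///):"
  server_ldif
  rm -rf "$tmp"
fi
```

Run with `sh script.sh --demo`, then copy the generated file to `~/.ldaprc`. If ldapwhoami prints `anonymous` instead of a `dn:` line, the certificate was not presented or not accepted, and the server-side log for the TLS handshake is the place to look.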