[Fedora-directory-users] TLS for dummies
Pierangelo Masarati
ando at sys-net.it
Fri Dec 9 21:20:20 UTC 2005
>
>>My thinking is that this somehow has something to do with the TLS_CACERT
>>in /etc/openldap/ldap.conf (the certificate for the client).
>>
>>
> In general most folk don't need client certs, but AFAIK the openldap
> ldapsearch
> _requires_ that you present a client cert.
by default, yes. That's what we call a "safe" default. If you specify
"TLS_REQCERT never", as documented in ldap.conf(5), that does the trick.
>
>>Would this be the issue?
>>
>>
> Probably yes. Shouldn't you be using a user-specific ldap.conf for your
> client-side config ?
>
>>Is there a better method for creating the client certificate from either
>>the CA certificate (generated by openssl) or from the FDS Server
>>Certificate (also generated by openssl)?
>>
>>
> Provided the client cert was signed by the same CA as the server cert,
> you should be ok. The client cert has no relationship per se with the
> server cert.
If the client's CA is not the same as the server's CA, you need the server
to know about the CA's cert, and let it know it's trusted. I don't know
the details for FDS, though. Note that if the client is to verify the
srrver's CA, the same issue with reversed players arises.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati at sys-net.it
Ing. Pierangelo Masarati
Responsabile Open Solution
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati at sys-net.it
------------------------------------------
More information about the Fedora-directory-users
mailing list