[Fedora-directory-users] TLS for dummies
Howard Chu
hyc at symas.com
Sat Dec 10 05:19:05 UTC 2005
fedora-directory-users-request at redhat.com wrote:
> Date: Fri, 09 Dec 2005 12:31:01 -0700
> From: David Boreham <david_list at boreham.org>
>
>
>> My thinking is that this somehow has something to do with the TLS_CACERT
>> in /etc/openldap/ldap.conf (the certificate for the client).
>>
>>
>>
> In general most folk don't need client certs, but AFAIK the openldap
> ldapsearch _requires_ that you present a client cert.
>
Wrong. Client certs are only needed if you want to do certificate-based
client authentication, and the default settings do not require them. Of
course, the TLS_CACERT directive, as the name suggests, is for setting
the path to the CA cert, and by default it *is* required. I think your
terminology is imprecise here, so that may be confusing the issue.
>> Would this be the issue?
>>
>>
>>
> Probably yes. Shouldn't you be using a user-specific ldap.conf for your
> client-side config ?
>
>
>> Is there a better method for creating the client certificate from either
>> the CA certificate (generated by openssl) or from the FDS Server
>> Certificate (also generated by openssl)?
>>
>>
>>
> Provided the client cert was signed by the same CA as the server cert,
> you should be ok. The client cert has no relationship per se with the
> server cert.
>
Again, the poster was referring to the CA cert on the client, not a
"client cert," so dragging that into the discussion is only muddying things.
Note that the original poster used TLS_CACERT and TLS_CACERTDIR and the
OpenLDAP docs specifically state to use only one or the other, and in
general, not to use TLS_CACERTDIR at all. This is the real error;
TLS_CACERT must be a fully qualified path to a certificate file.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
More information about the Fedora-directory-users
mailing list