using tls in openldap
leilei175 at gmail.com
Mon Sep 28 08:40:45 UTC 2009
Hi
I have a question on the usage of tls in openldap.
I have set my ldap.conf file as
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
In my understanding, "TLS_REQCERT demand" would ensure that a
certificate is requested. If no certificate is provided,
the session should be immediately terminated.
I didn't put any certificate in /etc/openldap/cacerts directory, but
ldapsearch succeeded without any error.
If I remove the line "TLS_CACERTDIR /etc/openldap/cacerts", with
everything else the same, ldapsearch would fail with:

    ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I don't understand why this would happen.
Without setting TLS_CACERTDIR, ldapsearch would fail. Setting
TLS_CACERTDIR to an empty directory, ldapsearch works fine.
Is this the expected behavior or a bug?
Any suggestion is appreciated.
Thanks
lei
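The post compares two client configurations (TLS_REQCERT demand with no TLS_CACERTDIR, and the same with TLS_CACERTDIR pointing at an empty directory). The following checker is an added example, not code from the poster or from the OpenLDAP project: it parses an ldap.conf body, reports a TLS_REQCERT value weaker than demand, a missing trust anchor, a TLS_CACERTDIR that is absent or empty, and a CA directory whose files are not hash-named (OpenSSL only finds CA certificates in a directory through c_rehash/openssl rehash names). The directories and the placeholder certificate file in demo() are constructed for the example; the placeholder is not a real certificate. The check says nothing about why the poster's ldapsearch succeeded; it only makes the trust-anchor state of a given ldap.conf visible before relying on it.

```python
"""Lint an OpenLDAP client ldap.conf for TLS trust-anchor problems.

Added example: checks TLS_REQCERT, TLS_CACERT and TLS_CACERTDIR and reports
configurations in which the client cannot actually verify a server
certificate, including the case from the post (TLS_CACERTDIR set to an
empty directory).
"""
import os
import re
import tempfile

# TLS_REQCERT values under which libldap proceeds without a verified server cert.
WEAK_REQCERT = {"never", "allow", "try"}
# OpenSSL directory lookups need c_rehash-style names: <8 hex digits>.<n> or .r<n>.
HASHED_NAME = re.compile(r"[0-9a-f]{8}\.r?\d+")


def parse_ldap_conf(text):
    """Return {KEY: value} for an ldap.conf body.

    Keys are case-insensitive, '#' starts a comment, and the value is the
    rest of the line after the first run of whitespace (ldap.conf format).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def ca_dir_status(path):
    """Classify a TLS_CACERTDIR: 'missing', 'empty', 'unhashed' or 'ok'."""
    if not os.path.isdir(path):
        return "missing"
    files = [n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))]
    if not files:
        return "empty"
    if not any(HASHED_NAME.fullmatch(n) for n in files):
        return "unhashed"
    return "ok"


def audit(settings):
    """Return a list of finding strings; an empty list means no problem found."""
    findings = []
    # ldap.conf(5): TLS_REQCERT defaults to demand when not set.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not enforced")
    cacert = settings.get("TLS_CACERT")
    cacertdir = settings.get("TLS_CACERTDIR")
    if not cacert and not cacertdir:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no trust anchors configured")
    if cacert and not os.path.isfile(cacert):
        findings.append(f"TLS_CACERT {cacert}: file does not exist")
    if cacertdir:
        status = ca_dir_status(cacertdir)
        if status in ("missing", "empty"):
            findings.append(f"TLS_CACERTDIR {cacertdir}: directory is {status}, no CA can be trusted")
        elif status == "unhashed":
            findings.append(f"TLS_CACERTDIR {cacertdir}: no hash-named entries, run c_rehash")
    return findings


def demo():
    """Run audit() over the post's empty-directory configuration and a corrected one.

    Returns (findings_for_empty_dir, findings_for_populated_dir).
    """
    with tempfile.TemporaryDirectory() as root:
        empty_dir = os.path.join(root, "cacerts")       # constructed stand-in for /etc/openldap/cacerts
        os.mkdir(empty_dir)
        posted = f"TLS_CACERTDIR {empty_dir}\nTLS_REQCERT demand\n"

        good_dir = os.path.join(root, "cacerts-ok")
        os.mkdir(good_dir)
        # Constructed placeholder with a c_rehash-style name; not a real certificate.
        with open(os.path.join(good_dir, "a1b2c3d4.0"), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        fixed = f"TLS_CACERTDIR {good_dir}\nTLS_REQCERT demand\n"

        return audit(parse_ldap_conf(posted)), audit(parse_ldap_conf(fixed))


if __name__ == "__main__":
    for label, findings in zip(("empty cacerts dir", "populated cacerts dir"), demo()):
        print(f"{label}: {findings or 'no findings'}")
```

Running the module prints one finding for the empty directory and none for the populated one; pointing audit(parse_ldap_conf(...)) at a real ldap.conf and the real TLS_CACERTDIR path gives the same classification for a live client.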
More information about the redhat-list mailing list