[CentOS] LDAP Server Access Problem
Paul R. Ganci
ganci at nurdog.com
Sun Feb 28 17:07:13 UTC 2010
On Sun, 2010-02-21 at 23:23 -0700, Craig White wrote:
> Note that ldap 'client' applications like ldapsearch
> use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
> used by the 2 machines are different.
I thought I would follow up on this problem. I did finally get the
ldapsearch to function properly on the remote machine. However, I am
puzzled as to what I had to do to get it to work. I originally never
set up a certificate for the client as I did not think they were needed.
In my /etc/openldap/slapd.conf file I had to set up the LDAP server with
the following:
TLSVerifyClient never
I had the initial setup with
TLSVerifyClient allow
According to man slapd.conf:
TLSVerifyClient <level>
    Specifies what checks to perform on client certificates in an incoming
    TLS session, if any. The <level> can be specified as one of the
    following keywords:

    never   This is the default. slapd will not ask the client for a
            certificate.

    allow   The client certificate is requested. If no certificate is
            provided, the session proceeds normally. If a bad certificate is
            provided, it will be ignored and the session proceeds normally.

    try     The client certificate is requested. If no certificate is
            provided, the session proceeds normally. If a bad certificate is
            provided, the session is immediately terminated.

    demand | hard | true
            These keywords are all equivalent, for compatibility reasons.
            The client certificate is requested. If no certificate is
            provided, or a bad certificate is provided, the session is
            immediately terminated.

    Note that a valid client certificate is required in order to use
    the SASL EXTERNAL authentication mechanism with a TLS session.
    As such, a non-default TLSVerifyClient setting must be chosen to
    enable SASL EXTERNAL authentication.
Note that according to the documentation the original setup should have
worked properly. Why doesn't "allow" work?
--
Paul (ganci at nurdog.com)
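As an added example (not part of the thread, and not OpenLDAP's own code), the following Python script audits an slapd.conf for the TLSVerifyClient directive discussed above. It maps each level to the behaviour quoted from slapd.conf(5), folds the documented aliases demand/hard/true into one value, treats an absent directive as the documented default "never", and reports whether the chosen level actually enforces client certificates and whether SASL EXTERNAL is possible. The configuration text is a constructed sample, not the poster's real file; the assumptions that the last occurrence of a directive wins and that a line beginning with whitespace continues the previous line are mine.

```python
"""Audit the TLSVerifyClient level in an slapd.conf-style file (added example)."""

# Level semantics paraphrased from slapd.conf(5) as quoted in the thread.
# "demand", "hard" and "true" are documented as equivalent; normalize to "demand".
LEVEL_ALIASES = {"hard": "demand", "true": "demand"}
LEVEL_INFO = {
    # level:  (meaning, does slapd refuse sessions without a valid client cert?)
    "never":  ("client certificate is not requested", False),
    "allow":  ("certificate requested; missing or bad certificate is ignored", False),
    "try":    ("certificate requested; missing is fine, bad certificate ends the session", False),
    "demand": ("certificate requested; missing or bad certificate ends the session", True),
}

# Constructed sample configuration (file paths are placeholders, not a real deployment).
SAMPLE_SLAPD_CONF = """\
# constructed sample slapd.conf
include               /etc/openldap/schema/core.schema
TLSCACertificateFile  /etc/openldap/cacerts/ca.crt
TLSCertificateFile    /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSVerifyClient allow
access to *
        by * read
"""


def logical_lines(text):
    """Join continuation lines (assumption: a line starting with whitespace
    continues the previous one) and drop blank lines and '#' comments."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [ln for ln in joined if not ln.lstrip().startswith("#")]


def directives(text):
    """Yield (keyword lower-cased, remainder of line) for every directive."""
    for ln in logical_lines(text):
        parts = ln.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def verify_client_level(text):
    """Effective TLSVerifyClient level, aliases folded.
    'never' is the documented default when the directive is absent;
    assumption: the last occurrence wins if it appears more than once."""
    level = "never"
    for key, value in directives(text):
        if key == "tlsverifyclient" and value:
            level = value.split()[0].lower()
    return LEVEL_ALIASES.get(level, level)


def audit(text):
    """Summarize what the configured level does and does not enforce."""
    level = verify_client_level(text)
    if level not in LEVEL_INFO:
        raise ValueError(f"unknown TLSVerifyClient level: {level!r}")
    meaning, requires_cert = LEVEL_INFO[level]
    has_ca = any(k == "tlscacertificatefile" for k, _ in directives(text))
    return {
        "level": level,
        "meaning": meaning,
        "client_cert_required": requires_cert,
        # slapd.conf(5): a non-default level is needed for SASL EXTERNAL over TLS.
        "sasl_external_possible": level != "never",
        # Requesting client certificates only makes sense with a CA to check them against.
        "ca_file_configured": has_ca,
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_SLAPD_CONF).items():
        print(f"{key:24} {val}")
```

The point the table makes explicit: "never" and "allow" are both non-enforcing, since neither rejects a session for lacking a valid certificate; they differ only in whether slapd sends the certificate request, which is why a client with no certificate configured can still bind under either. Only "try" rejects a bad certificate, and only demand/hard/true insist on a valid one.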