On Sun, 2010-02-28 at 10:07 -0700, Paul R. Ganci wrote:
On Sun, 2010-02-21 at 23:23 -0700, Craig White wrote:
Note that ldap 'client' applications like ldapsearch use /etc/openldap/ldap.conf so I would suspect that the 'certificates' used by the 2 machines are different.
I thought I would follow up on this problem. I did finally get the ldapsearch to function properly on the remote machine. However, I am puzzled as to what I had to do to get it to work. I originally never set up a certificate for the client as I did not think they were needed. In my /etc/openldap/slapd.conf file I had to set up the LDAP server with the following:
TLSVerifyClient never
I had the initial setup with
TLSVerifyClient allow
According to man slapd.conf:
TLSVerifyClient <level> Specifies what checks to perform on client certificates in an incoming TLS session, if any. The <level> can be specified as one of the following keywords:
never
    This is the default. slapd will not ask the client for a certificate.
allow
    The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.
try
    The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
demand | hard | true
    These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.

Note that a valid client certificate is required in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default TLSVerifyClient setting must be chosen to enable SASL EXTERNAL authentication.
Note that according to the documentation the original setup should have worked properly. Why doesn't "allow" work?
---- do you mean other than the fact that this simply talks about TLS Client and that SSL is deprecated and generally ignored in the documentation?
SSL communication is different than TLS.
Craig
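Added example, not part of the thread above and not OpenLDAP project code: a small checker for the point Craig raises, that ldapsearch reads its TLS settings from /etc/openldap/ldap.conf on each client, so two machines can behave differently against the same slapd.conf. It parses the "Keyword value" format both files use, reports the effective TLSVerifyClient level (with the demand/hard/true aliases from man slapd.conf), diffs the TLS-related client settings of two machines, and flags combinations that cannot work (for example, a server set to demand against a client with no TLS_CERT/TLS_KEY, or a client with no CA trust configured while TLS_REQCERT is demand). The three configuration texts, the hostnames and the file paths in them are constructed for the example; the assumption that no trust store other than TLS_CACERT/TLS_CACERTDIR is consulted is marked in the code.

```python
"""Compare client-side OpenLDAP TLS settings (ldap.conf) across two machines
and check them against the server's TLSVerifyClient level (slapd.conf).
Added example; all configuration texts below are constructed."""

# TLSVerifyClient levels, summarised from man slapd.conf
VERIFY_LEVELS = {
    "never": "client certificate is not requested",
    "allow": "certificate requested; missing or bad certificate is ignored",
    "try": "certificate requested; missing is ignored, bad terminates the session",
    "demand": "certificate requested; missing or bad terminates the session",
}
VERIFY_ALIASES = {"hard": "demand", "true": "demand"}  # equivalent keywords

# client settings (man ldap.conf) that decide how ldapsearch sets up TLS
CLIENT_TLS_KEYS = ("uri", "tls_cacert", "tls_cacertdir",
                   "tls_cert", "tls_key", "tls_reqcert")


def parse_conf(text):
    """Parse 'Keyword value' lines as used by slapd.conf and ldap.conf.
    Comments and blank lines are skipped, keywords are case-insensitive
    (lower-cased here), and a repeated keyword keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def verify_level(server_conf):
    """Effective TLSVerifyClient level; 'never' is the documented default."""
    raw = server_conf.get("tlsverifyclient", "never").lower()
    return VERIFY_ALIASES.get(raw, raw)


def diff_client_tls(conf_a, conf_b):
    """Return {key: (value_a, value_b)} for TLS-related client settings that
    differ between two ldap.conf files; None means the key is not set."""
    return {k: (conf_a.get(k), conf_b.get(k))
            for k in CLIENT_TLS_KEYS if conf_a.get(k) != conf_b.get(k)}


def session_type(client_conf):
    """How TLS is started for the configured URI."""
    uri = client_conf.get("uri", "")
    if uri.startswith("ldaps://"):
        return "ldaps (TLS negotiated on connect)"
    return "ldap (TLS only via StartTLS, e.g. ldapsearch -ZZ)"


def check_client(client_conf, level):
    """Warnings for a client config given the server's TLSVerifyClient level."""
    warnings = []
    has_cert = "tls_cert" in client_conf and "tls_key" in client_conf
    if level == "demand" and not has_cert:
        warnings.append("server demands a client certificate but no "
                        "TLS_CERT/TLS_KEY is configured: session will be terminated")
    if level == "never" and has_cert:
        warnings.append("client certificate configured but server never requests "
                        "one: SASL EXTERNAL over TLS is unavailable")
    if "tls_cacert" not in client_conf and "tls_cacertdir" not in client_conf:
        # assumption: no other trust store is consulted by the client library
        if client_conf.get("tls_reqcert", "demand").lower() in ("demand", "hard"):
            warnings.append("no TLS_CACERT/TLS_CACERTDIR with TLS_REQCERT demand: "
                            "server certificate cannot be verified")
    return warnings


# constructed sample configurations
SLAPD_CONF = """
TLSCACertificateFile /etc/openldap/cacerts/ca.crt
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSVerifyClient allow
"""
LDAP_CONF_A = """
# machine where ldapsearch works
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
"""
LDAP_CONF_B = """
# remote machine: same URI, but no CA certificate configured
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_REQCERT demand
"""


def report(server_text, client_a_text, client_b_text):
    """Run all checks and return the findings as a list of lines."""
    level = verify_level(parse_conf(server_text))
    a, b = parse_conf(client_a_text), parse_conf(client_b_text)
    lines = [f"server TLSVerifyClient {level}: {VERIFY_LEVELS.get(level, 'unknown value')}"]
    for k, (va, vb) in diff_client_tls(a, b).items():
        lines.append(f"client setting differs: {k} = {va!r} vs {vb!r}")
    for name, conf in (("A", a), ("B", b)):
        lines.append(f"client {name}: {session_type(conf)}")
        lines.extend(f"client {name}: {w}" for w in check_client(conf, level))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SLAPD_CONF, LDAP_CONF_A, LDAP_CONF_B)))
```

Running it on the constructed configs shows the server at "allow" (which does not require a client certificate) and the only difference between the two clients being the missing TLS_CACERT on machine B, which with the default TLS_REQCERT demand leaves that client no trust anchor for the server certificate. The same functions can be pointed at the real /etc/openldap/ldap.conf of each machine by reading the files into strings.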