On Sun, 2010-02-21 at 23:23 -0700, Craig White wrote:
> Note that ldap 'client' applications like ldapsearch use /etc/openldap/ldap.conf so I would suspect that the 'certificates' used by the 2 machines are different.
I thought I would follow up on this problem. I did finally get ldapsearch to function properly on the remote machine. However, I am puzzled as to what I had to do to get it to work. I originally never set up a certificate for the client as I did not think they were needed. In my /etc/openldap/slapd.conf file I had to set up the LDAP server with the following:
TLSVerifyClient never
I had the initial setup with
TLSVerifyClient allow
According to man slapd.conf:
TLSVerifyClient <level>
       Specifies what checks to perform on client certificates in an incoming TLS session, if any. The <level> can be specified as one of the following keywords:

       never
              This is the default. slapd will not ask the client for a certificate.

       allow
              The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

       try
              The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.

       demand | hard | true
              These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.

       Note that a valid client certificate is required in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default TLSVerifyClient setting must be chosen to enable SASL EXTERNAL authentication.
Note that, according to the documentation, the original setup should have worked properly. Why doesn't "allow" work?
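One way to get a concrete answer to the question above is to look at the TLS handshake itself rather than at the setting. The script below is an added example for this thread, not code from the original poster or from the OpenLDAP project. It assumes the handshake was captured with `openssl s_client -msg` from a client that presents no certificate (the ldap.example.com:636 address is a placeholder), and the three sample transcripts embedded in it are constructed in the style of that output, not captures from a real slapd. The function names (requests_client_cert, handshake_failed, classify_verify_client) are this example's own. With a real capture it distinguishes a server at "never" (no CertificateRequest at all), at "demand"/"hard"/"true" (CertificateRequest followed by a fatal alert), and at "allow" or "try" (CertificateRequest, handshake still completes); the last two cannot be told apart from the client side without offering a bad certificate.

```shell
#!/bin/sh
# Added example, not from the original thread: classify a slapd's
# TLSVerifyClient level from an "openssl s_client -msg" transcript.
#
# Capture a transcript with a client that sends no certificate
# (host and port are placeholders):
#
#   openssl s_client -connect ldap.example.com:636 -msg </dev/null >handshake.txt 2>&1
#
# -msg prints every handshake message. Any TLSVerifyClient level other
# than "never" makes the server send CertificateRequest; with "demand"
# (or hard/true) and no client certificate the handshake ends in a fatal
# alert. "allow" and "try" look identical from a certificate-less client.

# Exit 0 if the transcript in $1 contains a CertificateRequest handshake message.
requests_client_cert() {
    grep -q 'Handshake.*CertificateRequest' "$1"
}

# Exit 0 if the transcript in $1 shows the handshake aborted by a fatal alert.
handshake_failed() {
    grep -q 'Alert \[length 0002\], fatal' "$1"
}

# Print the TLSVerifyClient level(s) consistent with a transcript taken
# from a client that offered no certificate.
classify_verify_client() {
    if ! requests_client_cert "$1"; then
        echo never
    elif handshake_failed "$1"; then
        echo demand
    else
        echo allow-or-try
    fi
}

# Constructed sample transcripts (abridged, in the style of s_client -msg
# output; they are not captures from a real server).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_NEVER="$SAMPLE_DIR/never.txt"
SAMPLE_ALLOW="$SAMPLE_DIR/allow.txt"
SAMPLE_DEMAND="$SAMPLE_DIR/demand.txt"

cat >"$SAMPLE_NEVER" <<'EOF'
>>> TLS 1.2 Handshake [length 00c4], ClientHello
<<< TLS 1.2 Handshake [length 0051], ServerHello
<<< TLS 1.2 Handshake [length 03a2], Certificate
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
>>> TLS 1.2 Handshake [length 0010], Finished
<<< TLS 1.2 Handshake [length 0010], Finished
EOF

cat >"$SAMPLE_ALLOW" <<'EOF'
>>> TLS 1.2 Handshake [length 00c4], ClientHello
<<< TLS 1.2 Handshake [length 0051], ServerHello
<<< TLS 1.2 Handshake [length 03a2], Certificate
<<< TLS 1.2 Handshake [length 0065], CertificateRequest
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
>>> TLS 1.2 Handshake [length 0007], Certificate
>>> TLS 1.2 Handshake [length 0010], Finished
<<< TLS 1.2 Handshake [length 0010], Finished
EOF

cat >"$SAMPLE_DEMAND" <<'EOF'
>>> TLS 1.2 Handshake [length 00c4], ClientHello
<<< TLS 1.2 Handshake [length 0051], ServerHello
<<< TLS 1.2 Handshake [length 03a2], Certificate
<<< TLS 1.2 Handshake [length 0065], CertificateRequest
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
>>> TLS 1.2 Handshake [length 0007], Certificate
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
EOF

# Classify each constructed transcript; run classify_verify_client on a
# real handshake.txt to check the live server.
for f in "$SAMPLE_NEVER" "$SAMPLE_ALLOW" "$SAMPLE_DEMAND"; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_verify_client "$f")"
done
```

Against a real capture, a transcript that shows CertificateRequest but no Finished from the server and no alert points at the handshake stalling or being torn down on the server side, which is where slapd's own debug output (slapd -d) rather than the client's becomes the thing to read.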