[CentOS] LDAP Server Access Problem

Sun Feb 28 18:22:17 UTC 2010
Craig White <craigwhite at azapple.com>

On Sun, 2010-02-28 at 10:07 -0700, Paul R. Ganci wrote:
> On Sun, 2010-02-21 at 23:23 -0700, Craig White wrote:
> > Note that ldap 'client' applications like ldapsearch
> > use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
> > used by the 2 machines are different.
> 
> I thought I would follow up on this problem. I did finally get the
> ldapsearch to function properly on the remote machine. However, I am
> puzzled as to what I had to do to get it to work. I originally never
> set up a certificate for the client as I did not think they were needed.
> In my /etc/openldap/slapd.conf file I had to set up the LDAP server with
> the following:
> 
> TLSVerifyClient never
> 
> I had the initial setup with
> 
> TLSVerifyClient allow
> 
> According to man slapd.conf:
> 
> TLSVerifyClient <level>
>        Specifies what checks to perform on client certificates in  an  incoming
>        TLS  session,  if  any.   The  <level>  can  be  specified as one of the
>        following keywords:
> 
>        never  This is the default.   slapd  will  not  ask  the  client  for  a
>               certificate.
> 
>        allow  The  client  certificate  is  requested.   If  no  certificate is
>               provided, the session proceeds normally.  If a bad certificate is
>               provided, it will be ignored and the session proceeds normally.
> 
>        try    The  client  certificate  is  requested.   If  no  certificate is
>               provided, the session proceeds normally.  If a bad certificate is
>               provided, the session is immediately terminated.
> 
>        demand | hard | true
>               These  keywords  are  all  equivalent, for compatibility reasons.
>               The client  certificate  is  requested.   If  no  certificate  is
>               provided,  or  a  bad  certificate  is  provided,  the session is
>               immediately terminated.
> 
>               Note that a valid client certificate is required in order to  use
>               the  SASL  EXTERNAL  authentication mechanism with a TLS session.
>               As such, a non-default TLSVerifyClient setting must be chosen  to
>               enable SASL EXTERNAL authentication.
> 
> Note that according to the documentation the original setup should have
> worked properly. Why doesn't "allow" work?
----
do you mean other than the fact that this simply talks about TLS Client
and that SSL is deprecated and generally ignored in the documentation?

SSL communication is different than TLS.

Craig

