On Sun, 2010-02-21 at 23:23 -0700, Craig White wrote:
> Note that ldap 'client' applications like ldapsearch
> use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
> used by the 2 machines are different.

I thought I would follow up on this problem. I did finally get ldapsearch to function properly on the remote machine. However, I am puzzled as to what I had to do to get it to work. I originally never set up a certificate for the client, as I did not think one was needed.

In my /etc/openldap/slapd.conf file I had to set up the LDAP server with the following:

    TLSVerifyClient never

I had the initial setup with:

    TLSVerifyClient allow

According to man slapd.conf:

    TLSVerifyClient <level>
        Specifies what checks to perform on client certificates in an
        incoming TLS session, if any. The <level> can be specified as one
        of the following keywords:

        never   This is the default. slapd will not ask the client for a
                certificate.

        allow   The client certificate is requested. If no certificate is
                provided, the session proceeds normally. If a bad
                certificate is provided, it will be ignored and the
                session proceeds normally.

        try     The client certificate is requested. If no certificate is
                provided, the session proceeds normally. If a bad
                certificate is provided, the session is immediately
                terminated.

        demand | hard | true
                These keywords are all equivalent, for compatibility
                reasons. The client certificate is requested. If no
                certificate is provided, or a bad certificate is provided,
                the session is immediately terminated.

        Note that a valid client certificate is required in order to use
        the SASL EXTERNAL authentication mechanism with a TLS session. As
        such, a non-default TLSVerifyClient setting must be chosen to
        enable SASL EXTERNAL authentication.

Note that according to the documentation the original setup should have worked properly. Why doesn't "allow" work?

-- 
Paul (ganci at nurdog.com)