On Sun, 2010-02-28 at 10:07 -0700, Paul R. Ganci wrote:
> On Sun, 2010-02-21 at 23:23 -0700, Craig White wrote:
> > Note that ldap 'client' applications like ldapsearch
> > use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
> > used by the 2 machines are different.
>
> I thought I would follow up on this problem. I did finally get the
> ldapsearch to function properly on the remote machine. However, I am
> puzzled as to what I had to do to get it to work. I originally never
> set up a certificate for the client as I did not think they were needed.
> In my /etc/openldap/slapd.conf file I had to set up the LDAP server with
> the following:
>
> TLSVerifyClient never
>
> I had the initial setup with
>
> TLSVerifyClient allow
>
> According to man slapd.conf:
>
> TLSVerifyClient <level>
>        Specifies what checks to perform on client certificates in an incoming
>        TLS session, if any. The <level> can be specified as one of the
>        following keywords:
>
>        never  This is the default. slapd will not ask the client for a
>               certificate.
>
>        allow  The client certificate is requested. If no certificate is
>               provided, the session proceeds normally. If a bad certificate is
>               provided, it will be ignored and the session proceeds normally.
>
>        try    The client certificate is requested. If no certificate is
>               provided, the session proceeds normally. If a bad certificate is
>               provided, the session is immediately terminated.
>
>        demand | hard | true
>               These keywords are all equivalent, for compatibility reasons.
>               The client certificate is requested. If no certificate is
>               provided, or a bad certificate is provided, the session is
>               immediately terminated.
>
>        Note that a valid client certificate is required in order to use
>        the SASL EXTERNAL authentication mechanism with a TLS session.
>        As such, a non-default TLSVerifyClient setting must be chosen to
>        enable SASL EXTERNAL authentication.
>
> Note that according to the documentation the original setup should have
> worked properly. Why doesn't "allow" work?
----
do you mean other than the fact that this simply talks about TLS Client
and that SSL is deprecated and generally ignored in the documentation?
SSL communication is different than TLS.

Craig

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
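For readers following the TLSVerifyClient discussion above, here is an added configuration example (not from the thread, not from either poster) that puts the weak server setting beside the hardened one and shows what the client side in /etc/openldap/ldap.conf needs so that a client certificate is actually presented and the server certificate is actually validated. All file paths, host names and the example.com domain are assumptions; the directive names are the real ones documented in slapd.conf(5) and ldap.conf(5).

```conf
# ---- /etc/openldap/slapd.conf (server side) ----
# Constructed example: certificate and key paths are assumptions.
TLSCACertificateFile  /etc/openldap/cacerts/ca.crt
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key

# Weak: slapd never asks the client for a certificate, so the client is
# not authenticated by TLS at all and SASL EXTERNAL cannot be used.
#TLSVerifyClient never

# Hardened: the client must present a certificate that chains to
# TLSCACertificateFile; a missing or bad certificate ends the session.
TLSVerifyClient demand

# ---- /etc/openldap/ldap.conf (client side, read by ldapsearch etc.) ----
# CA that signed the *server* certificate, used to validate the server;
# TLS_REQCERT demand refuses to proceed if that validation fails.
TLS_CACERT  /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand

# Client certificate and key, presented when the server requests one.
# Without these the client sends nothing, whatever TLSVerifyClient says.
TLS_CERT    /etc/openldap/certs/client.crt
TLS_KEY     /etc/openldap/certs/client.key
```

With both halves in place, a check such as `ldapsearch -ZZ -x -H ldap://ldap.example.com -b dc=example,dc=com` (the `-ZZ` flag makes ldapsearch fail rather than fall back if StartTLS cannot be negotiated) exercises server validation and client-certificate presentation in one run; the host and base DN here are placeholders.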