client (non) verification of server SSL certs
Howdy!
I've successfully set up a slapd with SSL/TLS, both are working. I've
been using the openldap tools and GQ to query it, no problem.
The strange thing about it is that I created the CA on the slapd host
machine. I deliberately didn't tell my separate client machine about
the CA (i.e. in my RedHat /usr/share/ssl/cert.pem file there's no
mention of the CA I created on the slapd host). However, the clients,
both ldapsearch and GQ, don't seem to mind that they're talking to a
server using certs that can't be verified!
Reading through the SSL-related posts from the last several months, it
appears that the 'TLS_CACERT' variable in the /etc/openldap/ldap.conf
file should point to my /usr/share/ssl/cert.pem file, but setting or
not setting this makes no difference.
How do I control this behavior to ensure the client verifies the
server's certificates before continuing with the ldap query?
Thanks for your help!
John
--
John Morris
+852-9777-5286
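The behaviour John describes is governed by two client-side ldap.conf(5) keywords: TLS_CACERT (the trust anchor) and TLS_REQCERT (what to do when the server's certificate cannot be verified). The script below is an added example, not part of the original post or of OpenLDAP itself; it reads an ldap.conf and reports whether the client is actually configured to refuse unverified servers. The configuration files it inspects are constructed in a temporary directory for the demonstration, and the cacert.pem it creates is a placeholder standing in for a real CA certificate.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an OpenLDAP
# client ldap.conf enforces server certificate verification.
# Keywords assumed from ldap.conf(5): TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT.
# TLS_REQCERT semantics (ldap.conf(5)):
#   never  - no certificate requested, nothing verified
#   allow  - certificate requested, a bad or missing one is ignored
#   try    - a bad certificate aborts, but a missing one is tolerated
#   demand / hard - a valid certificate is required, anything else aborts
# The documented default is demand, but this check insists on an explicit
# setting so the intent is visible in the file.

# Print the value of a keyword (keywords are case-insensitive; comments ignored).
ldap_conf_get() {
    conf=$1; key=$2
    awk -v k="$key" 'BEGIN { k = toupper(k) }
        $1 !~ /^#/ && toupper($1) == k { print $2; exit }' "$conf"
}

# Return 0 only if the client will abort on an unverifiable server cert:
# TLS_REQCERT must be demand or hard, and a readable trust anchor
# (TLS_CACERT file or TLS_CACERTDIR directory) must be configured.
ldap_conf_requires_verification() {
    conf=$1
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    case "$reqcert" in
        demand|hard) ;;
        *)
            echo "TLS_REQCERT is '${reqcert:-unset}': an unverifiable server cert would not abort the query" >&2
            return 1 ;;
    esac
    if [ -n "$cacert" ] && [ -r "$cacert" ]; then
        return 0
    fi
    if [ -n "$cacertdir" ] && [ -d "$cacertdir" ]; then
        return 0
    fi
    echo "no readable trust anchor: TLS_CACERT='${cacert:-unset}' TLS_CACERTDIR='${cacertdir:-unset}'" >&2
    return 1
}

# --- constructed sample configurations (placeholder paths, not a real deployment) ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
: > "$tmpdir/cacert.pem"   # placeholder standing in for the CA certificate file

GOOD_CONF=$tmpdir/verified.conf
BAD_CONF=$tmpdir/unverified.conf
IMPLICIT_CONF=$tmpdir/implicit.conf
printf '# constructed: trust anchor set, verification demanded\nURI ldaps://ldap.example.test\nTLS_CACERT %s\nTLS_REQCERT demand\n' \
    "$tmpdir/cacert.pem" > "$GOOD_CONF"
printf '# constructed: trust anchor set, but failures are ignored\nURI ldaps://ldap.example.test\nTLS_CACERT %s\ntls_reqcert never\n' \
    "$tmpdir/cacert.pem" > "$BAD_CONF"
printf '# constructed: TLS_REQCERT left implicit\nURI ldaps://ldap.example.test\nTLS_CACERT %s\n' \
    "$tmpdir/cacert.pem" > "$IMPLICIT_CONF"

for f in "$GOOD_CONF" "$BAD_CONF" "$IMPLICIT_CONF"; do
    if ldap_conf_requires_verification "$f"; then
        echo "$(basename "$f"): verification enforced"
    else
        echo "$(basename "$f"): NOT enforced"
    fi
done

# Live check against a real server (not run here): with TLS_REQCERT demand,
# a CA file that does not contain the slapd cert's issuer makes the query fail
# instead of silently succeeding:
#   ldapsearch -x -H ldaps://ldap.example.test -b '' -s base
# and the trust chain can be inspected directly with
#   openssl s_client -connect ldap.example.test:636 -CAfile /usr/share/ssl/cert.pem
```

The check accepts only demand and hard because try still tolerates a server that presents no certificate at all. Note that enforcement also requires the file named by TLS_CACERT to actually contain the CA that signed the slapd certificate; with the cert.pem described in the post, which lacks that CA, a client set to demand would refuse the connection until the CA certificate is appended to it.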