
client (non) verification of server SSL certs



Howdy!

I've successfully set up a slapd with SSL/TLS, both are working.  I've
been using the openldap tools and GQ to query it, no problem.

The strange thing about it is that I created the CA on the slapd host
machine.  I deliberately didn't tell my separate client machine about
the CA (ie. in my RedHat /usr/share/ssl/cert.pem file there's no
mention of the CA I created on the slapd host).  However, the clients,
both ldapsearch and GQ, don't seem to mind that they're talking to a
server using certs that can't be verified!

Reading through the SSL-related posts from the last several months, it
appears that the 'TLS_CACERT' variable in the /etc/openldap/ldap.conf
file should point to my /usr/share/ssl/cert.pem file, but setting or
not setting this makes no difference.

How do I control this behavior to ensure the client verifies the
server's certificates before continuing with the ldap query?

Thanks for your help!

        John

-- 
John Morris
+852-9777-5286
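The client-side setting that decides what libldap does when the server certificate cannot be verified is TLS_REQCERT in ldap.conf(5) (the same file that holds TLS_CACERT). The fragment below is an added example, not part of the message above: the file paths follow the ones named in the post, and the commented-out weak line is shown only to contrast it with the strict one.

```conf
# /etc/openldap/ldap.conf (client side; ~/.ldaprc works the same way)
# Example fragment added here, not taken from the original post.

# PEM file holding the certificate of the CA that signed the slapd cert.
# The CA created on the slapd host must be copied into this file (or a
# directory handled by TLS_CACERTDIR); an unrelated bundle gives the
# client nothing to verify the server chain against.
TLS_CACERT      /usr/share/ssl/cert.pem

# Weak: never ask for or check the server certificate, so a spoofed
# or unverifiable server is accepted silently.
# TLS_REQCERT   never

# Strict: require a server certificate and abort the connection if it
# cannot be verified against TLS_CACERT ("hard" is a synonym for demand).
TLS_REQCERT     demand
```

With TLS_REQCERT set to demand, ldapsearch against a server whose CA is absent from TLS_CACERT fails at TLS negotiation instead of continuing with the query; with the real CA in the file, the same search succeeds, which is the quick check that the verification path is actually being exercised. The intermediate values (allow, try) tolerate missing or bad certificates to varying degrees and do not give the guarantee the question asks for.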