
RE: client (non) verification of server SSL certs



You didn't mention which version of OpenLDAP you're using. Recent versions
have cert verification enabled by default, but older versions don't. You can
explicitly set this using TLS_REQCERT (all 2.x.y versions) in
/etc/openldap/ldap.conf. See the ldap.conf(5) man page.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
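A small audit of the ldap.conf settings named above, added here as an example and not part of the thread: it parses a client ldap.conf and reports whether TLS_REQCERT and TLS_CACERT together actually force server certificate verification. The two configuration texts are constructed samples, and the accepted TLS_REQCERT values (never/allow/try/demand/hard) are those documented in ldap.conf(5).

```python
# Constructed sample client configs (not from the original thread).
WEAK_CONF = """\
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_CACERT  /usr/share/ssl/cert.pem
TLS_REQCERT never
"""

HARDENED_CONF = """\
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_CACERT  /usr/share/ssl/cert.pem
TLS_REQCERT demand
"""

# TLS_REQCERT values per ldap.conf(5); only demand/hard abort on an unverifiable cert.
VERIFYING = {"demand", "hard"}
NON_VERIFYING = {"never", "allow", "try"}

def parse_ldap_conf(text):
    """Map OPTION -> value for the non-comment lines of an ldap.conf."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_tls(text):
    """Return (verdict, findings); verdict is verified / not verified / version-dependent."""
    opts = parse_ldap_conf(text)
    findings = []
    if "TLS_REQCERT" not in opts:
        # Absent: as noted in the reply, the default differs between OpenLDAP releases.
        verdict = "version-dependent"
        findings.append("TLS_REQCERT not set; set it explicitly to demand")
    else:
        value = opts["TLS_REQCERT"].lower()
        verdict = "verified" if value in VERIFYING else "not verified"
        if value in NON_VERIFYING:
            findings.append(f"TLS_REQCERT {value}: unverifiable server certs are accepted")
        elif value not in VERIFYING:
            findings.append(f"TLS_REQCERT {value}: unrecognised value")
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no CA to check the server chain against")
        if verdict == "verified":
            verdict = "not verified"
    return verdict, findings
```

Run `audit_tls` over each client's /etc/openldap/ldap.conf to find boxes where the setting is missing or weakened; a `demand` with no CA path is flagged too, since the client then has nothing to verify the chain against.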

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Morris
> Sent: Sunday, October 20, 2002 10:12 AM
> To: openldap-software@OpenLDAP.org
> Subject: client (non) verification of server SSL certs
>
>
> Howdy!
>
> I've successfully set up a slapd with SSL/TLS, both are working.  I've
> been using the openldap tools and GQ to query it, no problem.
>
> The strange thing about it is that I created the CA on the slapd host
> machine.  I deliberately didn't tell my separate client machine about
> the CA (ie. in my RedHat /usr/share/ssl/cert.pem file there's no
> mention of the CA I created on the slapd host).  However, the clients,
> both ldapsearch and GQ, don't seem to mind that they're talking to a
> server using certs that can't be verified!
>
> Reading through the SSL-related posts from the last several months, it
> appears that the 'TLS_CACERT' variable in the /etc/openldap/ldap.conf
> file should point to my /usr/share/ssl/cert.pem file, but setting or
> not setting this makes no difference.
>
> How do I control this behavior to ensure the client verifies the
> server's certificates before continuing with the ldap query?
>
> Thanks for your help!
>
>         John
>
> --
> John Morris
> +852-9777-5286
>
>