Re: Different TLSVerifyClient possible?
For clarification, /etc/ldap.conf is the LDAP PAM configuration file.
User-only TLS directives do not belong in the OpenLDAP client ldap.conf
file.
Cheers,
Kent Soper
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
phone: 1-512-838-9216
e-mail: dksoper@us.ibm.com
Martin Lesser <admin-openldap@better-com.de>
Sent by: owner-openldap-software@OpenLDAP.org
08/12/2003 12:39 PM
To: openldap-software@OpenLDAP.org
cc:
Subject: Re: Different TLSVerifyClient possible?
Martin Lesser <admin-openldap@better-com.de> writes:
> For the slapd running on 127.0.0.1 I want to reduce TLSVerifyClient to
> never so only the slapd serving the external address strictly depends on
> a valid client-cert. Otherwise I had to generate a client-cert for each
> local service which uses ldap.
... without pam_ldap
One solution which works is to add TLS_KEY and TLS_CERT to
/etc/ldap.conf so local services querying the slapd can use the certs
defined in ldap.conf if they also use pam_ldap.
But that's IMO suboptimal.
Martin