
Re: Problem in start TLS in LDAP
Mohana wrote:
"But If the client is on some other machine, then without the TLS_CACERT
directive in that machine's ldap.conf file, the tls connection is
succeeding. Isn't this not correct?"

Hmmm, double negative ... the answer is yes.  This is correct.  TLS does
not require a CA cert on the client.  See
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#5.4 and the
first column shows no CA cert directive in ldap.conf for a basic TLS
configuration.  This works because only the server certificate is needed to
set up TLS.

Cheers,
Kent

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
tie line:     678-9216
external:  1-512-838-9216
e-mail:  dksoper@us.ibm.com

From:    Mohana Sundaram <msivakum@npd.hcltech.com>
To:      Kent Soper/Austin/IBM@IBMUS, openldap-software@OpenLDAP.org
cc:
Subject: Problem in start TLS in LDAP
Date:    09/23/2003 06:34 AM

Hi all,

I have followed the steps in the following document.

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

Step 6 in this document is quoted below:

6. Make the CA certificate available to your LDAP clients.
If the client is on the same machine, copy cacert.pem to a location
accessible by the client. If clients are on other machines, then cacert.pem
will have to be copied to those machines and also made accessible.

If the client is on the same machine with the following ldap.conf file,

TLS_CACERT  /usr/local/var/openldap-data/cacert.pem
TLS_REQCERT demand

it is working fine. If I comment out TLS_CACERT directive, the tls
connection request is failing.
But If the client is on some other machine, then without the TLS_CACERT
directive in that machine's ldap.conf file, the tls connection is
succeeding. Isn't this not correct? Can someone explain this behaviour?

Thanks,
- Mohan.
--
Mohana Sundaram K.S.
HCL Technologies
www.hcltechnologies.com/voip
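As an added check (example code, not part of this thread or of OpenLDAP), the following Python audit reads the ldap.conf directives discussed above and reports whether the client has a configured trust anchor and a verification level that rejects a bad or missing server certificate; the two sample configs are constructed from the same-machine and other-machine setups described in the thread.

```python
# Added example, not from the thread: audit the TLS directives of an OpenLDAP
# ldap.conf to answer "does this client verify the server it talks to?".
# Directive names are from ldap.conf(5); the sample configs are constructed
# from the two client setups described in the thread.

SAME_HOST_CONF = """\
TLS_CACERT  /usr/local/var/openldap-data/cacert.pem
TLS_REQCERT demand
"""

OTHER_HOST_CONF = """\
#TLS_CACERT  /usr/local/var/openldap-data/cacert.pem
TLS_REQCERT demand
"""

REQCERT_LEVELS = {"never", "allow", "try", "demand", "hard"}


def parse_ldap_conf(text):
    """Map each uncommented directive (upper-cased) to its value string."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                conf[parts[0].upper()] = parts[1].strip()
    return conf


def audit_tls(conf):
    """Return findings; an empty list means a trust anchor is configured and
    a missing or bad server certificate aborts the connection."""
    findings = []
    trust_anchor = conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")
    level = conf.get("TLS_REQCERT", "").lower()
    if level and level not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT '{level}' is not a valid level")
    elif level in ("never", "allow"):
        findings.append(f"TLS_REQCERT {level}: missing or bad server cert tolerated")
    elif level == "try":
        findings.append("TLS_REQCERT try: missing server cert tolerated")
    elif not level:
        findings.append("TLS_REQCERT unset: set the verification level explicitly")
    if not trust_anchor:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no CA to verify the server cert")
    return findings
```

Run against OTHER_HOST_CONF the audit reports a client with no CA to check the server certificate against, which is the situation to look for when a StartTLS session "succeeds" on a machine that never received cacert.pem.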