
RE: Problem in start TLS in LDAP



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kent Soper

> Mohana wrote:
> "But if the client is on some other machine, then without the
> TLS_CACERT
> directive in that machine's ldap.conf file, the TLS connection is
> succeeding. Isn't this not correct?"
>
> Hmmm, double negative ... the answer is yes.  This is
> correct.  TLS does
> not require a CA cert on the client.  See
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#5.4 and the
> first column shows no CA cert directive in ldap.conf for a basic TLS
> configuration.  This works because only the server
> certificate is needed to
> set up TLS.

Wrong. For a secure session the client and server must both agree on a
trusted CA. This means that the client must recognize the CA that signed the
server's cert, i.e., a copy of the server's CA cert must be explicitly
configured on the client.

The original poster never mentioned what version of software was being used.
It's generally a futile exercise to try to diagnose a problem without such
crucial information.

Older releases of the OpenLDAP library didn't validate the server's cert by
default, and so you could get away with not configuring any CA certs. This is
an insecure practice, and newer versions require proper validation. Most
likely the difference that was observed in the original post is due to
differing software versions or some other element of the system environment.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

>
> Cheers,
> Kent
>
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> tie line:     678-9216
> external:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
>
>
> From: Mohana Sundaram <msivakum@npd.hcltech.com>
> To: Kent Soper/Austin/IBM@IBMUS, openldap-software@OpenLDAP.org
> cc:
> Subject: Problem in start TLS in LDAP
> Date: 09/23/2003 06:34 AM
>
> Hi all,
>
> I have followed the steps in the following document.
>
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
>
> Step 6 in this document is quoted below:
>
> 6. Make the CA certificate available to your LDAP clients.
> If the client is on the same machine, copy cacert.pem to a location
> accessible by the client. If clients are on other machines,
> then cacert.pem
> will have to be copied to those machines and also made
> accessible.
>
>
> If the client is on the same machine with the following
> ldap.conf file,
>
> TLS_CACERT  /usr/local/var/openldap-data/cacert.pem
> TLS_REQCERT demand
>
> it is working fine. If I comment out the TLS_CACERT directive, the TLS
> connection request is failing.
> But if the client is on some other machine, then without the
> TLS_CACERT
> directive in that machine's ldap.conf file, the TLS connection is
> succeeding. Isn't this not correct? Can someone explain this behaviour?
>
> Thanks,
> - Mohan.
>
>
>
>
>
> --
> Mohana Sundaram K.S.
> HCL Technologies
> www.hcltechnologies.com/voip
>
>
>
>
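
Howard's point, that a client can only validate the server's certificate if it holds a copy of the CA certificate that signed it, can be checked offline with the openssl command-line tool. The script below is an added example, not code from this thread or from the OpenLDAP project. It assumes an openssl CLI of version 1.1.0 or later (for the -no-CAfile/-no-CApath options) and uses constructed, throwaway names (Example Test CA, ldap.example.test). The two verify functions stand in for a client whose ldap.conf carries TLS_CACERT plus TLS_REQCERT demand, and for a client with no TLS_CACERT at all.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and a server
# certificate signed by it, then check the server certificate the way an
# LDAP client with "TLS_REQCERT demand" must: against an explicitly
# configured CA certificate. Assumes the openssl CLI, 1.1.0 or later.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample CA; the subject name is a placeholder.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
}

# Constructed sample server certificate, signed by the CA above.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Stand-in for a client whose ldap.conf contains
#   TLS_CACERT  /path/to/cacert.pem
#   TLS_REQCERT demand
# Prints "ok" when the server certificate chains to the CA, "fail" otherwise.
verify_with_ca() {
    if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Stand-in for a client with no TLS_CACERT configured: there is nothing to
# chain the server certificate to. -no-CAfile/-no-CApath also disable the
# system trust store so the result does not depend on what happens to be
# installed on this host.
verify_without_ca() {
    if openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca && make_server_cert || { echo "certificate setup failed" >&2; exit 1; }
echo "with CA cert:    $(verify_with_ca)"     # ok
echo "without CA cert: $(verify_without_ca)"  # fail
```

The second result is what a current OpenLDAP client reports when TLS_CACERT is missing and TLS_REQCERT is left at its default of demand: the handshake is refused because the server's certificate cannot be chained to any trusted CA. A client that "succeeds" in that state is either running an older library that skipped validation or has TLS_REQCERT relaxed to allow or never, and in both cases the session is not authenticating the server.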