
Re: SASL External Mechanism



Hi,

On Wednesday 31 December 2003 18:37, ms419@freezone.co.uk wrote:
> Thanks for your helps. I've double checked my configuration and reread
> the Administrator's Guide. I'm sure I've asserted the client's
> certificate.
>
> The server's "slapd.conf" file contains:
>
> TLSCACertificateFile    /etc/openldap/cacert.pem
> TLSVerifyClient demand
>
> The client's "ldap.conf" file contains:
>
> TLS_CERT        /etc/ldap/cert.pem
> TLS_KEY /etc/ldap/key.pem

Are these the only TLS-related statements in your server's slapd.conf and your
client's ldap.conf file?

AFAIK TLS requires the server to have a certificate, and the client to be able
to check the certificate from the server.
To do this the client needs the CA's certificate.

Thus you need
  TLSCertificateFile /etc/openldap/servercert.pem
  TLSCertificateKeyFile /etc/openldap/serverkey.pem
with appropriate (i.e. signed by your CA) servercert.pem and serverkey.pem
in your server's slapd.conf. The server's key may not be password protected.

On the client side you need 
  TLS_CACERT /etc/ldap/cacert.pem
in your ldap.conf.

That's at least how I understand it ;-)

Peter

-- 
Peter Marschall
eMail: peter@adpm.de
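The complete set of TLS directives discussed in this thread, on both ends, as an added worked example (not part of the original messages): a script that builds a throw-away CA with one server and one client certificate, writes the slapd.conf and ldap.conf stanzas that reference them, and checks offline that both certificates chain to the same CA. The directive names (TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile, TLSVerifyClient, TLS_CACERT, TLS_REQCERT, TLS_CERT, TLS_KEY) are OpenLDAP's own; the host name ldap.example.com, the subject names, and the scratch-directory paths are assumptions chosen for illustration, and the files are written to a temporary directory rather than /etc so the script can be run anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a test PKI and the
# slapd.conf / ldap.conf TLS stanzas for TLSVerifyClient demand + SASL
# EXTERNAL. Host name, subject names and paths are assumptions.
set -eu

# Throw-away CA, a server certificate whose name matches the LDAP host,
# and a client certificate. Every key is written unencrypted: slapd
# cannot prompt for a passphrase at start-up.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # server: CN and subjectAltName must match the name clients connect to
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$host" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/servercert.pem" 2>/dev/null
    # client: its subject DN is the identity SASL EXTERNAL will present
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=jack" \
        -keyout "$dir/key.pem" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/cert.pem" 2>/dev/null
}

# Server side: the CA used to validate client certificates, the server's
# own certificate and unencrypted key, and the requirement that every
# client present a certificate signed by that CA. Without TLSCertificateFile
# and TLSCertificateKeyFile slapd has nothing to offer in the handshake.
write_slapd_tls_conf() {
    dir=$1
    cat > "$dir/slapd-tls.conf" <<EOF
TLSCACertificateFile   $dir/cacert.pem
TLSCertificateFile     $dir/servercert.pem
TLSCertificateKeyFile  $dir/serverkey.pem
TLSVerifyClient        demand
EOF
}

# Client side: the CA needed to check the server's certificate, plus the
# client certificate and key. TLS_REQCERT demand makes the client refuse
# a server it cannot verify. In current OpenLDAP releases TLS_CERT and
# TLS_KEY are user-only options and belong in ~/.ldaprc, not ldap.conf.
write_ldap_conf() {
    dir=$1
    cat > "$dir/ldap.conf" <<EOF
TLS_CACERT   $dir/cacert.pem
TLS_REQCERT  demand
TLS_CERT     $dir/cert.pem
TLS_KEY      $dir/key.pem
EOF
}

# Offline check that both ends chain to the same CA, the usual cause of
# "peer cert untrusted" / "can't contact LDAP server" after enabling TLS.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/servercert.pem" >/dev/null &&
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" >/dev/null
}

# Usage: build everything in a scratch directory.
WORK=${WORK:-$(mktemp -d)}
write_slapd_tls_conf "$WORK"
write_ldap_conf "$WORK"
if command -v openssl >/dev/null 2>&1; then
    make_test_pki "$WORK" ldap.example.com
    verify_chain "$WORK" && echo "chain OK: $WORK"
fi
# Against a running slapd the end-to-end checks are:
#   openssl s_client -connect ldap.example.com:636 -CAfile cacert.pem -cert cert.pem -key key.pem
#   ldapwhoami -H ldaps://ldap.example.com/ -Y EXTERNAL
# With TLSVerifyClient demand the first fails during the handshake if
# -cert/-key are omitted; the second returns the client certificate's
# subject DN in LDAP form (cn=jack,o=Example here) as the bound identity.
```

The two s_client runs, with and without -cert/-key, are the quickest way to confirm that slapd really enforces TLSVerifyClient demand rather than silently falling back to an anonymous TLS session.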