
Re: SASL External Mechanism



Thanks, Peter, the TLS statements you mention are in my configuration. I omitted them because verification of the server by the client seems to be working ...

Cheers,

Jack

On Dec 31, 2003, at 10:48 AM, Peter Marschall wrote:

Hi,

On Wednesday 31 December 2003 18:37, ms419@freezone.co.uk wrote:
Thanks for your help. I've double checked my configuration and reread
the Administrator's Guide. I'm sure I've asserted the client's
certificate.

The server's "slapd.conf" file contains:

TLSCACertificateFile    /etc/openldap/cacert.pem
TLSVerifyClient demand

The client's "ldap.conf" file contains:

TLS_CERT        /etc/ldap/cert.pem
TLS_KEY /etc/ldap/key.pem

are these the only TLS related statements in your server's slapd.conf and your
client's ldap.conf file?


AFAIK TLS requires the server to have a certificate and the client to be able
to check the certificate from the server.
To do this the client needs the CA's certificate.


Thus you need
TLSCertificateFile /etc/openldap/servercert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
with appropriate (i.e. signed by your CA) servercert.pem and serverkey.pem
in your server's slapd.conf. The server's key may not be password protected.


On the client side you need
  TLS_CACERT /etc/ldap/cacert.pem
in your ldap.conf.

That's at least how I understand it ;-)

Peter

--
Peter Marschall
eMail: peter@adpm.de
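An added pre-flight check for the setup Peter describes (not from the thread or from OpenLDAP): it confirms that the server key in TLSCertificateKeyFile is not password protected, that both the server and the client certificate chain to the CA file the other side trusts (TLS_CACERT / TLSCACertificateFile with TLSVerifyClient demand), and that each certificate belongs to its key. The five file paths are passed as arguments; the ones from the thread are used in the comments, and the RSA-only modulus comparison is an assumption of this script.

```sh
#!/bin/sh
# Usage (paths from the thread):
#   sh tlscheck.sh /etc/openldap/cacert.pem /etc/openldap/servercert.pem \
#      /etc/openldap/serverkey.pem /etc/ldap/cert.pem /etc/ldap/key.pem

# 0 if the PEM key is not password protected: slapd reads the key at start-up
# unattended and cannot answer a passphrase prompt.
key_is_unencrypted() {
    [ -r "$1" ] || { echo "unreadable key: $1" >&2; return 1; }
    if grep -q 'ENCRYPTED' "$1"; then
        echo "key $1 is password protected" >&2
        return 1
    fi
    return 0
}

# 0 if certificate $2 chains to the CA certificate(s) in $1, which is the check
# the client does via TLS_CACERT and the server via TLSCACertificateFile.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if RSA certificate $1 and private key $2 share a modulus (assumes RSA keys,
# as this comparison does not work for other key types).
cert_matches_key() {
    cmod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    # empty -passin makes an encrypted key fail instead of prompting
    kmod=$(openssl rsa -noout -modulus -in "$2" -passin pass: 2>/dev/null) || return 1
    [ "$cmod" = "$kmod" ]
}

# Check both ends. Arguments: CA cert, server cert, server key, client cert, client key.
check_mutual_tls() {
    rc=0
    key_is_unencrypted "$3" || rc=1
    cert_signed_by_ca "$1" "$2" || { echo "server cert not signed by CA" >&2; rc=1; }
    cert_matches_key "$2" "$3" || { echo "server cert/key mismatch" >&2; rc=1; }
    cert_signed_by_ca "$1" "$4" || { echo "client cert not signed by CA; TLSVerifyClient demand will reject it" >&2; rc=1; }
    cert_matches_key "$4" "$5" || { echo "client cert/key mismatch" >&2; rc=1; }
    return $rc
}

if [ $# -ge 5 ]; then
    check_mutual_tls "$@" && echo "mutual TLS files look consistent"
fi
```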