
Re: Doubt



Gagnesh Kumar wrote:

If I specify the entry "TLSVerifyClient demand" in slapd.conf, does this mean
that I am forcing the clients to send a certificate?
Do I need to generate client certificates for that?
In short, do I need a CA cert, server cert and also the client cert?


yes

slapd.conf(5)


*TLSVerifyClient* <*level*>
       Specifies what checks to perform on client certificates in an incoming TLS session, if any. The <*level*> can be specified as one of the following keywords:

       *never*   This is the default. *slapd* will not ask the client for a certificate.

       *allow*   The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

       *try*     The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.

       *demand* | *hard* | *true*
                 These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.

                 Note that a valid client certificate is required in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default *TLSVerifyClient* setting must be chosen to enable SASL EXTERNAL authentication.
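To make the four levels concrete, here is an added example (it is not from the post above or from OpenLDAP itself): a small Python checker that reads the TLS directives from a slapd.conf fragment, resolves the TLSVerifyClient level as slapd.conf(5) describes it, and reports whether clients must present a certificate, whether a CA certificate is configured to validate them against, and whether SASL EXTERNAL over TLS is therefore possible. The file paths in the sample configuration are constructed.

```python
# Behaviour of each level as documented in slapd.conf(5); "hard" and "true"
# are aliases for "demand".
LEVELS = {
    "never":  {"requests_cert": False, "cert_required": False, "bad_cert_fatal": False},
    "allow":  {"requests_cert": True,  "cert_required": False, "bad_cert_fatal": False},
    "try":    {"requests_cert": True,  "cert_required": False, "bad_cert_fatal": True},
    "demand": {"requests_cert": True,  "cert_required": True,  "bad_cert_fatal": True},
}
ALIASES = {"hard": "demand", "true": "demand"}

def parse_directives(text):
    """Return {directive_lower: value} for the non-comment lines of a slapd.conf."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    return directives

def check_tls_client_auth(conf_text):
    """Summarise what the TLSVerifyClient setting implies and flag gaps."""
    d = parse_directives(conf_text)
    raw = d.get("tlsverifyclient", "never").lower()   # "never" is the default
    level = ALIASES.get(raw, raw)
    if level not in LEVELS:
        raise ValueError(f"unknown TLSVerifyClient level: {raw}")
    info = dict(LEVELS[level], level=level, warnings=[])
    has_ca = "tlscacertificatefile" in d or "tlscacertificatepath" in d
    # Any non-default level needs a CA to validate client certificates against;
    # without one, every certificate a client presents counts as "bad".
    if info["requests_cert"] and not has_ca:
        info["warnings"].append("client certs requested but no TLSCACertificateFile/Path set")
    # slapd.conf(5): SASL EXTERNAL over TLS needs a validated client certificate.
    info["sasl_external_possible"] = info["requests_cert"] and has_ca
    if not info["requests_cert"]:
        info["warnings"].append("TLSVerifyClient never: SASL EXTERNAL over TLS not possible")
    return info

# Constructed sample matching the question: CA cert, server cert and key, demand.
SAMPLE_CONF = """\
TLSCACertificateFile  /etc/ldap/ssl/ca.crt
TLSCertificateFile    /etc/ldap/ssl/server.crt
TLSCertificateKeyFile /etc/ldap/ssl/server.key
TLSVerifyClient demand
"""
```

With the sample above, `check_tls_client_auth(SAMPLE_CONF)` reports that a valid client certificate is mandatory and SASL EXTERNAL is usable; dropping the TLSCACertificateFile line produces a warning instead.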