
RE: Client - Server Authentication Using Certificates



On Mon, 10 May 2004, Howard Chu wrote:

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Igor Brezac
>
> > > So my second question is what do I need to add to the
> > configuration to
> > > enable this to be done. I have appended the relevant lines from the
> > > configuration files to the end of this mail.
>
> > > ldap.conf
> > >
> > > TLS_CACERT /etc/grid-security/certificates/fa3af1d7.0
> > > TLS_CERT /etc/grid-security/hostcert.pem
> > > TLS_KEY /etc/grid-security/hostkey.pem
> > >
> > >
> > > slapd.conf
> > >
> > > TLSCACertificateFile /etc/grid-security/certificates/fa3af1d7.0
> > > TLSCertificateFile /etc/grid-security/hostcert.pem
> > > TLSCertificateKeyFile /etc/grid-security/hostkey.pem
> > > TLSVerifyClient demand
> >
> > This will not work unless the hostcert.pem subject is a valid DN.  You
> > probably need to generate a separate client cert (for ldap.conf).
>
> You cannot specify user certificates in ldap.conf. This is clearly stated in
> both the Admin Guide and the manpages. User certificate configuration must be
> done in the user's .ldaprc file.

Thank you for the correction.  I mistakenly assumed Laurence used correct
config files.  My biggest stumbling block when getting SASL/EXTERNAL to
work was to generate good client certs.

Anyway, Laurence should be on the right track now.

-- 
Igor