[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap_start_tls_s and automatic CA certificate searching

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: ldap_start_tls_s and automatic CA certificate searching
From: Howard Chu <hyc@symas.com>
Date: Fri, 22 Jun 2007 19:05:18 -0700
Cc: Roberto Aguilar <bertosmailbox@gmail.com>, openldap-software@openldap.org
In-reply-to: <hbf.20070623u77l@bombur.uio.no>
References: <e190e3480706220302l112c3229g12769398f7c23d22@mail.gmail.com> <hbf.20070623u77l@bombur.uio.no>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a6pre) Gecko/20070617 SeaMonkey/2.0a1pre

Hallvard B Furuseth wrote:

Roberto Aguilar writes:

Setting TLS_CACERT to the server's CA certificate allows the
connection to go through, but that is not feasible as I need to
connect to servers with different CAs.

I tried looking through ldapsearch.c to find the secret sauce to get
this to work, but was not successful.  Can someone point me in the
right direction.


libldap handles it for ldapsearch.  If you mean you want to set the
CA cert by hand in the program, use
 rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "<CA cert filename>");

Also, as noted in the Admin Guide, you can place multiple CA certs in a single file, and you typically need to do this on clients anyway.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

References:
- ldap_start_tls_s and automatic CA certificate searching
  - From: "Roberto Aguilar" <bertosmailbox@gmail.com>
- Re: ldap_start_tls_s and automatic CA certificate searching
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: No search result without rootdn
Next by Date: Re: ldap_start_tls_s and automatic CA certificate searching
Index(es):
- Chronological
- Thread