
Re: ldaprc with ldaps:// and ldap:// fallback



manu@netbsd.org (Emmanuel Dreyfus) writes:

> Hello
>
> I would like to setup a ldaprc so that an application uses:
> - a localhost-based slapd without authentication (just relying on
> filesystem permissions on the slapd socket)
> - if it is not available, a remote slapd, authenticating using client
> certificate
>
> Here is the desired ldaprc:
> BASE            dc=example,dc=net
> URI             ldapi:/// ldaps://ldap.example.net
> TLS_CACERT      /etc/openssl/ca.crt
> TLS_CERT        /etc/openssl/host.crt
> TLS_KEY         /etc/openssl/host.key
> SASL_MECH       EXTERNAL
> TLS_REQCERT     demand
>
> Of course it will not work, as the ldapi:/// connection will present a
> certificate. I have the feeling the setup I am looking for cannot be
> configured. Is that right?

No, ldapi:/// doesn't present a certificate, but you may establish a
startTLS session to ldapi:///; in this case the client requests a
server certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
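
An added example, not part of the thread above: a small POSIX shell script that walks the same URI list as the posted ldaprc in order, doing a SASL EXTERNAL bind against each, and reports which leg answered and what identity the server mapped the bind to. libldap already tries the URIs in `URI` in order, so the ldaprc works as posted; the script exists to make the behaviour visible when debugging. It assumes the OpenLDAP client tools (ldapwhoami) are installed and reuses the hostname and certificate paths from the original post. The TLS options are passed as `LDAPTLS_*` environment variables, which ldap.conf(5) accepts as the option name prefixed with `LDAP`; they only affect the ldaps:// connection, the ldapi:/// socket authenticates via the Unix peer credentials. The `LDAP_WHOAMI` override is a hypothetical hook so the script can be exercised without a live directory.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread). Probe the ldaprc URIs
# in order with a SASL EXTERNAL bind and show which one answered.
# Assumes OpenLDAP client tools; LDAP_WHOAMI is a hypothetical override
# that lets a caller substitute another command for ldapwhoami.

: "${LDAP_WHOAMI:=ldapwhoami}"

# TLS settings for the ldaps:// leg, taken from the posted ldaprc and
# expressed as environment variables (ldap.conf(5): option name prefixed
# with LDAP). They are irrelevant to the ldapi:/// Unix socket, which
# carries no TLS unless StartTLS is explicitly requested.
export LDAPTLS_CACERT="${LDAPTLS_CACERT:-/etc/openssl/ca.crt}"
export LDAPTLS_CERT="${LDAPTLS_CERT:-/etc/openssl/host.crt}"
export LDAPTLS_KEY="${LDAPTLS_KEY:-/etc/openssl/host.key}"
export LDAPTLS_REQCERT="${LDAPTLS_REQCERT:-demand}"

# ldap_whoami URI: SASL EXTERNAL bind against one URI. Prints the authzid
# the server reports (dn:... or u:...) on success; non-zero otherwise.
# -Y selects the SASL mechanism, -Q suppresses SASL prompts.
ldap_whoami() {
    "$LDAP_WHOAMI" -H "$1" -Y EXTERNAL -Q 2>/dev/null
}

# first_reachable "uri1 uri2 ...": try each URI in order and print
# "URI<TAB>authzid" for the first one that binds; return 1 if none did.
first_reachable() {
    for uri in $1; do
        if who=$(ldap_whoami "$uri"); then
            printf '%s\t%s\n' "$uri" "$who"
            return 0
        fi
    done
    return 1
}

# Usage (same list as the ldaprc URI line):
#   first_reachable "ldapi:/// ldaps://ldap.example.net"
```

On a host where slapd is running locally, the first column will read `ldapi:///` and the identity will be the gidNumber/uidNumber form mapped by slapd's authz-regexp; stop the local slapd and the same call should fall through to the ldaps:// leg and report the DN derived from the client certificate, confirming that the TLS options never touched the ldapi:/// bind.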