Re: ldaprc with ldaps:// and ldap:// fallback
manu@netbsd.org (Emmanuel Dreyfus) writes:
> Hello
>
> I would like to set up an ldaprc so that an application uses:
> - a localhost-based slapd without authentication (just relying on
> filesystem permission on the slapd socket)
> - if it is not available, a remote slapd, authenticating using client
> certificate
>
> Here is the desired ldaprc:
> BASE dc=example,dc=net
> URI ldapi:/// ldaps://ldap.example.net
> TLS_CACERT /etc/openssl/ca.crt
> TLS_CERT /etc/openssl/host.crt
> TLS_KEY /etc/openssl/host.key
> SASL_MECH EXTERNAL
> TLS_REQCERT demand
>
> Of course it will not work, as the ldapi:/// connection will present a
> certificate. I have the feeling the setup I am looking for cannot be
> configured. Is that right?
No, ldapi:/// doesn't present a certificate, but you may establish a
startTLS session to ldapi:///; in this case the client requests a
server certificate.
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
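
An added example, not part of the original thread: a short Python sketch that parses the ldaprc quoted above and reports, per URI in fallback order, whether the TLS_* options come into play and which identity SASL EXTERNAL would draw on. The function names and report fields are hypothetical; the mapping assumes OpenLDAP behaviour (peer credentials on ldapi, certificate subject once TLS is established).

```python
from urllib.parse import urlsplit

# Constructed sample: the ldaprc quoted in the message above.
SAMPLE_LDAPRC = """\
BASE dc=example,dc=net
URI ldapi:/// ldaps://ldap.example.net
TLS_CACERT /etc/openssl/ca.crt
TLS_CERT /etc/openssl/host.crt
TLS_KEY /etc/openssl/host.key
SASL_MECH EXTERNAL
TLS_REQCERT demand
"""

def parse_ldaprc(text):
    """Return {OPTION: value}, with option names normalised to upper case."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def describe_uris(opts):
    """One row per URI, in the order listed (hypothetical report format)."""
    tls_opts = sorted(k for k in opts if k.startswith("TLS_"))
    external = opts.get("SASL_MECH", "").upper() == "EXTERNAL"
    rows = []
    for uri in opts.get("URI", "").split():
        scheme = urlsplit(uri).scheme.lower()
        implicit_tls = scheme == "ldaps"
        if scheme == "ldapi":
            transport, identity = "unix socket", "peer uid/gid of the socket"
        else:
            transport, identity = "tcp", "client certificate subject (TLS required)"
        rows.append({
            "uri": uri,
            "transport": transport,
            "tls": "always" if implicit_tls else "only if StartTLS is requested",
            # TLS_* options are consulted only once a TLS handshake happens.
            "tls_options_used": tls_opts if implicit_tls else [],
            "external_identity": identity if external else None,
        })
    return rows

if __name__ == "__main__":
    for row in describe_uris(parse_ldaprc(SAMPLE_LDAPRC)):
        print(row)
```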