I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system. I believe I have TLS encryption working, but I'd like to be able to verify my client connections.

On my LDAP server I have the following in slapd.conf:

    TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem
    TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem
    TLSCACertificateFile /etc/openldap/cacerts/slapdcert.pem

On the client I have the following in /etc/ldap.conf:

    uri ldaps://10.70.5.67/
    ssl on
    tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
    tls_checkpeer no

On the client, /etc/openldap/ldap.conf:

    URI ldaps://10.70.5.67/
    TLS_CACERT /etc/openldap/cacerts/slapdcert.pem
    TLS_REQCERT demand

These commands work both from the client and from the server:

    openssl s_client -connect servername:636 -showcerts
    ldapsearch -x -H ldaps://servername -b dc=domain,dc=domain -D cn=root,dc=domain,dc=domain -W

So my first question would be: does this guarantee encrypted sessions? Second, if I change tls_checkpeer to yes, then I can't contact the LDAP server. How can I verify my clients?

-Mike
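What tls_checkpeer yes / TLS_REQCERT demand add on top of an already encrypted session is peer verification: the server certificate must chain to the configured CA file, and the host part of the LDAP URI must match the certificate's subjectAltName (or its CN when it has no SAN). The following added example (not code from the original post or from OpenLDAP) reproduces that check in Python so the two failure modes can be told apart; the host, port and CA path it is called with are assumptions.

```python
"""Separate 'chain does not verify' from 'name does not match', the two
reasons a TLS_REQCERT demand client refuses an otherwise working server.
Added example, not from the original post."""
import ipaddress
import socket
import ssl


def cert_names(cert):
    """Return (dns_names, ip_names) from an ssl.getpeercert() dict.
    The subject CN is used only when there is no subjectAltName."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def name_matches(cert, uri_host):
    """True if the host part of the LDAP URI matches the certificate.
    An IP literal in the URI is matched only against IP SAN entries."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(uri_host)
        return any(ipaddress.ip_address(x) == ip for x in ips)
    except ValueError:
        pass  # not an IP literal, compare as a DNS name
    host = uri_host.lower()
    for name in dns:
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def check_ldaps(uri_host, cafile, port=636):
    """Connect as a demanding client would; chain verification is done by
    the ssl module, the name check by name_matches() so it is reported
    separately. Returns 'ok', 'chain-failed' or 'name-mismatch'."""
    ctx = ssl.create_default_context(cafile=cafile)  # assumed CA path
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((uri_host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=uri_host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "chain-failed"
    return "ok" if name_matches(cert, uri_host) else "name-mismatch"
```

A URI of ldaps://10.70.5.67/ therefore needs an IP entry in the certificate's subjectAltName, whereas ldaps://servername needs a DNS entry or CN of servername; a certificate that only satisfies one of the two will pass with tls_checkpeer no and fail with yes.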