[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: olcTLSVerifyClient: demand not taking effect

Peter Wood wrote:



On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah@zimbra.com
<mailto:quanah@zimbra.com>> wrote:

    --On Monday, March 12, 2012 6:52 PM -0700 Peter Wood
    <peterwood.sd@gmail.com <mailto:peterwood.sd@gmail.com>> wrote:

        Hi,


        I setup openldap-2.4.23 server


    Why?  I'd suggest you start with the current release, 2.4.30.  You may
    also want to look at <http://www.openldap.org/its/__index.cgi/?findid=7197
    <http://www.openldap.org/its/index.cgi/?findid=7197>>


That's the openldap version in centos6.2 repo. In production I try to stick
with stock versions.

Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the
same result.

I don't think StartTLS is enabled. I'm wondering if just setting
olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is
enough to get StartTLS enabled.

It's very frustrating. I'd hate to go to ldaps just because I can't get
StartTLS working.

Is there anything else I have to set on the server to get StartTLS working?
No. StartTLS is an LDAP Request, the client has to ask for it. There is nothing a server can do to initiate it.
The TLSVerifyClient setting only affects sessions where the client has already initiated TLS. To force connections to require TLS, look at the olcRequires and olcSecurity settings in slapd-config(5). 

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/