So your problem is that you have signed your server cert with a CA from a CA chain and your clients with another CA, and you don't want clients to connect that are not signed by your client CA? This sounds more like a case for ACLs and matching rules, since AFAIK you cannot tell ldap to only trust a CA for server cert verification purposes. A CA is trusted or not.

--
Technische Universität Berlin - FGINET
Bernd May
System Administration
An-Institut Deutsche Telekom Laboratories
Sekr. TEL 16
Ernst-Reuter-Platz 7
10587 BERLIN
GERMANY
Mobile: 0160/90257737
E-Mail: bernd@net.t-labs.tu-berlin.de (T-Labs work)
WWW: net.t-labs.tu-berlin.de