Stefan Scheidewig wrote: > After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 > URI containing a pinfile attribute) I tried to set those PKCS#11 URIs to the > ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM > encoded file (see function tlsg_ctx_init in tls_g.c) and a connection > initialization fails trying to read the PKCS#11 URI from the local file system. > > So currently there seems to be no way to configure the OpenLDAP client to look > up the pkcs#11 store for the client key as well as the client certificate to > establish a client authenticated TLS connection. If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss (--with-tls=moznss). Never tried that myself though. Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature