> >>My thinking is that this somehow has something to do with the TLS_CACERT >>in /etc/openldap/ldap.conf (the certificate for the client). >> >> > In general most folk don't need client certs, but AFAIK the openldap > ldapsearch > _requires_ that you present a client cert. by default, yes. That's what we call a "safe" default. If you specify "TLS_REQCERT never", as documented in ldap.conf(5), that does the trick. > >>Would this be the issue? >> >> > Probably yes. Shouldn't you be using a user-specific ldap.conf for your > client-side config ? > >>Is there a better method for creating the client certificate from either >>the CA certificate (generated by openssl) or from the FDS Server >>Certificate (also generated by openssl)? >> >> > Provided the client cert was signed by the same CA as the server cert, > you should be ok. The client cert has no relationship per se with the > server cert. If the client's CA is not the same as the server's CA, you need the server to know about the CA's cert, and let it know it's trusted. I don't know the details for FDS, though. Note that if the client is to verify the srrver's CA, the same issue with reversed players arises. p. -- Pierangelo Masarati mailto:pierangelo.masarati at sys-net.it Ing. Pierangelo Masarati Responsabile Open Solution SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati at sys-net.it ------------------------------------------
