fedora-directory-users-request at redhat.com wrote: > Date: Fri, 09 Dec 2005 12:31:01 -0700 > From: David Boreham <david_list at boreham.org> > > >> My thinking is that this somehow has something to do with the TLS_CACERT >> in /etc/openldap/ldap.conf (the certificate for the client). >> >> >> > In general most folk don't need client certs, but AFAIK the openldap > ldapsearch _requires_ that you present a client cert. > Wrong. Client certs are only needed if you want to do certificate-based client authentication, and the default settings do not require them. Of course, the TLS_CACERT directive, as the name suggests, is for setting the path to the CA cert, and by default it *is* required. I think your terminology is imprecise here, so that may be confusing the issue. >> Would this be the issue? >> >> >> > Probably yes. Shouldn't you be using a user-specific ldap.conf for your > client-side config ? > > >> Is there a better method for creating the client certificate from either >> the CA certificate (generated by openssl) or from the FDS Server >> Certificate (also generated by openssl)? >> >> >> > Provided the client cert was signed by the same CA as the server cert, > you should be ok. The client cert has no relationship per se with the > server cert. > Again, the poster was referring to the CA cert on the client, not a "client cert," so dragging that into the discussion is only muddying things. Note that the original poster used TLS_CACERT and TLS_CACERTDIR and the OpenLDAP docs specifically state to use only one or the other, and in general, not to use TLS_CACERTDIR at all. This is the real error; TLS_CACERT must be a fully qualified path to a certificate file. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
