On Fri, 2005-12-09 at 21:19 -0800, Howard Chu wrote: > fedora-directory-users-request at redhat.com wrote: > > Date: Fri, 09 Dec 2005 12:31:01 -0700 > > From: David Boreham <david_list at boreham.org> > > > > > >> My thinking is that this somehow has something to do with the TLS_CACERT > >> in /etc/openldap/ldap.conf (the certificate for the client). > >> > >> > >> > > In general most folk don't need client certs, but AFAIK the openldap > > ldapsearch _requires_ that you present a client cert. > > > > > Wrong. Client certs are only needed if you want to do certificate-based > client authentication, and the default settings do not require them. Of > course, the TLS_CACERT directive, as the name suggests, is for setting > the path to the CA cert, and by default it *is* required. I think your > terminology is imprecise here, so that may be confusing the issue. ---- indeed - awesome clarification - thanks ---- > > >> Would this be the issue? > >> > >> > >> > > Probably yes. Shouldn't you be using a user-specific ldap.conf for your > > client-side config ? > > > > > >> Is there a better method for creating the client certificate from either > >> the CA certificate (generated by openssl) or from the FDS Server > >> Certificate (also generated by openssl)? > >> > >> > >> > > Provided the client cert was signed by the same CA as the server cert, > > you should be ok. The client cert has no relationship per se with the > > server cert. > > > > Again, the poster was referring to the CA cert on the client, not a > "client cert," so dragging that into the discussion is only muddying things. > > Note that the original poster used TLS_CACERT and TLS_CACERTDIR and the > OpenLDAP docs specifically state to use only one or the other, and in > general, not to use TLS_CACERTDIR at all. This is the real error; > TLS_CACERT must be a fully qualified path to a certificate file. ---- the original poster was completely confused by this and has now learned much from the clarification provided. Thanks Howard Craig
