On Sun, 2010-02-21 at 23:23 -0700, Craig White wrote: > Note that ldap 'client' applications like ldapsearch > use /etc/openldap/ldap.conf so I would suspect that the 'certificates' > used by the 2 machines are different. I thought I would follow up on this problem. I did finally get the ldapsearch to function properly on the remote machine. However, I am puzzled as to what I had to do to get it to work. I originally never setup a certificate for the client as I did not think they were needed. In my /etc/openldap/slapd.conf file I had to set up the LDAP server with the following: TLSVerifyClient never I had the initial setup with TLSVerifyClient allow According to man slapd.conf: TLSVerifyClient <level> Specifies what checks to perform on client certificates in an incoming TLS session, if any. The <level> can be specified as one of the following keywords: never This is the default. slapd will not ask the client for a certificate. allow The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally. try The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated. demand | hard | true These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. Note that a valid client certificate is required in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default TLSVerifyClient setting must be chosen to enable SASL EXTERNAL authentication. Note that according to the documentation the original setup should have worked properly. Why doesn't "allow" work? -- Paul (ganci@xxxxxxxxxx) _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos