On Sun, 2010-02-28 at 10:07 -0700, Paul R. Ganci wrote: > On Sun, 2010-02-21 at 23:23 -0700, Craig White wrote: > > Note that ldap 'client' applications like ldapsearch > > use /etc/openldap/ldap.conf so I would suspect that the 'certificates' > > used by the 2 machines are different. > > I thought I would follow up on this problem. I did finally get the > ldapsearch to function properly on the remote machine. However, I am > puzzled as to what I had to do to get it to work. I originally never > setup a certificate for the client as I did not think they were needed. > In my /etc/openldap/slapd.conf file I had to set up the LDAP server with > the following: > > TLSVerifyClient never > > I had the initial setup with > > TLSVerifyClient allow > > According to man slapd.conf: > > TLSVerifyClient <level> > Specifies what checks to perform on client certificates in an incoming > TLS session, if any. The <level> can be specified as one of the > following keywords: > > never This is the default. slapd will not ask the client for a > certificate. > > allow The client certificate is requested. If no certificate is > provided, the session proceeds normally. If a bad certificate is > provided, it will be ignored and the session proceeds normally. > > try The client certificate is requested. If no certificate is > provided, the session proceeds normally. If a bad certificate is > provided, the session is immediately terminated. > > demand | hard | true > These keywords are all equivalent, for compatibility reasons. > The client certificate is requested. If no certificate is > provided, or a bad certificate is provided, the session is > immediately terminated. > > Note that a valid client certificate is required in order to use > the SASL EXTERNAL authentication mechanism with a TLS session. > As such, a non-default TLSVerifyClient setting must be chosen to > enable SASL EXTERNAL authentication. > > Note that according to the documentation the original setup should have > worked properly. Why doesn't "allow" work? ---- do you mean other than the fact that this simply talks about TLS Client and that SSL is deprecated and generally ignored in the documentation? SSL communication is different than TLS. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos