On Fri, 2005-12-09 at 21:19 -0800, Howard Chu wrote:
fedora-directory-users-request(a)redhat.com wrote:
> Date: Fri, 09 Dec 2005 12:31:01 -0700
> From: David Boreham <david_list(a)boreham.org>
>
>
>> My thinking is that this somehow has something to do with the TLS_CACERT
>> in /etc/openldap/ldap.conf (the certificate for the client).
>>
>>
>>
> In general most folk don't need client certs, but AFAIK the openldap
> ldapsearch _requires_ that you present a client cert.
>
Wrong. Client certs are only needed if you want to do certificate-based
client authentication, and the default settings do not require them. Of
course, the TLS_CACERT directive, as the name suggests, is for setting
the path to the CA cert, and by default it *is* required. I think your
terminology is imprecise here, so that may be confusing the issue.
----
indeed - awesome clarification - thanks
----
>> Would this be the issue?
>>
>>
>>
> Probably yes. Shouldn't you be using a user-specific ldap.conf for your
> client-side config ?
>
>
>> Is there a better method for creating the client certificate from either
>> the CA certificate (generated by openssl) or from the FDS Server
>> Certificate (also generated by openssl)?
>>
>>
>>
> Provided the client cert was signed by the same CA as the server cert,
> you should be ok. The client cert has no relationship per se with the
> server cert.
>
Again, the poster was referring to the CA cert on the client, not a
"client cert," so dragging that into the discussion is only muddying things.
Note that the original poster used TLS_CACERT and TLS_CACERTDIR and the
OpenLDAP docs specifically state to use only one or the other, and in
general, not to use TLS_CACERTDIR at all. This is the real error;
TLS_CACERT must be a fully qualified path to a certificate file.
----
the original poster was completely confused by this and has now learned
much from the clarification provided.
Thanks Howard
Craig