Date: Fri, 09 Dec 2005 12:31:01 -0700
From: David Boreham <david_list(a)boreham.org>
> > My thinking is that this somehow has something to do with the TLS_CACERT
> > in /etc/openldap/ldap.conf (the certificate for the client).
> In general most folk don't need client certs, but AFAIK the openldap
> ldapsearch _requires_ that you present a client cert.
Wrong. Client certs are only needed if you want to do certificate-based
client authentication, and the default settings do not require them. Of
course, the TLS_CACERT directive, as the name suggests, is for setting
the path to the CA cert, and by default it *is* required. I think your
terminology is imprecise here, so that may be confusing the issue.
> > Would this be the issue?
> Probably yes. Shouldn't you be using a user-specific ldap.conf for your
> client-side config?
> > Is there a better method for creating the client certificate from either
> > the CA certificate (generated by openssl) or from the FDS Server
> > Certificate (also generated by openssl)?
> Provided the client cert was signed by the same CA as the server cert,
> you should be ok. The client cert has no relationship per se with the
Again, the poster was referring to the CA cert on the client, not a
"client cert," so dragging that into the discussion is only muddying things.
Note that the original poster used TLS_CACERT and TLS_CACERTDIR and the
OpenLDAP docs specifically state to use only one or the other, and in
general, not to use TLS_CACERTDIR at all. This is the real error;
TLS_CACERT must be a fully qualified path to a certificate file.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
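As an added example (not part of the thread, and not OpenLDAP's own tooling), here is a small POSIX shell check that catches the two client-side mistakes Howard points at: TLS_CACERT and TLS_CACERTDIR set at the same time, and a TLS_CACERT value that is not a fully qualified path to an existing file. The sample ldap.conf files and the "certificate" they point at are constructed in a temporary directory for the demonstration; the check only verifies that the file exists, it does not parse or validate the certificate.

```shell
#!/bin/sh
# Added example: sanity-check the CA settings in an OpenLDAP client ldap.conf.
#
# Exit status of check_ldap_tls_conf:
#   0  configuration looks sane
#   1  TLS_CACERT and TLS_CACERTDIR are both set (use only one)
#   2  TLS_CACERT is not a fully qualified (absolute) path
#   3  TLS_CACERT points at a file that does not exist
#   4  neither directive is set, so the server cert cannot be verified

# Print the value of one directive from an ldap.conf-style file.
# Directive names are case-insensitive; comment lines are skipped.
ldap_conf_get() {
    # $1 = config file, $2 = directive name in upper case
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        toupper($1) == key { print $2; exit }
    ' "$1"
}

check_ldap_tls_conf() {
    conf="$1"
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)

    if [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "$conf: TLS_CACERT and TLS_CACERTDIR are both set; keep only TLS_CACERT" >&2
        return 1
    fi
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "$conf: no CA certificate configured; TLS_CACERT is required" >&2
        return 4
    fi
    if [ -n "$cacert" ]; then
        case "$cacert" in
            /*) ;;
            *)  echo "$conf: TLS_CACERT must be a fully qualified path, got '$cacert'" >&2
                return 2 ;;
        esac
        if [ ! -f "$cacert" ]; then
            echo "$conf: TLS_CACERT file '$cacert' does not exist" >&2
            return 3
        fi
    else
        # Only TLS_CACERTDIR: accepted, but the OpenLDAP docs advise against it.
        echo "$conf: warning: only TLS_CACERTDIR is set; TLS_CACERT is preferred" >&2
    fi
    echo "$conf: ok"
    return 0
}

# --- constructed sample configs (placeholder files, not real certificates) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'placeholder, not a real certificate\n' > "$demo_dir/cacert.pem"

# Mirrors the original poster's setup: both directives present.
printf 'TLS_CACERT %s/cacert.pem\nTLS_CACERTDIR /etc/openldap/cacerts\n' \
    "$demo_dir" > "$demo_dir/both.conf"
# Relative path instead of a fully qualified one.
printf 'TLS_CACERT cacert.pem\n' > "$demo_dir/relative.conf"
# Absolute path, but the file is not there.
printf 'TLS_CACERT %s/missing.pem\n' "$demo_dir" > "$demo_dir/missing.conf"
# Corrected form: exactly one directive, absolute path to an existing file.
printf '# OpenLDAP client config\nTLS_CACERT %s/cacert.pem\n' \
    "$demo_dir" > "$demo_dir/good.conf"

for f in both relative missing good; do
    check_ldap_tls_conf "$demo_dir/$f.conf" || echo "  -> exit status $?"
done
```

Run it as-is to see each constructed case reported, or call `check_ldap_tls_conf /path/to/ldap.conf` from your own shell; a per-user `~/.ldaprc` or `LDAPCONF` file, as David suggests, can be checked the same way.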