>My thinking is that this somehow has something to do with the TLS_CACERT
>in /etc/openldap/ldap.conf (the certificate for the client).
>
>In general most folk don't need client certs, but AFAIK the openldap
>ldapsearch _requires_ that you present a client cert.
by default, yes. That's what we call a "safe" default. If you specify
"TLS_REQCERT never", as documented in ldap.conf(5), that does the trick.
>Would this be the issue?
Probably yes. Shouldn't you be using a user-specific ldap.conf for your
client-side config?
>Is there a better method for creating the client certificate from either
>the CA certificate (generated by openssl) or from the FDS Server
>Certificate (also generated by openssl)?
Provided the client cert was signed by the same CA as the server cert,
you should be ok. The client cert has no relationship per se with the
server cert.
If the client's CA is not the same as the server's CA, you need the server
to know about the CA's cert, and let it know it's trusted. I don't know
the details for FDS, though. Note that if the client is to verify the
server's CA, the same issue with reversed players arises.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
Ing. Pierangelo Masarati
Responsabile Open Solution
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------
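As an added example (not part of this thread or of OpenLDAP itself), a small POSIX shell check for the client-side ldap.conf or ~/.ldaprc settings discussed above: it flags "TLS_REQCERT never" (and the other values that let the client accept a server certificate it cannot verify) and a missing TLS_CACERT/TLS_CACERTDIR. The file paths and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Audit an OpenLDAP client config (ldap.conf or ~/.ldaprc) for the TLS
# options from ldap.conf(5).  Prints findings; returns 0 when the server
# certificate will be verified, 1 when verification is skipped or weakened.
audit_ldap_conf() {
    file=$1
    rc=0
    # Last occurrence wins, as in ldap.conf; comment lines never match.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$file" | tail -n 1)
    cacert=$(awk 'toupper($1)=="TLS_CACERT" || toupper($1)=="TLS_CACERTDIR"{print $2}' "$file" | tail -n 1)
    # ldap.conf(5): the default for TLS_REQCERT is "demand".
    case "${reqcert:-demand}" in
        never|allow|try)
            echo "$file: TLS_REQCERT $reqcert does not enforce server certificate verification"
            rc=1 ;;
        demand|hard)
            ;;
        *)
            echo "$file: unrecognised TLS_REQCERT value '$reqcert'"
            rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "$file: no TLS_CACERT or TLS_CACERTDIR, so the server's CA cannot be trusted"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (hypothetical paths) showing the troubleshooting
# setting from the reply beside a verifying configuration.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ldaprc.weak" <<'EOF'
# quick test only: accepts any server certificate
TLS_REQCERT never
EOF
cat > "$demo_dir/ldaprc.ok" <<'EOF'
TLS_CACERT /etc/openldap/cacert.pem
TLS_REQCERT demand
# client certificate, only needed if the server asks for one
TLS_CERT /home/user/ldap-client.pem
TLS_KEY  /home/user/ldap-client.key
EOF
for f in "$demo_dir/ldaprc.weak" "$demo_dir/ldaprc.ok"; do
    audit_ldap_conf "$f" && echo "$f: ok"
done
rm -rf "$demo_dir"
```

Run it against /etc/openldap/ldap.conf and ~/.ldaprc in turn, since the per-user file overrides the system one.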