"Dan O'Reilly" <[EMAIL PROTECTED]> writes:

> At 01:48 PM 9/21/2006, Kurt D. Zeilenga wrote:
>> At 12:00 PM 9/21/2006, Dan O'Reilly wrote:
>>> I'm trying to get an OpenLDAP client to use TLS to talk to a
>>> (non-OpenLDAP) LDAP server. This LDAP server is properly configured
>>> for TLS (as verified by other (non-OpenLDAP) LDAP clients).
>>
>> Verify the server is configured properly for LDAP over TLS (ldaps://)
>> using the OpenSSL s_client program (with certificate verification
>> enabled).
>
> Well, I guess the specific question I would have here is "what
> certificates/keys/etc. are even required for this?". When setting up
> the LDAP server I was told by the people who supply it that I would
> need only a trusted root certificate from the LDAP server to do
> authentication, but I was also told by another person at that company
> that I would need more than just that one certificate. What
> specifically would LDAP need? I suspect my problem isn't really so
> much one of a misconfigured server so much as not having all the
> necessary certs and/or keys available, that sort of thing.
That depends on what you intend to do. You have three choices:

- mere transport encryption
- trust relation client --> server
- mutual trust relation client <--> server

In most cases you will opt for integrity checks of the client. For this you have to either create or apply for a certificate authority (CA), create a server certificate and sign this with your CA. The client has to have knowledge of and access to the CA, while the server has to present the server certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
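The second choice above (client trusts the server) in working form, as an added example that is not part of the thread and not code from any of its participants: a private CA is created, a server certificate is signed with it, the client-side trust check is run against the right CA and against an unrelated one, and the matching OpenLDAP `ldap.conf` lines are printed. It assumes `openssl` is on the PATH; the host name `ldap.example.test`, the CA names and the `$WORK` directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes openssl in PATH.
# ldap.example.test and the CA subject names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LDAP_HOST="ldap.example.test"   # placeholder, not a real server

# 1. The CA: a self-signed certificate whose private key signs server certs.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The server certificate: key + CSR, then signed by the CA with a SAN
#    matching the host name the client will connect to.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$LDAP_HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$LDAP_HOST" \
        > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 825 \
        -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# 3. What the client needs: only ca.crt. Returns 0 if server.crt chains to it.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Negative check: a certificate signed by some other CA must be rejected,
# which is what TLS_REQCERT demand buys you on the OpenLDAP client side.
verify_against_wrong_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
    openssl verify -CAfile "$WORK/other.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Client configuration that corresponds to the files above.
# (Kurt's suggested live check, once the server is up, would be:
#   openssl s_client -connect ldap.example.test:636 -CAfile ca.crt -verify_return_error)
client_config() {
    cat <<EOF
# /etc/openldap/ldap.conf (or ~/.ldaprc) on the OpenLDAP client
TLS_CACERT  $WORK/ca.crt
TLS_REQCERT demand
EOF
}

# Run the whole flow once.
make_ca
make_server_cert
if verify_chain; then echo "server.crt chains to ca.crt: OK"; fi
if verify_against_wrong_ca; then
    echo "unexpected: server.crt verified against an unrelated CA"
else
    echo "unrelated CA rejected, as expected"
fi
client_config
```

The server gets `server.key` and `server.crt`; the client needs nothing but `ca.crt`, which is the "one trusted root certificate" answer. A client certificate only enters the picture for the third choice (mutual trust), where the server would in turn need a CA it trusts for client certificates.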
