At 11:42 AM 9/22/2006, Dan O'Reilly wrote:
>That indicates that client certificates are optional, only required to
>validate using SASL (which I'm not trying to do), so I don't think I need one
>(is that correct?). Additionally, am I correct in my interpretation that I
>need both a trusted root certificate from the CA plus a server certificate?
You need to configure the client with sufficient information so that it can 'verify' the server certificate, namely the CA certificate which signed the server certificate.

12.2.2.1. TLS_CACERT <filename>

This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.

12.2.1.1. TLSCACertificateFile <filename>

This directive specifies the PEM-format file containing certificates for the CAs that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CAs from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.
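The point about the CA file above (every CA from the signing CA up to the root must be in it) can be checked offline. The following is an added example, not OpenLDAP code or anything from the thread: it uses Go's crypto/x509 to construct a throwaway root CA, an issuing CA and a server certificate, then verifies the server certificate against a bundle holding only the root and against one holding the appended CA sequence, the way a file named by TLS_CACERT / TLSCACertificateFile is consumed. All names ("Example Root CA", "ldap.example.com") are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // leaf: server certificate carrying the LDAP host name the client checks
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// VerifyWithBundle trusts every certificate in bundle (as the TLS_CACERT / TLSCACertificateFile file is used) and checks that server chains to one of them.
func VerifyWithBundle(bundle []byte, server *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle) // an empty or malformed bundle simply leaves the pool empty
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// Demo builds root CA -> issuing CA -> server cert and verifies the server cert against a root-only bundle and against the whole CA sequence.
func Demo() (rootOnlyErr, fullChainErr error) {
	rootPEM, root, rootKey := mkCert("Example Root CA", true, nil, nil)
	interPEM, inter, interKey := mkCert("Example Issuing CA", true, root, rootKey)
	_, server, _ := mkCert("ldap.example.com", false, inter, interKey)
	full := append(append([]byte{}, interPEM...), rootPEM...) // certificates appended; order is not significant
	return VerifyWithBundle(rootPEM, server, "ldap.example.com"), VerifyWithBundle(full, server, "ldap.example.com")
}
```

With only the root in the bundle the server certificate fails to verify (its issuer, the intermediate CA, is unknown); once the intermediate is appended the chain is complete and verification succeeds.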
