[email protected] (Emmanuel Dreyfus) writes:

> Hello
>
> I would like to setup a ldaprc so that an application uses:
> - a localhost-based slapd without authentication (just relying on
>   filesystem permission on the slapd socket)
> - if it is not available, a remote slapd, authenticating using client
>   certificate
>
> Here is the desired ldaprc:
>
> BASE dc=example,dc=net
> URI ldapi:/// ldaps://ldap.example.net
> TLS_CACERT /etc/openssl/ca.crt
> TLS_CERT /etc/openssl/host.crt
> TLS_KEY /etc/openssl/host.key
> SASL_MECH EXTERNAL
> TLS_REQCERT demand
>
> Of course it will not work, as the ldapi:/// connection will present a
> certificate. I have the feeling the setup I am looking for cannot be
> configured. Is that right?
No, ldapi:/// doesn't present a certificate, but you may establish a
startTLS session to ldapi:///, in this case the client requests a server
certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
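A check that follows from the exchange above, added here as an example and not part of the original thread: with the ldaprc shown, SASL EXTERNAL means two different things depending on which URI libldap ends up connecting to. Over ldapi:/// the server derives the identity from the Unix peer credentials of the socket (which is why no certificate is involved), and over ldaps:// it derives it from the subject of the certificate in TLS_CERT. Before relying on the fallback order, it is worth asking each transport who it thinks you are. The script below assumes the OpenLDAP client tools (ldapwhoami) are installed and that the ldaprc from the question is in effect; the hostnames are the thread's example values, not real servers, and the DN strings used in the classifier are constructed samples of the two answer shapes slapd gives.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes: ldapwhoami from the OpenLDAP client tools, and the ldaprc from
# the question (URI ldapi:/// ldaps://ldap.example.net, SASL_MECH EXTERNAL,
# TLS_CERT/TLS_KEY) being read from ~/.ldaprc or ./ldaprc.

# Classify the authorization identity that "ldapwhoami" reports.
#   peercred  - ldapi:/// socket, identity built from the process uid/gid
#               (dn:gidNumber=..+uidNumber=..,cn=peercred,cn=external,cn=auth)
#   dn        - a DN such as the client certificate subject presented over
#               ldaps://, possibly rewritten by the server's authz-regexp
#   user      - a u: style SASL user name (not expected with EXTERNAL)
#   anonymous - the bind did not establish any identity
classify_identity() {
    case "$1" in
        dn:*,cn=peercred,cn=external,cn=auth) echo peercred ;;
        dn:*)                                 echo dn ;;
        u:*)                                  echo user ;;
        anonymous|'')                         echo anonymous ;;
        *)                                    echo unknown ;;
    esac
}

# Bind to one URI with SASL EXTERNAL and print: uri, class, raw identity.
# -Q suppresses the SASL banner so only the authzid is captured; a failed
# connection (missing socket, rejected certificate) yields an empty identity.
check_uri() {
    uri=$1
    id=$(ldapwhoami -Q -Y EXTERNAL -H "$uri" 2>/dev/null) || id=''
    printf '%s\t%s\t%s\n' "$uri" "$(classify_identity "$id")" "$id"
}

# Query each transport separately rather than through the combined URI list,
# so the output shows which identity each one would give if it were chosen.
if command -v ldapwhoami >/dev/null 2>&1; then
    for uri in ldapi:/// ldaps://ldap.example.net; do
        check_uri "$uri"
    done
fi
```

If the first line reports peercred and the second reports a dn, the fallback behaves as intended: the local socket authorizes by file permission and process credentials, the remote server by the client certificate. An anonymous result on the ldaps line usually means the certificate was not presented or not accepted by the server, which is the case to investigate before trusting the fallback.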
