On 03/13/2012 12:03 PM, Peter Wood wrote:
> On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount
> <[email protected]> wrote:
>> --On Monday, March 12, 2012 6:52 PM -0700 Peter Wood
>> <[email protected]> wrote:
>>> Hi,
>>> I set up openldap-2.4.23 server
>>
>> Why? I'd suggest you start with the current release, 2.4.30. You
>> may also want to look at
>> <http://www.openldap.org/its/index.cgi/?findid=7197>
>
> That's the openldap version in the CentOS 6.2 repo. In production I try to
> stick with stock versions.
>
> Also I tried all variations of olcTLSVerifyClient: [demand|hard|true]
> with the same result.
>
> I don't think StartTLS is enabled. I'm wondering if just setting
> olcTLSCACertificateFile, olcTLSCertificateFile and
> olcTLSCertificateKeyFile is enough to get StartTLS enabled.

Yes, it is.

> It's very frustrating. I'd hate to go to ldaps just because I can't
> get StartTLS working.
>
> Is there anything else I have to set on the server to get StartTLS
> working?

Can you provide the exact command line you are using to test the server
connection? Note that if the client is using regular LDAP and not LDAPS
nor LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.
If you are trying to make the client always use SASL/EXTERNAL auth with
a valid client cert, you must first force the server to reject any
non-TLS/SSL connection using the sasl-secprops minssf setting.

> Thanks
> Peter
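
The gap described in the reply above can be checked against a dump of the cn=config entry. The following is an added example, not part of the original thread or of OpenLDAP: the function names, sample entries and file paths are constructed, and it assumes olcSaslSecProps is where the cn=config backend stores the sasl-secprops setting.

```python
# Added example: audit a cn=config LDIF entry; sample data below is constructed.
TLS_ATTRS = ("olctlscacertificatefile", "olctlscertificatefile",
             "olctlscertificatekeyfile")

def parse_entry(ldif):
    """One LDIF entry -> {lowercased attr: [values]}; unfolds continuation lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # a leading space continues the previous line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def min_ssf(entry):
    """minssf from olcSaslSecProps, or 0 when unset."""
    for props in entry.get("olcsaslsecprops", []):
        for prop in props.split(","):
            key, _, val = prop.strip().partition("=")
            if key.lower() == "minssf" and val.isdigit():
                return int(val)
    return 0

def audit(ldif):
    entry = parse_entry(ldif)
    findings = []
    if not all(entry.get(a) for a in TLS_ATTRS):
        findings.append("TLS material incomplete: CA, certificate and key not all set")
    verify = (entry.get("olctlsverifyclient") or ["never"])[0].lower()
    if verify in ("demand", "hard", "true") and min_ssf(entry) == 0:
        findings.append("olcTLSVerifyClient applies only to TLS sessions; "
                        "without minssf a plain LDAP client never reaches it")
    return findings

WEAK = """\
dn: cn=config
olcTLSCACertificateFile: /etc/example/ca.pem
olcTLSCertificateFile: /etc/example/server.pem
olcTLSCertificateKeyFile: /etc/example/
 server.key
olcTLSVerifyClient: demand
"""
HARDENED = WEAK + "olcSaslSecProps: noanonymous,minssf=128\n"
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```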