fedora-directory-users-request@redhat.com wrote:> Date: Fri, 09 Dec 2005 12:31:01 -0700 > From: David Boreham <david_list@boreham.org> > > >> My thinking is that this somehow has something to do with the TLS_CACERT >> in /etc/openldap/ldap.conf (the certificate for the client). >> >> >> > In general most folk don''t need client certs, but AFAIK the openldap > ldapsearch _requires_ that you present a client cert. >Wrong. Client certs are only needed if you want to do certificate-based client authentication, and the default settings do not require them. Of course, the TLS_CACERT directive, as the name suggests, is for setting the path to the CA cert, and by default it *is* required. I think your terminology is imprecise here, so that may be confusing the issue.>> Would this be the issue? >> >> >> > Probably yes. Shouldn''t you be using a user-specific ldap.conf for your > client-side config ? > > >> Is there a better method for creating the client certificate from either >> the CA certificate (generated by openssl) or from the FDS Server >> Certificate (also generated by openssl)? >> >> >> > Provided the client cert was signed by the same CA as the server cert, > you should be ok. The client cert has no relationship per se with the > server cert. >Again, the poster was referring to the CA cert on the client, not a "client cert," so dragging that into the discussion is only muddying things. Note that the original poster used TLS_CACERT and TLS_CACERTDIR and the OpenLDAP docs specifically state to use only one or the other, and in general, not to use TLS_CACERTDIR at all. This is the real error; TLS_CACERT must be a fully qualified path to a certificate file. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
Howard Chu wrote:>>> My thinking is that this somehow has something to do with the >>> TLS_CACERT >>> in /etc/openldap/ldap.conf (the certificate for the client). >>> >>> >>> >> >> In general most folk don''t need client certs, but AFAIK the openldap >> ldapsearch _requires_ that you present a client cert. >> > > > Wrong. Client certs are only needed if you want to do > certificate-based client authentication, and the default settings do > not require them.That''s good to know. I remember spending a few days trying to persuade OL to do a non-cert-based-auth connection and ultimately failing, but I''m pleased to hear that it can.> Of course, the TLS_CACERT directive, as the name suggests, is for > setting the path to the CA cert, and by default it *is* required. I > think your terminology is imprecise here, so that may be confusing the > issue.Yes, I was reading the OP''s description: ''certificate for the client'', and not the config directive name which as you point out was actually for the CA cert.
On Fri, 2005-12-09 at 21:19 -0800, Howard Chu wrote:> fedora-directory-users-request@redhat.com wrote: > > Date: Fri, 09 Dec 2005 12:31:01 -0700 > > From: David Boreham <david_list@boreham.org> > > > > > >> My thinking is that this somehow has something to do with the TLS_CACERT > >> in /etc/openldap/ldap.conf (the certificate for the client). > >> > >> > >> > > In general most folk don''t need client certs, but AFAIK the openldap > > ldapsearch _requires_ that you present a client cert. > > > > > Wrong. Client certs are only needed if you want to do certificate-based > client authentication, and the default settings do not require them. Of > course, the TLS_CACERT directive, as the name suggests, is for setting > the path to the CA cert, and by default it *is* required. I think your > terminology is imprecise here, so that may be confusing the issue.---- indeed - awesome clarification - thanks ----> > >> Would this be the issue? > >> > >> > >> > > Probably yes. Shouldn''t you be using a user-specific ldap.conf for your > > client-side config ? > > > > > >> Is there a better method for creating the client certificate from either > >> the CA certificate (generated by openssl) or from the FDS Server > >> Certificate (also generated by openssl)? > >> > >> > >> > > Provided the client cert was signed by the same CA as the server cert, > > you should be ok. The client cert has no relationship per se with the > > server cert. > > > > Again, the poster was referring to the CA cert on the client, not a > "client cert," so dragging that into the discussion is only muddying things. > > Note that the original poster used TLS_CACERT and TLS_CACERTDIR and the > OpenLDAP docs specifically state to use only one or the other, and in > general, not to use TLS_CACERTDIR at all. This is the real error; > TLS_CACERT must be a fully qualified path to a certificate file.---- the original poster was completely confused by this and has now learned much from the clarification provided. Thanks Howard Craig