On Tue, Mar 13, 2012 at 11:30 AM, Rich Megginson <[email protected]> wrote:
> On 03/13/2012 12:03 PM, Peter Wood wrote:
>
> On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <[email protected]> wrote:
>
>> --On Monday, March 12, 2012 6:52 PM -0700 Peter Wood <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I set up openldap-2.4.23 server
>>
>> Why? I'd suggest you start with the current release, 2.4.30. You may
>> also want to look at <http://www.openldap.org/its/index.cgi/?findid=7197>
>
> That's the openldap version in centos6.2 repo. In production I try to
> stick with stock versions.
>
> Also I tried all variations of olcTLSVerifyClient: [demand|hard|true]
> with the same result.
>
> I don't think StartTLS is enabled. I'm wondering if just setting
> olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile
> is enough to get StartTLS enabled.
>
> Yes, it is.
>
> It's very frustrating. I'd hate to go to ldaps just because I can't get
> StartTLS working.
>
> Is there anything else I have to set on the server to get StartTLS
> working?
>
> Can you provide the exact command line you are using to test the server
> connection? Note that if the client is using regular LDAP and not LDAPS
> nor LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.

This is exactly what I'm seeing. I misunderstood the documentation. I thought that when olcTLSVerifyClient is set to demand then a valid certificate is required and the connection will drop if one is not provided.

> If you are trying to make the client always use SASL/EXTERNAL auth with a
> valid client cert, you must first force the server to reject any
> non-TLS/SSL connection using the sasl-secprops minssf setting.

Yes. I'd like the server to reject any non-TLS/SSL connections. I'll look into the settings you mentioned.

As I was typing this I received a few more answers. Thank you very much.
Last question: If the FQN of the client is server1.mydomain.com and the commonName in the certificate is server1.mydomain.com, but in openldap the DSE is "dc=hr,dc=mydomain,dc=com", will that work, or does the DSE have to match the domain name, i.e. "dc=mydomain,dc=com"?

Thank you,
Peter
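The settings discussed in the thread, collected into one cn=config LDIF as an added example (not code from the thread or from the OpenLDAP project). The certificate paths and the SSF value 128 are assumptions; the point it shows is that olcTLSVerifyClient only acts on sessions that have negotiated TLS, so rejecting plain ldap:// needs a separate security requirement.

```ldif
# Added example: slapd 2.4 cn=config changes for StartTLS + client certs.
# Certificate paths and the value 128 are assumptions; adjust for your site.
dn: cn=config
changetype: modify
# 1. These three attributes are all that is needed for StartTLS to be
#    offered on the existing ldap:// listener.
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server1.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server1.key
-
# 2. Require a valid client certificate, but only during the TLS handshake.
#    A client that never issues StartTLS is not touched by this attribute,
#    which is the behaviour observed in the thread.
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
# 3. Refuse every operation on a connection whose security strength factor
#    is below 128, i.e. plain ldap:// with no StartTLS. The StartTLS
#    extended operation itself is still allowed, so clients can upgrade.
#    Caveat: ldapi:// sessions are rated by olcLocalSSF (default 71), so
#    this also blocks cn=config access over ldapi unless olcLocalSSF is raised.
replace: olcSecurity
olcSecurity: ssf=128
-
# 4. cn=config form of the sasl-secprops minssf directive mentioned above,
#    applying the same minimum to SASL binds such as SASL/EXTERNAL.
replace: olcSaslSecProps
olcSaslSecProps: minssf=128
-
```

Apply with ldapmodify over ldapi:// before raising olcSecurity, then confirm that `ldapsearch -ZZ` succeeds while the same search without `-ZZ` is refused with a "confidentiality required" error.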
