On Wed, Oct 07, 2015 at 02:13:38AM +0500, Aneela Saleem wrote:
> I have followed this link to generate self-signed certificates. I have
> successfully performed server side validation.
I assume that means that you have made an SSL or TLS connection to the server
and done an LDAP operation, so this operation should succeed:
ldapwhoami -x -H ldap://my.server.com/ -ZZ
If it does not, you may need to specify the TLS_CACERT location in
/etc/openldap/ldap.conf or temporarily provide the cert location in the
environment:
LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ
Don't start trying to use any other clients until you have the command-line
ones working properly.
> What if I want to access LDAPS:// from another client. I have copied servercrt.pem and serverkey.pem file on
> client machine, also added servercrt.pem file to client trust store. I'm using
NO! Don't ever give clients the secret key.
Assuming you followed http://www.openldap.org/faq/data/cache/185.html fully you
created two certificates: a master CA cert and a server-specific cert. You can
use the CA cert to create as many server certs as you like, and client machines
only need a copy of the CA cert to verify trust.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
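The CA-plus-server-cert layout Andrew describes above, as an added example that is not part of the thread and not code from Andrew or the OpenLDAP project. It assumes a working `openssl` binary; the host name my.server.com and the file names servercrt.pem/serverkey.pem are taken from the thread, while the CA name, the `TLS_REQCERT demand` line and the directory layout are illustrative choices. The script builds the CA, signs one server certificate with it, copies only ca.crt to the client side, and then checks with `openssl verify` that the client's trust store (the CA cert alone) validates the server cert while an unrelated CA does not, and that no private key ends up on the client.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes: openssl on PATH. Names below are illustrative.
set -eu

# Build a CA and one CA-signed server certificate under $1.
# Server material stays in $1/server; the client gets only $1/ca.crt.
make_pki() {
    dir="$1"
    mkdir -p "$dir/server" "$dir/client"

    # 1. CA key and self-signed CA certificate (the trust anchor).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and CSR. The key is generated here and never copied out.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=my.server.com" \
        -keyout "$dir/server/serverkey.pem" \
        -out "$dir/server/server.csr" 2>/dev/null

    # 3. Sign the CSR with the CA. A subjectAltName is added because modern
    #    TLS clients match the host name against the SAN, not the CN.
    printf 'subjectAltName=DNS:my.server.com\n' > "$dir/server/san.cnf"
    openssl x509 -req -days 30 -in "$dir/server/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server/san.cnf" \
        -out "$dir/server/servercrt.pem" 2>/dev/null

    # 4. The client side receives the CA certificate only, plus an ldap.conf
    #    that points TLS_CACERT at it (TLS_REQCERT demand is an assumption:
    #    it makes the client refuse servers it cannot verify).
    cp "$dir/ca.crt" "$dir/client/ca.crt"
    printf 'TLS_CACERT %s/client/ca.crt\nTLS_REQCERT demand\n' "$dir" \
        > "$dir/client/ldap.conf"

    # 5. An unrelated CA, used only to show that trust is specific to ca.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Some Other CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
}

# Does a client trust store ($1, a CA cert) validate a server cert ($2)?
# Prints yes/no and returns 0/1; this is the check ldapwhoami -ZZ performs
# implicitly when TLS_CACERT is set.
client_verify() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Does any file in directory $1 hold a private key? The client dir must not.
has_private_key() {
    grep -lq 'PRIVATE KEY' "$1"/* 2>/dev/null
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
make_pki "$demo_dir"
printf 'client CA validates server cert: '
client_verify "$demo_dir/client/ca.crt" "$demo_dir/server/servercrt.pem" || true
printf 'unrelated CA validates server cert: '
client_verify "$demo_dir/other-ca.crt" "$demo_dir/server/servercrt.pem" || true
if has_private_key "$demo_dir/client"; then
    echo "ERROR: a private key leaked into the client directory"
else
    echo "client directory holds no private key"
fi
```

With the generated files in place, the client-side check from the message above becomes `LDAPTLS_CACERT=$demo_dir/client/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ` (or the same path in ldap.conf); serverkey.pem stays in the server directory and is configured only in slapd.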