Hello,
Sorry if this topic was already created before but I didn’t find the answer on the website.
I would like to activate LDAP with TLS.
I’m not comfortable with this, could you explain to me how to do this, please?
Thank you
Hi,
You have to take the CA root public key (and if the certificate also has an intermediate certificate, both have to be aggregated into the same public key file).
Put it in /etc/ssl/certs.
Fill in /etc/openldap/ldap.conf to configure the TLS requirements: on my platform I’ve set TLS_REQCERT to never, but soon I will configure it to match the TLS_CACERT.
Then configure LDAP on the web interface to bind to the LDAP directory. Don’t forget to bind to the LDAP using an account without rights: a simple user is enough,
and tick the TLS box on your LDAP source!
Hello,
What do you mean by “But soon I will config to match the TLS_CACERT”?
It’s the part I’m looking for, please :-)
I have the following in ldap.conf: TLS_CACERTDIR /etc/openldap/certs
Do I just have to put the CA root in /etc/ssl/certs and add this to ldap.conf?
TLS_REQCERT demand
Thank you
Hi,
I’ve been experiencing some trouble when I try to check the certificate public key.
I think you’re doing the same as I tried: I mean pushing a folder as trusted CA instead of declaring the public key of the CA authority that issued the certificate.
Try changing TLS_CACERTDIR to TLS_CACERT: as I wrote in my previous message, take care about the complete chain of the CA. If you have an intermediate CA, begin with this public key and add the root public key.
Both criteria can’t work together, so comment out the line where you have TLS_CACERTDIR.
If needed, refer to the OpenLDAP client configuration (section 16.2.2):
https://www.openldap.org/doc/admin24/tls.html
Good luck!
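The procedure from the two answers above (concatenate the intermediate and root CA certificates with the intermediate first, point TLS_CACERT at the bundle, set TLS_REQCERT to demand, and comment out TLS_CACERTDIR), written out as a small POSIX shell script. This is an added example, not code from the thread or from OpenLDAP; the file paths and the ldap.example.com host used below are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: build the CA bundle the answer
# above describes (intermediate CA first, root CA last), write the matching
# TLS directives for /etc/openldap/ldap.conf, and check an existing ldap.conf.
# All paths are assumptions for illustration; adjust them to your platform.
set -e

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_bundle INTERMEDIATE ROOT OUT: concatenate the intermediate and root CA
# certificates, intermediate first, into a single PEM bundle. Each input must
# end with a newline, as PEM files delivered by a CA normally do. Only CA
# certificates belong here, never the LDAP server's own certificate.
make_bundle() {
    inter="$1"; root="$2"; out="$3"
    cat "$inter" "$root" > "$out"
    chmod 0644 "$out"
    # Sanity check: every certificate from both inputs must be in the bundle.
    expected=$(( $(count_certs "$inter") + $(count_certs "$root") ))
    if [ "$(count_certs "$out")" -ne "$expected" ]; then
        echo "bundle $out is missing certificates" >&2
        return 1
    fi
}

# write_ldap_conf BUNDLE OUT: emit the TLS section of ldap.conf. TLS_CACERT
# points at the bundle, TLS_REQCERT demand enforces verification of the
# server certificate, and TLS_CACERTDIR stays commented out as the answer
# above recommends. The weak setting (never) is kept only as a comment.
write_ldap_conf() {
    bundle="$1"; out="$2"
    cat > "$out" <<EOF
# TLS settings for the OpenLDAP client library
# TLS_REQCERT never    <- server certificate is not verified; do not use
TLS_REQCERT demand
TLS_CACERT $bundle
# TLS_CACERTDIR /etc/openldap/certs
EOF
}

# check_ldap_conf FILE: succeed only if verification is 'demand' and exactly
# one of TLS_CACERT / TLS_CACERTDIR is active (not commented out).
check_ldap_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+demand' "$conf" || return 1
    active=$(grep -Ec '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$conf" || true)
    [ "$active" -eq 1 ]
}
```

Typical use is `make_bundle intermediate.pem root.pem /etc/ssl/certs/ca-chain.pem` followed by `write_ldap_conf /etc/ssl/certs/ca-chain.pem /etc/openldap/ldap.conf`. Before switching the web interface to TLS, verify the chain from the client host: `openssl s_client -connect ldap.example.com:636 -CAfile /etc/ssl/certs/ca-chain.pem` should end with `Verify return code: 0 (ok)`, and `ldapsearch -x -ZZ -H ldap://ldap.example.com -b '' -s base` must succeed, since `-ZZ` makes ldapsearch fail instead of falling back to plaintext when StartTLS or certificate verification fails.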