Hi all!
The next step is to provide security between client and server.
I have done the openssl preparations according to this tutorial:
http://linsec.ca/bin/view/Main/OpenLDAPAuth#Using_SSL_TLS_with_OpenLDAP
I made the keys, certified them and finally the command:
ldap# openssl x509 -in /etc/ssl/openldap/ldap.cert -text -noout
gives me a reasonable output.
Thus I assume that the openssl-preconditions are ok.
I went on with adding these three lines to the slapd.conf:
TLSCertificateFile /etc/ssl/openldap/ldap.cert
TLSCertificateKeyFile /etc/ssl/openldap/ldap.key
TLSCACertificateFile /etc/ssl/openldap/ca.cert
I set the rights to 0400 and ldap:ldap.
I also put this line in the ldap.conf:
ssl start_tls
Promptly something went wrong as you can see:
Client:
ldap# ldapsearch -v -n -Z -b 'dc=testldap,dc=org'
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Server:
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca /usr/src/crypto/openssl/ssl/s3_pkt.c:1052
connection_read(12): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
The command ldapsearch -x -b 'dc=testldap,dc=org' works. Even from a remote (a real client ;)) machine.
I apologize if this is too off topic. Nevertheless, I hope somebody can push me in the right direction.
Thanks to the list which helped a lot so far!
Cheers,
Oliver.
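The failure shown above ends with the server reading a "fatal: unknown CA" alert, which is the client telling the server it could not chain the presented certificate to a CA it trusts. The same trust check can be run offline with openssl before touching slapd at all. The script below is an added example written for this page, not part of the original post or of OpenLDAP: it builds two throwaway CAs and a server certificate issued by the first one (all names, paths and the ldap.example.test hostname are constructed for the demo), then shows that verification succeeds against the issuing CA file and fails against an unrelated one. The CA file in the successful case plays the role of the file the client's TLS_CACERT setting in ldap.conf must point to.

```shell
#!/bin/sh
# Added example: reproduce and check the "certificate verify failed / unknown CA"
# condition with plain openssl. All names and paths are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME : create a self-signed test CA (key + cert) in DIR
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.cert" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# make_server_cert DIR CANAME HOST : key + CSR for HOST, signed by CANAME
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$1/$3.key" -out "$1/$3.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1/$3.csr" \
    -CA "$1/$2.cert" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/$3.cert" >/dev/null 2>&1
}

# verify_chain CAFILE CERTFILE : exit 0 if CERTFILE chains to CAFILE, 1 otherwise.
# This is the trust decision the TLS client makes before it sends the alert.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Two independent CAs; the server certificate is issued by good-ca only.
make_ca "$WORK" good-ca
make_ca "$WORK" other-ca
make_server_cert "$WORK" good-ca ldap.example.test

# check_good: the client trusts the issuing CA, so verification succeeds.
check_good() {
  verify_chain "$WORK/good-ca.cert" "$WORK/ldap.example.test.cert"
}

# check_unknown_ca: the client trusts a different CA, so verification fails,
# which is what produces the "unknown CA" alert seen in the slapd trace.
check_unknown_ca() {
  ! verify_chain "$WORK/other-ca.cert" "$WORK/ldap.example.test.cert"
}

check_good && echo "issuing CA trusted: certificate verifies"
check_unknown_ca && echo "unrelated CA trusted: verification fails (unknown CA)"
```

To apply the check to a real deployment, run verify_chain with the CA file the client actually trusts and the certificate the server actually serves; if that pair fails here, the TLS handshake will fail the same way regardless of how slapd.conf is set up.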