TLS does not work properly.
Hi all!
Thanx to Patrick for the link!
(http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html)
Encryption now seems to work halfway. These are the new problems.
The entries in my slapd.conf concerning TLS are:
# TLS stuff
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient demand
TLSCertificateFile /etc/ssl/openldap/servercrt.pem
TLSCertificateKeyFile /etc/ssl/openldap/serverkey.pem
TLSCACertificateFile /etc/ssl/openldap/cacert.pem
The server starts ok:
ldap# /usr/local/libexec/slapd -d 256
@(#) $OpenLDAP: slapd 2.2.13 (Jun 23 2004 12:21:56) $
root@ldap.uwskoeln.de:/var/install/openldap-2.2.13/servers/slapd
bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
bdb_db_init: Initializing BDB database
slapd starting
A search from a local user shows:
bash-2.05b$ ldapsearch -v -n -Z -b 'dc=testldap,dc=org'
ldap_initialize( <DEFAULT> )
filter: (objectclass=*)
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <dc=testldap,dc=org> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
The user's ldaprc:
#
# User specific LDAP settings
#
# Override global directive (if set)
TLS_REQCERT demand
# client authentication
TLS_CERT /home/admin/ldap.client.pem
TLS_KEY /home/admin/ldap.client.key.pem
A search from a remote box doesn't work at all:
user@box:~$ ldapsearch -v -n -Z -b 'dc=testldap,dc=org'
ldap_init( ldap, 0 )
ldap_start_tls: Connect error (91)
additional info: Error in the certificate.
ldap_sasl_interactive_bind_s: Local error (82)
additional info: Error in the certificate.
user@box:~$
The remote user's ldaprc:
#
# User specific LDAP settings
#
HOST ldap
PORT 389
# Override global directive (if set)
TLS_REQCERT demand
# client authentication
TLS_CERT /home/hoffmann/ldap.client.pem
TLS_KEY /home/hoffmann/ldap.client.key.pem
The questions now are: Where is the user subtree that I can see with the
command ldapsearch -x -b 'dc=testldap,dc=org' from everywhere?
How can I find out what's wrong with the remote box's attempt to connect?
Thank you for help & hints!
Greetings,
Oliver.
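As an added example (not from the post or from OpenLDAP itself), a small checker that reads the ldap.conf/ldaprc and slapd.conf directive format shown above and flags TLS settings that cannot work or stay weak, such as a client that demands server-certificate verification without any TLS_CACERT/TLS_CACERTDIR to verify against; libldap reads the global ldap.conf first and a user's ldaprc overrides it, so the checker merges the two. The global file contents and the finding texts are this example's own assumptions.

```python
# Added example, not part of the mailing-list post. Lints the TLS directives
# of an OpenLDAP client config (global ldap.conf + user ldaprc) and of
# slapd.conf for settings that break or weaken StartTLS.

def parse_ldap_conf(text):
    """Parse 'DIRECTIVE value' lines; '#' lines are comments.
    Directive names are case-insensitive, so keys are upper-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_client(user_rc, global_conf=""):
    """Effective client settings = global ldap.conf overridden by the user's
    ldaprc. Returns a list of findings, empty when clean."""
    c = parse_ldap_conf(global_conf)
    c.update(parse_ldap_conf(user_rc))
    findings = []
    reqcert = c.get("TLS_REQCERT", "demand").lower()  # libldap default: demand
    if reqcert in ("demand", "hard") and not (c.get("TLS_CACERT") or c.get("TLS_CACERTDIR")):
        findings.append("TLS_REQCERT %s but no TLS_CACERT/TLS_CACERTDIR: "
                        "the server certificate cannot be verified" % reqcert)
    if bool(c.get("TLS_CERT")) != bool(c.get("TLS_KEY")):
        findings.append("TLS_CERT and TLS_KEY must both be set for client auth")
    return findings

def lint_server(slapd_conf):
    """slapd.conf: verifying client certs needs a CA file or path."""
    c = parse_ldap_conf(slapd_conf)
    findings = []
    verify = c.get("TLSVERIFYCLIENT", "never").lower()  # slapd default: never
    if verify != "never" and not (c.get("TLSCACERTIFICATEFILE") or c.get("TLSCACERTIFICATEPATH")):
        findings.append("TLSVerifyClient %s needs TLSCACertificateFile/Path" % verify)
    if "SSLV2" in c.get("TLSCIPHERSUITE", "").upper():
        findings.append("TLSCipherSuite references SSLv2; confirm no SSLv2 ciphers are negotiable")
    return findings

# Constructed inputs: the remote user's ldaprc and the slapd.conf from the
# post, plus a hypothetical global ldap.conf that supplies the CA certificate.
REMOTE_LDAPRC = "HOST ldap\nPORT 389\nTLS_REQCERT demand\n" \
    "TLS_CERT /home/hoffmann/ldap.client.pem\nTLS_KEY /home/hoffmann/ldap.client.key.pem\n"
GLOBAL_LDAP_CONF = "TLS_CACERT /etc/ssl/openldap/cacert.pem\n"  # hypothetical
SLAPD_CONF = "TLSCipherSuite HIGH:MEDIUM:+SSLv2\nTLSVerifyClient demand\n" \
    "TLSCertificateFile /etc/ssl/openldap/servercrt.pem\n" \
    "TLSCertificateKeyFile /etc/ssl/openldap/serverkey.pem\n" \
    "TLSCACertificateFile /etc/ssl/openldap/cacert.pem\n"

if __name__ == "__main__":
    print("remote ldaprc alone:", lint_client(REMOTE_LDAPRC) or ["ok"])
    print("remote ldaprc + global:", lint_client(REMOTE_LDAPRC, GLOBAL_LDAP_CONF) or ["ok"])
    print("slapd.conf:", lint_server(SLAPD_CONF) or ["ok"])
```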