Restrict client access by certificates

[Xavier Fustero <xavier.fustero@bsc.es>]

Hi,

I have a strange problem with certificates. I would like to have my ldap 
server working through certificates and allow recognized clients to read 
the ldap information. The scenario is:

- ldap server/client (opsids01)
- client (bscsi07)

In my test environment, I have created my own CA who has sign the server 
and the client certificates. Unfortunately the certificates are not 
still working as desired. I would like to allow only opsids01 to read 
the ldap information. However, I still can retrieve the information from 
'opsids01' and 'bscsi07'. It doesn't seem to restrict clients access by 
certificates.

slapd.conf:
------------------
access to *
      by dn="cn=admin,dc=bsc,dc=es" write
      by dn="cn=allowed host,dc=bsc,dc=es" read
      by * none

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile path_to_servercrt.pem
TLSCertificateKeyFile path_to_serverkey.pem
TLSCACertificateFile path_to_cacert.pem
TLSVerifyClient demand

sasl-regexp CN=opsids01.bsc.es "cn=allowed host,dc=bsc,dc=es"

client-server: ~/.ldaprc
----------
TLS_CACERT /path_to_cacert.pem
TLS_CERT /path_to_servercrt.pem
TLS_KEY /path_to_serverkey.pem

Using a command like:   ldapsearch -x -H ldaps://opsids01.bsc.es -b 
'dc=bsc,dc=es' '(objectclass=*)'

the client-server is able to retrieve information from the ldap server. 
According the slapd.conf file, this client should be the only one allow 
to get this information. However, the other client,  bscsi07.bsc.es, 
still can get results from a ldapsearch query. This other client has a 
different CN so it shouldn't be authorize to retrieve anything. Could 
someone help me on this?

Thanks a lot,
Xavi




--
Xavier Fustero Benavent		
Barcelona Supercomputing Center - 
Centro Nacional de Supercomputación (BSC-CNS)
Tel: +34 9341 37718 / Fax: +34 9341 37721