
Re: Problem when activation TLSVerifyClient demand



JoyDeep, if I understand the slapd manpage, TLSVerifyClient demand requires that the client have a valid certificate for authentication to the server. Have you configured ldap.conf with client certificate information?

This is not to be confused with the 'TLS_REQCERT demand' directive in the ldap.conf, which can direct the client to require the server certificate to be valid.


\\Greg

JOYDEEP wrote:
dear list,

I have no problem executing the command
ldapsearch -H ldaps:// -u "uid=anupam" -x


here is my TLS part of slapd.conf
----------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile            /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
TLSCACertificateFile         /etc/openldap/myca/cacert.pem
TLSVerifyClient  never
-----------------------------------------------------------

Now when I change the [TLSVerifyClient never] to [TLSVerifyClient demand]
and try to execute the same command * ldapsearch -H ldaps:// -u "uid=anupam" -x *
it gives errors like


ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Could anyone suggest the problem I have here and the solution please?
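Added example, not taken from either mail: the client-side counterpart to "TLSVerifyClient demand" in slapd.conf, written as the ~/.ldaprc of the user running ldapsearch. The client certificate and key paths are assumed; cacert.pem is the CA file the posted slapd.conf already trusts. OpenLDAP honours TLS_CERT and TLS_KEY only in a per-user .ldaprc (or via the LDAPTLS_CERT / LDAPTLS_KEY environment variables), not in the system-wide ldap.conf, so putting them there has no effect.

```conf
# ~/.ldaprc for the user running ldapsearch (added example; paths are assumed)

# CA that signed the *server* certificate. This is the client verifying
# the server, and it is only enforced when TLS_REQCERT is 'demand'/'hard'.
# It has nothing to do with the server's TLSVerifyClient setting.
TLS_CACERT   /etc/openldap/myca/cacert.pem
TLS_REQCERT  demand

# Certificate and private key the *client* presents when slapd is set to
# 'TLSVerifyClient demand'. Without these, slapd's certificate request goes
# unanswered and the handshake is aborted, which is the
# "sslv3 alert handshake failure" seen in the ldapsearch output.
# The client certificate must chain to the CA named in slapd's
# TLSCACertificateFile, and the key file should be readable only by
# this user (mode 0600).
TLS_CERT     /home/anupam/.ldap/clientcert.pem
TLS_KEY      /home/anupam/.ldap/clientkey.pem
```

With this in place the original ldapsearch -H ldaps:// ... -x command should complete the handshake again; if it still fails, check that clientcert.pem verifies against cacert.pem with openssl verify before looking further.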