
Re: Problem when activation TLSVerifyClient demand



You probably don't want the server cert or key files in the ldap.conf file. Those entries are for client-side certificates. You should only need the CA cert. Suggest you re-read the ldap.conf man page for TLS entries.

\\Greg

JOYDEEP wrote:
Greg Martin wrote:
JoyDeep, if I understand the slapd manpage, TLSVerifyClient demand
requires that the client have a valid certificate for authentication to
the server.  Have you configured ldap.conf with client certificate
information?

This is not to be confused with the 'TLS_REQCERT demand' directive
in the ldap.conf, which can direct the client to require the server
certificate to be valid.
Thanks Greg,

here is the TLS part of my /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT   /etc/openldap/myca/servercert.pem
TLS_KEY    /etc/openldap/myca/serverkey.pem
TLS_REQCERT demand

So what to do to solve the problem?
Thanks once again for your response.

\\Greg

JOYDEEP wrote:
dear list,

I have no problem executing the command
ldapsearch -H ldaps:// -u "uid=anupam" -x

here is my TLS part of slapd.conf
----------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile            /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
TLSCACertificateFile         /etc/openldap/myca/cacert.pem
TLSVerifyClient  never
-----------------------------------------------------------

Now when I change [TLSVerifyClient never] to [TLSVerifyClient demand]
and try to execute the same command, ldapsearch -H ldaps:// -u "uid=anupam" -x,
it gives errors like

ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Could anyone suggest the problem I have here and the solution, please?
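The distinction drawn in the reply above (in ldap.conf, TLS_CERT and TLS_KEY name the client's own identity, and a plain client needs only TLS_CACERT; a server running "TLSVerifyClient demand" will insist on a client certificate) can be checked mechanically before a handshake is attempted. The shell script below is an added example, not code from this thread or from the OpenLDAP project: it builds a throwaway CA, a server certificate and a client certificate with openssl, writes a slapd.conf and two ldap.conf files in the shape shown in the thread (hypothetical paths under a temp directory), and reports whether the TLS_CERT/TLS_KEY pair in a client ldap.conf is a usable client identity for that server. The status names, the helper functions and all certificate names and paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA, a server
# certificate and a client certificate with openssl, writes configuration
# files in the shape shown in the thread, and reports whether the
# TLS_CERT/TLS_KEY pair named in a client ldap.conf is a usable client
# identity for a slapd running with "TLSVerifyClient demand".
# All names and paths are hypothetical; everything lives in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the result does not depend on the system openssl.cnf
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# Throwaway CA (constructed for the example)
openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
  -days 1 -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# issue_cert NAME CN EXT_SECTION: CA-signed key pair NAMEkey.pem / NAMEcert.pem
issue_cert() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$WORK/$1cert.pem" 2>/dev/null
}
issue_cert server ldap.example.test server_ext
issue_cert client anupam client_ext

# Server side, in the thread's shape but with the example paths
cat > "$WORK/slapd.conf" <<EOF
TLSCertificateFile    $WORK/servercert.pem
TLSCertificateKeyFile $WORK/serverkey.pem
TLSCACertificateFile  $WORK/cacert.pem
TLSVerifyClient       demand
EOF

# Client side: the thread's ldap.conf (server cert and key) next to a client identity
cat > "$WORK/ldap.conf.thread" <<EOF
TLS_CACERT  $WORK/cacert.pem
TLS_CERT    $WORK/servercert.pem
TLS_KEY     $WORK/serverkey.pem
TLS_REQCERT demand
EOF
cat > "$WORK/ldap.conf.fixed" <<EOF
TLS_CACERT  $WORK/cacert.pem
TLS_CERT    $WORK/clientcert.pem
TLS_KEY     $WORK/clientkey.pem
TLS_REQCERT demand
EOF

# conf_value FILE KEY: value of a whitespace-separated directive
conf_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# fingerprint CERT: SHA-256 fingerprint line of a PEM certificate
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# client_identity_status SLAPD_CONF LDAP_CONF: prints one of
#   missing                 a TLS_CACERT/TLS_CERT/TLS_KEY entry is absent
#   reuses-server-identity  TLS_CERT is the server's own TLSCertificateFile
#   key-mismatch            TLS_KEY is not the private key for TLS_CERT
#   not-client-cert         TLS_CERT does not verify for the sslclient purpose
#   ok                      the pair is a CA-signed client identity
client_identity_status() {
  ca=$(conf_value "$2" TLS_CACERT); cert=$(conf_value "$2" TLS_CERT)
  key=$(conf_value "$2" TLS_KEY);   srv=$(conf_value "$1" TLSCertificateFile)
  if [ -z "$ca" ] || [ -z "$cert" ] || [ -z "$key" ]; then echo missing; return; fi
  if [ "$(fingerprint "$cert")" = "$(fingerprint "$srv")" ]; then
    echo reuses-server-identity; return
  fi
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo key-mismatch; return
  fi
  if ! openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo not-client-cert; return
  fi
  echo ok
}

echo "thread ldap.conf: $(client_identity_status "$WORK/slapd.conf" "$WORK/ldap.conf.thread")"
echo "fixed  ldap.conf: $(client_identity_status "$WORK/slapd.conf" "$WORK/ldap.conf.fixed")"
```

Run as `sh check-client-identity.sh`; the thread's configuration reports `reuses-server-identity`, and the variant with a CA-signed clientAuth certificate reports `ok`. The `-purpose sslclient` check is what catches a certificate issued for serverAuth only, and the public-key comparison catches a cert paired with somebody else's key; both are conditions a slapd set to demand client certificates will refuse at handshake time, which is the point at which the thread's "sslv3 alert handshake failure" appears.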