Re: Problem when activation TLSVerifyClient demand
Greg Martin wrote:
> You probably don't want the server cert or key files in the ldap.conf
> file. Those entries are for client-side certificates.
OK Greg, I have tested with commenting out
TLS_CERT and TLS_KEY in ldap.conf but still the
problem persists.
> You should only need the CA cert. Suggest you re-read the ldap.conf
> man page for TLS entries.
>
> \\Greg
>
> JOYDEEP wrote:
>> Greg Martin wrote:
>>
>>> JoyDeep, If I understand the slapd manpage, TLSVERIFYCLIENT demand
>>> requires that the client have a valid certificate for authentication to
>>> the server. Have you configured ldap.conf with client certificate
>>> information?
>>>
>>> This is not to be confused with the 'TLS_REQCERT demand' directive
>>> in the ldap.conf which can direct the client to require the server
>>> certificate to be valid.
>>>
>> Thanks Greg,
>>
>> here is the TLS part of my /etc/openldap/ldap.conf
>>
>> TLS_CACERT /etc/openldap/myca/cacert.pem
>> TLS_CERT /etc/openldap/myca/servercert.pem
>> TLS_KEY /etc/openldap/myca/serverkey.pem
>> TLS_REQCERT demand
>>
>> So what to do to solve the problem ?
>> thanks once again for your response.
>>
>>
>>> \\Greg
>>>
>>> JOYDEEP wrote:
>>>
>>>> dear list,
>>>>
>>>> I have no problem to execute the command
>>>> ldapsearch -H
>>>> ldaps:// -u "uid=anupam" -x
>>>>
>>>> here is my TLS part of slapd.conf
>>>> ----------------------------------------
>>>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>>>> TLSCertificateFile /etc/openldap/myca/servercert.pem
>>>> TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
>>>> TLSCACertificateFile /etc/openldap/myca/cacert.pem
>>>> TLSVerifyClient never
>>>> -----------------------------------------------------------
>>>>
>>>> Now when I change the [TLSVerifyClient never] to
>>>> [TLSVerifyClient demand]
>>>> and try to execute the same command * ldapsearch -H ldaps:// -u
>>>> "uid=anupam" -x *
>>>> it gives errors like
>>>>
>>>> ldap_bind: Can't contact LDAP server (-1)
>>>> additional info: error:14094410:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>>>>
>>>> Could anyone suggest the problem I have here and the solution
>>>> please?
>>>>
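The thread turns on which side each directive belongs to: TLSVerifyClient in slapd.conf makes the server require a certificate from the client, TLS_CERT/TLS_KEY in ldap.conf are the client's own certificate and key, and TLS_REQCERT in ldap.conf governs how strictly the client checks the server's certificate. The script below is an added example, not code from the thread or from the OpenLDAP project; it parses the two config fragments posted above (embedded as constructed sample text, plus a hypothetical clientcert.pem/clientkey.pem pair that does not appear in the thread) and flags the two states described: the server's own certificate reused as TLS_CERT, and TLS_CERT/TLS_KEY commented out while the server still demands a client certificate. It inspects directives only and does not open files or perform a handshake.

```python
"""Consistency check for OpenLDAP mutual-TLS settings (added example, not from the thread).

Rules encoded, from the distinction drawn in the thread:
  - TLSVerifyClient demand (slapd.conf): the client MUST present a certificate that
    the server can validate against TLSCACertificateFile, otherwise the handshake fails.
  - TLS_CERT / TLS_KEY (ldap.conf): the CLIENT's certificate and key, not the server's.
  - TLS_REQCERT (ldap.conf): how strictly the client validates the SERVER certificate.
"""
from typing import Dict, List


def parse_directives(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines; blank lines and '#' comments are skipped.

    Names are lower-cased so lookups ignore case. A commented-out directive
    (e.g. '#TLS_CERT ...') is simply absent, which is the state the follow-up describes.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)           # split on first run of whitespace (space or tab)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def check_client_auth(slapd_conf: str, ldap_conf: str) -> List[str]:
    """Return findings ('ERROR: ...', 'WARN: ...', or a single 'OK: ...') for a server/client pair."""
    server = parse_directives(slapd_conf)
    client = parse_directives(ldap_conf)
    findings: List[str] = []

    mode = server.get("tlsverifyclient", "never").lower()
    client_cert = client.get("tls_cert")
    client_key = client.get("tls_key")

    # Server demands a client certificate but the client has none configured to send.
    if mode == "demand" and not (client_cert and client_key):
        findings.append("ERROR: TLSVerifyClient demand but ldap.conf sets no TLS_CERT/TLS_KEY; "
                        "the server aborts the handshake when no client certificate arrives")
    # Server cannot validate any client certificate without a CA to check it against.
    if mode in ("demand", "try") and not server.get("tlscacertificatefile"):
        findings.append("ERROR: TLSVerifyClient %s needs TLSCACertificateFile to validate client certificates" % mode)
    # The posted ldap.conf pointed TLS_CERT at the server's own certificate.
    if client_cert and client_cert == server.get("tlscertificatefile"):
        findings.append("WARN: TLS_CERT in ldap.conf is the server's own TLSCertificateFile; "
                        "a client certificate issued by the CA is expected here")
    # TLS_REQCERT defaults to demand; without a CA the client cannot validate the server.
    if client.get("tls_reqcert", "demand").lower() in ("demand", "hard") \
            and not (client.get("tls_cacert") or client.get("tls_cacertdir")):
        findings.append("WARN: TLS_REQCERT demand without TLS_CACERT; the client cannot validate the server certificate")

    if not findings:
        findings.append("OK: client authentication settings are consistent")
    return findings


# Constructed sample input, copied from the slapd.conf fragment in the thread with demand set.
SLAPD_CONF_DEMAND = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
TLSCACertificateFile /etc/openldap/myca/cacert.pem
TLSVerifyClient demand
"""

# State 1: ldap.conf as first posted (server cert and key reused on the client side).
LDAP_CONF_SERVER_FILES = """\
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT /etc/openldap/myca/servercert.pem
TLS_KEY /etc/openldap/myca/serverkey.pem
TLS_REQCERT demand
"""

# State 2: after commenting TLS_CERT/TLS_KEY out, as in the follow-up.
LDAP_CONF_NO_CLIENT_CERT = """\
TLS_CACERT /etc/openldap/myca/cacert.pem
#TLS_CERT /etc/openldap/myca/servercert.pem
#TLS_KEY /etc/openldap/myca/serverkey.pem
TLS_REQCERT demand
"""

# State 3: a client certificate issued by the same CA (hypothetical file names, not from the thread).
LDAP_CONF_CLIENT_CERT = """\
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT /etc/openldap/myca/clientcert.pem
TLS_KEY /etc/openldap/myca/clientkey.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for label, conf in [("server files reused", LDAP_CONF_SERVER_FILES),
                        ("client cert commented out", LDAP_CONF_NO_CLIENT_CERT),
                        ("dedicated client cert", LDAP_CONF_CLIENT_CERT)]:
        print(label)
        for finding in check_client_auth(SLAPD_CONF_DEMAND, conf):
            print("  " + finding)
```

With TLSVerifyClient set back to never, none of the client-side findings fire, which matches the original post: the ldapsearch worked until the server started demanding a certificate the client was not configured to present.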