Re: TLS configuration needs client certification (why?)
On Aug 25, 2007, at 2:49 PM, Howard Chu wrote:
Frank Cornelissen wrote:
Hello all,
why does slapd require a peer/client certificate? I'm running slapd 2.3.30
on debian (package 2.3.30-5 to be precise).
When connecting with ssl to slapd using
ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
I get the following error from slapd (started with -d 8):
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
When connecting to the same host but with the ldap protocol (vs.
ldaps) the search returns correctly.
This error looks as if slapd somehow wants to get a client
certificate, but I did not set slapd up that way. The ldap.conf on
the client machines only contains the CA certificate field:
TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt
Relevant parts from slapd.conf (included in full at the end of the
message):
TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none
Uncomment the "TLSVerifyClient never" directive here to work around
this problem.
No, that didn't work. The problem is a bad interaction between
libnss_ldap and slapd, which share the same ldap connection context
(same process). libnss-ldap does (rightfully) want to check the
certificate of the server, and sets this option when it is activated.
That happens after slapd.conf is read. My solution for now is to
run slapd in a chroot jail which does not reference nss-ldap, so this
problem does not occur.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Frank Cornelissen
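A small checker for the TLS block of a slapd.conf, added here as an example and not code from the thread or from OpenLDAP: it reports what client-certificate behaviour the file alone would give (the default for an absent or commented-out TLSVerifyClient is "never", so a server that still demands a client certificate is being reconfigured from somewhere else, as in the libnss_ldap case above) and flags TLS directive names it does not recognise. SAMPLE_CONF is a constructed fragment modelled on the one quoted in the post.

```python
"""Report the effective TLSVerifyClient setting of a slapd.conf fragment."""

# slapd treats a missing or commented-out TLSVerifyClient as "never".
DEFAULT_VERIFY_CLIENT = "never"
# Directive names are case-insensitive in slapd.conf; compare lower-cased.
KNOWN_TLS_DIRECTIVES = {
    "tlscertificatefile", "tlscertificatekeyfile", "tlscacertificatefile",
    "tlscacertificatepath", "tlsverifyclient", "tlscrlcheck", "tlsciphersuite",
}
# Modes in which the server sends a CertificateRequest during the handshake.
REQUESTING_MODES = {"allow", "try", "demand", "hard", "true"}

# Constructed sample, modelled on the fragment quoted in the post.
SAMPLE_CONF = """
TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none
"""


def parse_tls_directives(conf_text):
    """Return (active, commented) dicts of lower-cased TLS* directive -> value."""
    active, commented = {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        is_comment = line.startswith("#")
        parts = line.lstrip("#").strip().split(None, 1)
        if len(parts) != 2 or not parts[0].lower().startswith("tls"):
            continue
        (commented if is_comment else active)[parts[0].lower()] = parts[1]
    return active, commented


def effective_verify_client(conf_text):
    """Describe the client-certificate behaviour implied by the file itself."""
    active, commented = parse_tls_directives(conf_text)
    mode = active.get("tlsverifyclient", DEFAULT_VERIFY_CLIENT).lower()
    warnings = [
        "unrecognised TLS directive '%s' (typo?)" % name
        for name in active if name not in KNOWN_TLS_DIRECTIVES
    ]
    if "tlsverifyclient" in commented:
        warnings.append("TLSVerifyClient is commented out; default '%s' applies"
                        % DEFAULT_VERIFY_CLIENT)
    return {
        "verify_client": mode,
        "requests_client_cert": mode in REQUESTING_MODES,
        "fails_without_client_cert": mode in {"demand", "hard", "true"},
        "warnings": warnings,
    }
```

If this reports "never" but the handshake still fails with "peer did not return a certificate", the TLS context is being altered at runtime rather than by slapd.conf, which is the situation the thread describes.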