
Re: Question about /etc/openldap/ldap.conf



Rogov Stepan <rogov@promo.ru> writes:

> Hi there!
>
> I have openldap 2.4.21. I configured it with ssl(ldaps) and
> "TLSVerifyClient demand".
>
> On the client side file /etc/openldap/ldap.conf contains the following:
> TLS_CACERT /etc/ssl/servercert.ca.crt
> TLS_CERT /etc/openldap/client.crt
> TLS_KEY /etc/openldap/client.key
>
> But samba and ldap-standard tools (e.g. ldapsearch) don't connect to
> ldap-server:
> TLS trace: SSL3 alert read: fatal: handshake failure
> TLS trace: SSL_connect: failed in SSLv3 read finished A
> TLS: can't connect: error: 14094410: SSL routines: SSL3_READ_BYTES:
> sslv3 alert handshake failure.
> ldap_err2string
> ldap_sasl_bind (SIMPLE): Can't contact LDAP server (-1)
>
> If you save the content of /etc/openldap/ldap.conf in ~/.ldaprc or use
> variables $LDAP<uppercase option name>, then everything works fine.
> I assume that options TLS_CERT and TLS_KEY aren't read from
> /etc/openldap/ldap.conf. Correspondingly the server cannot verify
> client certificates.
> But the manual says:
> "Thus the following files and variables are read, in order:
> variable $LDAPNOINIT, and if that is not set:
> system file /etc/openldap/ldap.conf,
> user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc,
> system file $LDAPCONF,
> user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
> variables $LDAP<uppercase option name>.
> Settings late in the list override earlier ones."

If you read ldap.conf(5) carefully you will read:

Some options are user-only.  Such options are ignored if present in the
ldap.conf (or file specified by LDAPCONF).

And it is logical that TLS_CERT and TLS_KEY are not global
configuration parameters but only user specific parameters.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
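The resolution order and the user-only rule from ldap.conf(5) that the reply relies on, as an added Python model that is not OpenLDAP's own code. It assumes only TLS_CERT and TLS_KEY as user-only options and uses constructed sample files mirroring the thread's configuration, so you can see exactly why the system file alone leaves the client without a certificate to present.

```python
# Model of the ldap.conf(5) resolution order the reply relies on. Added
# illustration, not libldap code; the user-only set is limited to the two
# options the thread discusses, and option names are uppercased here.
USER_ONLY = {"TLS_CERT", "TLS_KEY"}                  # ignored in system file
SPECIAL_VARS = {"LDAPNOINIT", "LDAPCONF", "LDAPRC"}  # not option settings

# Constructed sample inputs mirroring the thread's configuration.
SYSTEM_CONF = """
# /etc/openldap/ldap.conf (system file)
TLS_CACERT /etc/ssl/servercert.ca.crt
TLS_CERT /etc/openldap/client.crt
TLS_KEY /etc/openldap/client.key
"""
USER_RC = """
# ~/.ldaprc (user file): same two options, now honoured
TLS_CERT /etc/openldap/client.crt
TLS_KEY /etc/openldap/client.key
"""

def parse_ldap_conf(text):
    """Parse 'OPTION value' lines, skipping blanks and '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            opts[name.upper()] = value.strip()
    return opts

def resolve_options(system_conf, user_confs=(), environ=None):
    """Apply system file, then user files, then $LDAP<OPTION> variables;
    later sources override earlier ones, as ldap.conf(5) states."""
    environ = environ or {}
    if "LDAPNOINIT" in environ:          # nothing at all is read
        return {}
    resolved = {k: v for k, v in parse_ldap_conf(system_conf).items()
                if k not in USER_ONLY}   # silent drop behind the failure
    for text in user_confs:              # $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc
        resolved.update(parse_ldap_conf(text))
    for var, value in environ.items():
        if var.startswith("LDAP") and var not in SPECIAL_VARS:
            resolved[var[4:]] = value    # LDAPTLS_CERT -> TLS_CERT
    return resolved

def can_present_client_cert(opts):
    """True only when both values 'TLSVerifyClient demand' needs resolved."""
    return "TLS_CERT" in opts and "TLS_KEY" in opts
```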