
Re: TLSVerifyClient => no login possible



Hello Sebastian,

Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:

> Dieter Kluenter wrote:
>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>
>>   
>>> Hello,
>>>
>>> I have configured an openSUSE 11.0 (x86_64) with openldap-server. Also
>>> TLS is activated. All clients are set to "TLS_REQCERT demand"
>>> and it is working.
>>> Then I created client certificates by using the server's Yast2 CA
>>> management. I copied the client certificates and also the server's
>>> "cacert" into the "/etc/openldap/" directory on the client computer. With
>>> "TLSVerifyClient allow" clients can login, but if I activate the
>>> "TLSVerifyClient demand" option in the server's slapd.conf no user can
>>> perform a login and it causes errors in /var/log/messages:
>>>     
>> [...]
>>
>>   
>>> What is wrong? The client certificate's "common name" is set to the
>>> client's hostname. Is this ok?
>>>     
>>
>> Clients don't read slapd.conf(5) but only ldap.conf(5), run slapd with
>> debug level 3 to analyse the tls session.
>>
>> -Dieter
>>
>>   
> Hello Dieter,
>
> Now I have set the loglevel to "3" and I get the following output if I
> try to login (still fails):

loglevel is != debug level, man slapd(8), run slapd -d3

> -------------------/var/log/messages---------------------------------------------------------------------

[...]
> Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search
> LDAP server - Server is unavailable
[...]

> Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s:
> Connect error
> -------------------/var/log/messages---------------------------------------------------------------------
>
> I am not sure if this is a configuration or certificate error. Do you
> understand this output above?

The clients are nss_ldap and pam_ldap; check the clients'
configuration for starttls parameters.
With debug level 3 you should see something like

TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1931, written=1931
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert write:warning:close notify

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
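Two small helpers for following the advice in this thread, added here as an illustration and not part of the mailing list message or of OpenLDAP itself. The first classifies a slapd -d3 TLS trace such as the one Dieter quotes: it reports whether the server asked for a client certificate, whether the client answered with a CertificateVerify (the only handshake message that proves the client actually used a certificate), and whether the server reached its Finished message. The second reports which ldap.conf(5) TLS options (TLS_CACERT, TLS_CERT, TLS_KEY) are absent from a client configuration, which is the usual reason a server set to "TLSVerifyClient demand" never sees a certificate. The sample traces and the sample ldap.conf are constructed; the state names are the ones OpenSSL prints, but the second trace's sequence is illustrative rather than captured from a live server. pam_ldap and nss_ldap read their own configuration file with their own option names, so adapt the key list if you point this at that file.

```python
import re

# Fragments of the OpenSSL state strings that slapd prints on "TLS trace:" lines
CERT_REQUEST = "write certificate request"   # server asked for a client certificate
CERT_VERIFY = "read certificate verify"      # client proved possession of its cert's key
SERVER_FINISHED = "write finished"           # server completed its side of the handshake
CLOSE_NOTIFY = "close notify"                # connection was shut down


def analyze_tls_trace(trace: str) -> dict:
    """Summarise a slapd -d3 TLS trace from the server's point of view."""
    states = re.findall(r"^TLS trace: (.+)$", trace, re.MULTILINE)
    summary = {
        "cert_requested": any(CERT_REQUEST in s for s in states),
        "cert_verified": any(CERT_VERIFY in s for s in states),
        "handshake_completed": any(SERVER_FINISHED in s for s in states),
        "close_notify": any(CLOSE_NOTIFY in s for s in states),
    }
    if summary["handshake_completed"]:
        summary["diagnosis"] = "handshake completed " + (
            "with a verified client certificate" if summary["cert_verified"]
            else "without a client certificate")
    elif summary["cert_requested"]:
        summary["diagnosis"] = (
            "server requested a client certificate and the session ended before a "
            "CertificateVerify arrived; check TLS_CERT/TLS_KEY on the client and that "
            "the client trusts the server certificate")
    else:
        summary["diagnosis"] = "session ended before any client certificate was requested"
    return summary


def check_client_tls_conf(conf: str) -> list:
    """Return the ldap.conf(5) TLS options a client needs for a server that demands
    a client certificate but which are absent from `conf`."""
    present = set()
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        present.add(line.split()[0].upper())
    return [opt for opt in ("TLS_CACERT", "TLS_CERT", "TLS_KEY") if opt not in present]


# Constructed sample: the trace quoted in the thread, which stops right after the
# server's certificate request.
TRACE_NO_CLIENT_CERT = """\
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1931, written=1931
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert write:warning:close notify
"""

# Constructed sample of a handshake in which the client answered the request.
TRACE_WITH_CLIENT_CERT = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
"""

# Constructed client ldap.conf that trusts the CA but configures no client certificate.
LDAP_CONF_MISSING_CERT = """\
# /etc/openldap/ldap.conf (constructed example)
BASE   dc=example,dc=org
URI    ldap://ldap.example.org
TLS_CACERT /etc/openldap/cacert.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, trace in (("no client cert", TRACE_NO_CLIENT_CERT),
                        ("with client cert", TRACE_WITH_CLIENT_CERT)):
        print(name, "->", analyze_tls_trace(trace)["diagnosis"])
    print("missing in ldap.conf:", check_client_tls_conf(LDAP_CONF_MISSING_CERT))
```

Run it against the output of `slapd -d3` captured to a file and against the client's ldap.conf; the trace classifier keys on the CertificateVerify message rather than on "read client certificate", because a client with no certificate configured still sends an (empty) Certificate message and the server logs that state either way.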