
Using Arbitrary X509 certificates for LDAPS authentication



Hi there,

Are there any restrictions on the DN or other attributes of
credentials used for LDAP authentication?

We are using grid credentials (X509 format) with DNs like this:

issuer= /C=CA/O=Grid/CN=Grid Canada Certificate Authority
subject= /C=CA/O=Grid/CN=host/somehost.somedomain.ca

When I use some grid certs (X509 format) I see this message in the debug
output from slapd:

connection_read(10): unable to get TLS client DN error=49 id=3

When I try to connect, I get this:

ldap_initialize( ldaps://somehost.somedomain.ca )
ldap_bind: Can't contact LDAP server

The openssl command to create a connection works OK:

CONNECTED(00000003)
---
Certificate chain
  0 s:/C=CA/O=Grid/CN=host/somehost.somedomain.ca
    i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
  1 s:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
    i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/O=Grid/CN=host/somehost.somedomain.ca
issuer=/C=CA/O=Grid/CN=Grid Canada Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2083 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DES-CBC3-SHA
     Session-ID:
43B46528E848663E7C8E9CAAEA4E6DB5E4A9675C05C3066DBD826CD1CF59A566
     Session-ID-ctx:
   Master-Key:
A8245A0731BA98F0D88821346432868C392FEE3F23EAFB9F356A34CB6BB663FC0892374118F280D6284C8E2ACAC3
     Key-Arg   : None
     Start Time: 1251330160
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)

When I use certs created by us with another DN format such as this:

subject= /C=CA/ST=Province/L=Town/O=Organization/OU=Unit/CN=somehost.somedomain.ca/emailAddress=email@somewhere.ca
issuer= /C=CA/ST=Province/O=Organization/OU=Town/CN=Our CA/emailAddress=email@somewhere.ca

and then make no other changes to the config other than pointing
everything to the new commands, I can make a connection.

Any suggestions? Please advise.

Steve
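Added example (not part of the original post, and not OpenLDAP's own code): how the ordered attribute/value pairs of an X.509 subject, as any certificate parser hands them to you, are rendered as an RFC 4514 LDAP DN string, and why OpenSSL's legacy slash-separated one-line form cannot be split back into components reliably when a value itself contains a `/`, as the `CN=host/somehost.somedomain.ca` subject quoted above does. The function names and the sample DNs below are constructed for illustration; the script says nothing about the internals behind the `error=49` message.

```python
"""
Render an X.509 name as an RFC 4514 LDAP DN string, and show why the
OpenSSL "compat" one-line form (/C=CA/O=Grid/CN=...) is ambiguous when an
attribute value contains '/'.

Constructed example; the component lists mirror the DNs quoted in the post.
"""

# RFC 4514 section 2.4: characters that must always be escaped in a value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 (backslash escaping)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # leading '#' would mean hex form
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def x509_name_to_ldap_dn(components):
    """components: [(attr, value), ...] in certificate order (C first).

    LDAP DN strings list the most specific RDN first, so the order is
    reversed. Note that '/' is not special in RFC 4514 and is left alone.
    """
    return ','.join(f"{attr}={escape_rdn_value(val)}"
                    for attr, val in reversed(components))


def split_openssl_oneline(dn: str):
    """Naive parse of OpenSSL's legacy '/C=../O=..' form.

    Every '/' is treated as a component separator, which is all a text
    consumer can do: a '/' inside a value is not escaped in that format.
    Returns (attr, value) pairs; a fragment without '=' is returned as
    (None, fragment) so the breakage is visible rather than silently lost.
    """
    comps = []
    for part in dn.lstrip('/').split('/'):
        attr, sep, val = part.partition('=')
        comps.append((attr, val) if sep else (None, part))
    return comps


def values_with_slash(components):
    """Report which attribute values would be mangled by the one-line form."""
    return [attr for attr, val in components if '/' in val]


if __name__ == '__main__':
    # Constructed from the two subjects quoted in the post.
    grid = [('C', 'CA'), ('O', 'Grid'), ('CN', 'host/somehost.somedomain.ca')]
    local = [('C', 'CA'), ('ST', 'Province'), ('L', 'Town'), ('O', 'Organization'),
             ('OU', 'Unit'), ('CN', 'somehost.somedomain.ca'),
             ('emailAddress', 'email@somewhere.ca')]
    for name in (grid, local):
        print('LDAP DN :', x509_name_to_ldap_dn(name))
        print('slash in:', values_with_slash(name) or 'none')
    print('naive split of one-line form:',
          split_openssl_oneline('/C=CA/O=Grid/CN=host/somehost.somedomain.ca'))
```

Running it prints `CN=host/somehost.somedomain.ca,O=Grid,C=CA` for the grid subject (no escaping needed, since `/` is ordinary in RFC 4514) but the naive split of the same subject's one-line form yields four fragments, the last one with no attribute type at all; that is the practical difference between the two DN formats, independent of any particular server's handling.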