Re: open LDAP + TLS/SSL bind Failed.

["vijay s sheelavantar" <s_vijay65@rediffmail.com>]

Thank you very much Buchan.

I have changed the certificate creation method. Now I created the certificates using CA.sh of openssl.

I followed the instruction given in the below link to create the certificates.

http://octaldream.com/~scottm/talks/ssl/opensslca.html

1. At the server side now i am able to do ldapsearch and ldapadd, as i have chenged the /usr/local/etc/openldap/ldap.conf on server to remove IP address. I have made necessary changes in /etc/hosts file also.

BASE    dc=samsung,dc=com

URI     ldaps://localhost.localdomain/

TLS_CACERT      /etc/pki/CA/cacert.pem

TLS_CACERTDIR   /etc/pki/CA/

2.slapd.conf details for TLS are as follows

TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA

TLSCACertificatePath    /etc/pki/CA/

TLSCACertificateFile    /etc/pki/CA/cacert.pem

TLSCertificateFile      /etc/pki/tls/misc/newcert.pem

TLSCertificateKeyFile   /etc/pki/tls/misc/newkey.pem

TLSVerifyClient         allow

3. I have copied the "cacert.pem" which is CA and "newcert.pem" which my server certificate to the client machine. I have copied these files to /etc/openldap/cacerts directory on client machine. and I have made the following configuration changes to "/etc/ldap.conf" file at the client side.

base dc=samsung,dc=com

uri ldaps://localhost.localdomain/

tls_cacertfile  /etc/openldap/cacerts/cacert.pem

tls_cert /etc/openldap/cacerts/newcert.pem

pam_password md5

nss_map_attribute gecos description

When the "TLSVerifyClient  allow" is specified in slapd.conf, I am able to login to the client machine properly, authentication is succesful. but when "TLSVerifyClient  demand" and when I try to login to the client machine the authentication is failing.

I am getting the following error at the server side.

TLS trace: SSL3 alert write:fatal:handshake failure

TLS trace: SSL_accept:error in SSLv3 read client certificate B

TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate.

connection_read(12): TLS accept failure error=-1 id=1005, closing

connection_closing: readying conn=1005 sd=12 for close

connection_close: conn=1005 sd=12

daemon: activity on 1 descriptor

daemon: activity on:

daemon: removing 12

conn=1005 fd=12 closed (TLS negotiation failure)

please let me know where i am making mistake? how can i correct this and make it work properly?

Thanks & Regards,

Vijay S.

Treat yourself at a restaurant, spa, resort and much more with Rediff Deal ho jaye!