olcTLSVerifyClient: demand not taking effect
- To: OpenLDAP Tech <openldap-technical@openldap.org>
- Subject: olcTLSVerifyClient: demand not taking effect
- From: Peter Wood <peterwood.sd@gmail.com>
- Date: Mon, 12 Mar 2012 18:52:34 -0700
Hi,
I set up an openldap-2.4.23 server on centos6.2 using cn=config. The server itself doesn't authenticate through ldap. Network clients are able to authenticate, but the network traffic is unencrypted.
Next step is to configure SSL/TLS. I was reading multiple sources of documentation, trying to understand what I'm doing, not just follow instructions. I created a CA, generated a certificate for the server and set these up in cn=config:
olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldapserver.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldapserver-nopass.key
olcTLSVerifyClient: demand
I was expecting that after a slapd restart clients would not be able to authenticate, but they still can and the traffic is still unencrypted. On the server, if I run tcpdump, I can clearly see usernames and passwords.
Service slapd is running as user ldap and I made sure the user has read access to all cert files and private keys. I enabled logging level "olcLogLevel: stats" but I don't see any errors in the log file.
Shouldn't "olcTLSVerifyClient: demand" drop the connection if the client doesn't provide a valid certificate?
Thank you for any pointers.
--
Peter
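An added example, not from the post above: olcTLSVerifyClient only governs what happens once a client has started a TLS handshake (with "demand", a session with no valid client certificate is terminated); it does not force clients to use TLS at all, so a plain ldap:// bind still goes through in clear text. The fragment below, applied with ldapmodify against cn=config, adds an olcSecurity directive that rejects any operation on a connection whose TLS strength factor is below 128, which is what makes the cleartext binds seen in tcpdump fail. It assumes the same global TLS attributes the post lists and a server reachable over ldapi:/// for the change.

```ldif
# Constructed example: require TLS (SSF >= 128) for all operations,
# in addition to demanding a client certificate once TLS is negotiated.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
replace: olcSecurity
# tls=128: operations on a non-TLS (or weak-TLS) connection are refused
# with "confidentiality required"; simple_bind=128 also rejects a
# cleartext simple bind explicitly.
olcSecurity: tls=128 simple_bind=128
```

After the change, an unencrypted `ldapwhoami -x -H ldap://server -D ... -w ...` should be refused, while the same bind with `-ZZ` (StartTLS) and a client certificate the CA trusts should succeed.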