Hi,
We
have to implement a 2 way SSL mechanism on a LDAP connector in our product.
In
order to test the implementation, we have chosen openLDAP2.4 as the data
source.
Currently
we have done the following steps:
On
the OpenLDAP end:
1.
Installed OpenLDAP with TLS feature
2.Created
a CA using OpenSSL
/etc/pki/tls/misc/CA ânewca
3.Created a certificate using OpenSSL
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out
newreq.pem
4.Signed the certificate using the CA created
/etc/pki/tls/misc/CA âsign
5. Finally stored the
cacert.pem, newreq.pem and newcert.pem under /opt/openldap/certificate folder
6. Following changes
were made in sldap.conf
TLSCipherSuite MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificatePath /opt/openldap/certificate/
TLSCACertificateFile /opt/openldap/certificate/cacert.pem
TLSCertificateFile /opt/openldap/certificate/servercrt.pem
TLSCertificateKeyFile /opt/openldap/certificate/serverkey.pem
# Use the following if client authentication is
required
TLSVerifyClient demand
7.Similarly a new certificate for client was created
using clientâs details such as host name etc
8.Signed by the previously created CA
On the client side:
1.
Following changes were made in ldap.conf
HOST
spsdel192
PORT 636
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
TLS_CACERT /etc/openldap/certs/cacert.pem
Finally when executing
[root@spsdel193
~]# ldapsearch -v -Z -D cn=root,o=ShawEnterprise -w secret -b
o=accounts,o=shawEnterprise
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
additional info: TLS error
-12227:SSL peer was unable to negotiate an acceptable set of security
parameters.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@spsdel193 ~]#
Any solution to resolve this issue would be of great
help.
Thanks in advance.
Regards
Vidya