Client doesn't send certificate for LDAPS
- To: openldap-technical@openldap.org
- Subject: Client doesn't send certificate for LDAPS
- From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Date: Sat, 08 Mar 2014 06:50:42 -0700
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10
I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to set up LDAPS when using a self-signed server certificate:
root@baneling:~# slapcat -H ldap:///cn=config??base
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 0e827846-3926-1033-9f74-632898b715c9
creatorsName: cn=config
createTimestamp: 20140306025210Z
olcTLSCertificateFile: /etc/ssl/certs/ldap.harmonywave.com.crt
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.harmonywave.com.key
olcTLSCipherSuite: SECURE256
olcTLSVerifyClient: never
entryCSN: 20140308131751.026022Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140308131751Z
This works fine and I'm able to authenticate clients. However, if I use a CA certificate (again, being my own CA) to sign my server certificate and then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile, then I can no longer authenticate. I've installed my CA certificate on the client machine and pointed both ldap.conf and nslcd.conf to the CA certificate. However, I get the following when debugging:
root@baneling:~# slapd -d conns -h ldaps:///
531b1cef @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $
        root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
531b1cf0 slapd starting
531b1cf0 daemon: added 3r listener=(nil)
531b1cf0 daemon: added 6r listener=0x7fe2d98326e0
531b1cf0 daemon: added 7r listener=0x7fe2d98327c0
531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero
531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero
531b1cf0 daemon: activity on 1 descriptor
531b1cf0 daemon: activity on:531b1cf0
531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero
531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero
531b1cf4 daemon: activity on 1 descriptor
531b1cf4 daemon: activity on:531b1cf4
531b1cf4 daemon: epoll: listen=6 busy
531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero
531b1cf4 daemon: activity on 1 descriptor
531b1cf4 daemon: activity on:531b1cf4
531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero
531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero
531b1cf4 daemon: listen=6, new connection on 12
531b1cf4 daemon: added 12r (active) listener=(nil)
531b1cf4 daemon: activity on 1 descriptor
531b1cf4 daemon: activity on:531b1cf4
12r531b1cf4
531b1cf4 daemon: read active on 12
531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero
531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero
531b1cf4 daemon: activity on 1 descriptor
531b1cf4 daemon: activity on:531b1cf4
531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero
531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero
531b1cf4 daemon: activity on 1 descriptor
531b1cf4 daemon: activity on:531b1cf4
531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero
531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero
531b1cf4 daemon: activity on 1 descriptor
531b1cf4 daemon: activity on:531b1cf4
12r531b1cf4
531b1cf4 daemon: read active on 12
531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero
531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero
TLS: can't accept: The peer did not send any certificate..
531b1cf4 connection_closing: readying conn=1000 sd=12 for close
531b1cf4 daemon: removing 12
531b1cf4 daemon: activity on 1 descriptor
531b1cf4 daemon: activity on:531b1cf4
Why would the client not send the certificate if I've pointed TLS_CACERT in ldap.conf and tls_cacertfile to that cert? Maybe I'm misunderstanding the basic concepts here; I am pretty new to a lot of this. I'm using OpenLDAP 2.4.31, Debian 7, and GnuTLS. Yes, I'm aware of its recent critical security bug and the warnings against it from this group (http://www.openldap.org/lists/openldap-devel/200802/msg00072.html).

Thanks,
Joshua
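Added example, not part of the thread or of OpenLDAP: a small Python check of the point the "peer did not send any certificate" line turns on. TLS_CACERT (tls_cacertfile in nslcd.conf) only tells the client which CA to trust for the server's certificate; a server running with olcTLSVerifyClient: demand also requires the client to present a certificate of its own, configured on the client with TLS_CERT and TLS_KEY (tls_cert / tls_key in nslcd.conf). The config contents and paths below are constructed.

```python
# Added example (not from the thread): can a client's TLS settings satisfy the
# server's olcTLSVerifyClient level? slapcat LDIF is read for the server side,
# an ldap.conf/nslcd.conf-style file for the client side. Inputs are constructed.

def parse_ldif(text):
    """Flatten slapcat LDIF into {attr: value}; folded lines start with a space."""
    joined, attrs = [], {}
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]              # LDIF line folding
        else:
            joined.append(line)
    for line in joined:
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def parse_client_conf(text):
    """ldap.conf / nslcd.conf: 'KEY value' per line; keys compared case-insensitively."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blanks
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_client_cert(server_ldif, client_conf):
    """Return (ok, reason): can this client satisfy the server's verify level?"""
    level = parse_ldif(server_ldif).get("olcTLSVerifyClient", "never").lower()
    conf = parse_client_conf(client_conf)
    has_cert = bool(conf.get("tls_cert")) and bool(conf.get("tls_key"))
    # demand/hard/true: slapd closes the session unless the client presents a cert
    if level in ("demand", "hard", "true") and not has_cert:
        return False, "server demands a client certificate but TLS_CERT/TLS_KEY are unset"
    return True, "client certificate requirements satisfied at level " + level

SERVER_LDIF = """dn: cn=config
olcTLSCACertificateFile: /etc/ssl/certs/example-ca.crt
olcTLSVerifyClient: demand
"""
CLIENT_CONF = """# constructed ldap.conf: trusts the CA but presents no certificate
TLS_CACERT /etc/ssl/certs/example-ca.crt
"""
CLIENT_CONF_FIXED = CLIENT_CONF + "TLS_CERT /etc/ssl/certs/client.crt\nTLS_KEY /etc/ssl/private/client.key\n"

if __name__ == "__main__":
    for conf in (CLIENT_CONF, CLIENT_CONF_FIXED):
        print(check_client_cert(SERVER_LDIF, conf))
```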