
Bind with user cert in ~/.ldaprc ?



Hi,

I use TLS for LDAP clients to authenticate the LDAP server. I've created a
self-signed CA as well as the server certificate with openssl. The CA is known
on the client side (aka: TLS_CACERT in ldap.conf).

Since I'm using multimaster mode, I also have been able to tell the servers
to authenticate between them for synchronisation (starttls=yes and
tls_cacert=/.../CA.crt in olcSyncrepl)

--> OK: all this works fine for me.

I now try to bind to openldap using a user certificate (with a subject
appropriately matching the user's LDAP entry, and signed with the same CA that
is also known by the server (aka: olcTLSCACertificateFile)).

I have told the server to attempt to verify the client (olcTLSVerifyClient: try)
and I have declared my user certificate files in my ~/.ldaprc:

TLS_CERT /home/olivier/certs/my.crt
TLS_KEY /home/olivier/certs/my.key

Result: I don't manage to bind to the server (I tried ldapsearch -ZZZ -Y external).

Where am I wrong?

Note:

On the server side, I don't manage to see the TLS transactions in the logs; is
there any loglevel one could recommend?

On the client side, I don't see my certificates being read by ldapsearch
(aka: ldapsearch -d1).

Any help?

Thanks

---
Olivier
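A useful check when a SASL EXTERNAL bind over StartTLS fails is to compare the identity slapd derives from the client certificate with the DN of the user entry, since a subject that is not literally the entry's DN needs an olcAuthzRegexp mapping. The script below is an added example, not code from the post or from OpenLDAP: it turns the subject line printed by `openssl x509 -noout -subject -nameopt compat` into the DN string form slapd is assumed to present as the EXTERNAL authcid (RFC 4514 order, lowercased attribute types; confirm the real value with `ldapwhoami -ZZ -Y EXTERNAL -d 1`, whose debug output also shows the TLS handshake and certificate files being read), and builds and simulates a matching olcAuthzRegexp rule. The CA suffix, base DN and uid-based lookup are assumptions.

```python
import re
from typing import Optional

# Characters that RFC 4514 requires escaping inside an attribute value
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for the LDAP string representation of a DN."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in ' #'
        trailing = i == len(value) - 1 and ch == ' '
        out.append('\\' + ch if ch in _SPECIAL or leading or trailing else ch)
    return ''.join(out)


def openssl_subject_to_dn(subject: str) -> str:
    """Convert an OpenSSL legacy subject line ('/C=FR/O=Example/CN=olivier')
    into LDAP DN string form, most specific RDN first. Attribute types are
    lowercased to mimic slapd's normalized form (assumption, see lead-in)."""
    rdns = []
    for part in subject.strip().split('/'):
        if not part:
            continue
        attr, _, val = part.partition('=')
        rdns.append(f"{attr.strip().lower()}={escape_rdn_value(val.strip())}")
    return ','.join(reversed(rdns))


def authz_regexp_for(ca_suffix: str, base_dn: str) -> str:
    """Build an olcAuthzRegexp value mapping every certificate whose subject
    ends in ca_suffix to the entry under base_dn whose uid equals the CN
    (hypothetical naming scheme chosen for this example)."""
    return f"^cn=([^,]+),{ca_suffix}$ ldap:///{base_dn}??sub?(uid=$1)"


def apply_authz_regexp(authcid_dn: str, rule: str) -> Optional[str]:
    """Simulate slapd applying the rule: return the search URL with $1
    substituted, or None when the identity does not match the pattern.
    slapd uses POSIX extended regexps; Python's re agrees for this pattern."""
    pattern, _, replacement = rule.partition(' ')
    match = re.match(pattern, authcid_dn)
    return replacement.replace('$1', match.group(1)) if match else None


if __name__ == '__main__':
    # Constructed sample subject, not from a real certificate
    dn = openssl_subject_to_dn('/C=FR/O=Example/CN=olivier')
    rule = authz_regexp_for('o=Example,c=FR', 'dc=example,dc=com')
    print(dn, '->', apply_authz_regexp(dn, rule))
```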