Hi,
I use TLS for LDAP clients to authenticate the LDAP server. I've created a self-signed
CA as well as the server certificate with openssl. The CA is known
on the client side (aka: TLS_CACERT in ldap.conf).
Since I'm using multimaster mode, I have also been able to tell the servers
to authenticate each other for synchronisation (starttls=yes and
tls_cacert=/.../CA.crt in olcSyncrepl).
--> OK: all this works fine for me.
I now try to bind to OpenLDAP using a user certificate (with a subject appropriately
matching the user's LDAP entry, and signed with the same CA that is also
known by the server (aka: olcTLSCACertificateFile)).
I have told the server to attempt to verify the client (olcTLSVerifyClient: try) and
I have declared my user certificate files in my ~/.ldaprc:
TLS_CERT /home/olivier/certs/my.crt
TLS_KEY /home/olivier/certs/my.key
Result: I don't manage to bind to the server (I tried ldapsearch -ZZZ -Y external).
Where am I going wrong?
Note:
On the server side, I don't manage to see the TLS transactions in the logs; is
there any loglevel one could recommend?
On the client side, I don't see my certificates being read by ldapsearch
(aka: ldapsearch -d1).