Am Thu, 17 Jul 2014 10:03:19 +0200
schrieb Olivier <ldap@guillard.nom.fr>:
At least, it works for me,
> Hi,
>
> I use TLS for ldap clients to authentify the ldap server. ÂI've
> created a self
> signed CA as well as the server certificate with openssl. The CA is
> known on the client side (aka : TLS_CACERT in ldap.conf).
>
> Since I'm using multimaster mode, I also have been able to tell the
> servers to authenticate between them for synchronisation
> (starttls=yes and tls_cacert=/.../CA.crt in olcSyncrepl)
>
> --> Ok : all this works fine for me.
>
> I now try to bind openldap using a user certificate ( with a subject
> apporiately
> matching the user ldap entry, and signed with with the same CA that
> is also known by the server (aka: olcTLSCACertificateFile) ).
>
> I have told the server to attempt to verify the client
> (olcTLSVerifyClient: try) and
> I have declared my user certificate files in my ~/.ldaprc :
>
> TLS_CERT /home/olivier/certs/my.crt
> TLS_KEY /home/olivier/certs/my.key
>
> Result : I don't manage to bind the server (I tried ldapsearch -ZZZ -Y
> external)
>
> Where am I wrong ?
>
> Note :
>
> On the server side, I don't manage to see the TLS transactions in the
> logs, is
> there any loglevel one would could recommend ?
>
> On the client side, I don't see my certicates to be red by ldapsearch
> (aka : ldapsearch -d1).
>
> Any help ?
ldapwhoami -Y EXTERNAL -ZZ -H ldap://<my.host>
SASL/EXTERNAL authentication started
SASL username: cn=Dieter Kluenter,ou=Partner,o=AVCI,c=DE
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
You are probably missing the TLS_CA CERT parameter in you ~/.ldaprc
Otherwise run slapd in debug level 3.
-Dieter
--
Dieter KlÃnter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53Â37'09,95"N
10Â08'02,42"E