[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bind with user cert in ~/.ldaprc ?



It works now !

TLS_CA CERT was in ldap.conf so that was not the problem : it was
a shadow caracter hidden in the CERT filename path.

Stupid really :-(

Thanks for your response !

I take the best to ask this : do you have any advice or suggestion of
readings for production deployement ( aka : do you think that could
consider to generalize this method for my user to authenticate ?)

By "users" I mean internal users to access to internal ressources
includings shells on boxes, and also external users to access to
a webapp that we offer to them.

Thanks again,

---
Olivier







2014-07-17 10:44 GMT+02:00 Dieter KlÃnter <dieter@dkluenter.de>:
Am Thu, 17 Jul 2014 10:03:19 +0200
schrieb Olivier <ldap@guillard.nom.fr>:

> Hi,
>
> I use TLS for ldap clients to authentify the ldap server. ÂI've
> created a self
> signed CA as well as the server certificate with openssl. The CA is
> known on the client side (aka : TLS_CACERT in ldap.conf).
>
> Since I'm using multimaster mode, I also have been able to tell the
> servers to authenticate between them for synchronisation
> (starttls=yes and tls_cacert=/.../CA.crt in olcSyncrepl)
>
> --> Ok : all this works fine for me.
>
> I now try to bind openldap using a user certificate ( with a subject
> apporiately
> matching the user ldap entry, and signed with with the same CA that
> is also known by the server (aka: olcTLSCACertificateFile) ).
>
> I have told the server to attempt to verify the client
> (olcTLSVerifyClient: try) and
> I have declared my user certificate files in my ~/.ldaprc :
>
> TLS_CERT /home/olivier/certs/my.crt
> TLS_KEY /home/olivier/certs/my.key
>
> Result : I don't manage to bind the server (I tried ldapsearch -ZZZ -Y
> external)
>
> Where am I wrong ?
>
> Note :
>
> On the server side, I don't manage to see the TLS transactions in the
> logs, is
> there any loglevel one would could recommend ?
>
> On the client side, I don't see my certicates to be red by ldapsearch
> (aka : ldapsearch -d1).
>
> Any help ?

At least, it works for me,
ldapwhoami -Y EXTERNAL -ZZ -H ldap://<my.host>
SASL/EXTERNAL authentication started
SASL username: cn=Dieter Kluenter,ou=Partner,o=AVCI,c=DE
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

You are probably missing the TLS_CA CERT parameter in you ~/.ldaprc
Otherwise run slapd in debug level 3.

-Dieter





--
Dieter KlÃnter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53Â37'09,95"N
10Â08'02,42"E