
slapd verifyclient fails on demand



Dear Tech list,

I'd like to use CRLs to regulate client connections to my slapd server.
So I've built working certs and keys with GnuTLS. The whole key setup is tested and working properly:
by invoking gnu-serv and gnu-cli I could successfully create connections and drop clients in my revocation list.

In order to use this in slapd/ldap utils I use these settings:

slapd.conf,
TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
TLSCRLFile /etc/ldap/ssl/crl.pem
TLSCipherSuite SECURE256:-VERS-SSL3.0
TLSVerifyClient hard

ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
TLS_REQCERT hard

Slapd debug,
55353d59 slapd starting
55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636)
TLS: can't accept: No certificate was found..
55353d5b conn=1000 fd=16 closed (TLS negotiation failure)

ldapsearch debug,
ldap_start_tls: Can't contact LDAP server (-1)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
  0000:  30 05 02 01 02 42 00                               0....B.           
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed


As far as I can see, and from the info I have found, my client's and server's TLS settings are configured properly.
What I really don't get is that the client doesn't send its certs to the server.


Best regards,
E.therepa
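The following pre-flight script is an added example, not part of the original post or of OpenLDAP: it checks the client-side material before ldapsearch talks to a slapd running with TLSVerifyClient hard, and exercises the point from ldap.conf(5) that TLS_CERT and TLS_KEY are user-only options read from ~/.ldaprc rather than the system ldap.conf. It assumes the openssl CLI is installed; the default paths are taken from the post, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Pre-flight checks for an OpenLDAP client certificate before talking to a
# slapd that runs with "TLSVerifyClient hard". The defaults below are the
# paths from the post; override them in the environment. Needs the openssl CLI.
CA=${CA:-/etc/ldap/ssl/ca-cert.pem}
CRT=${CRT:-/etc/ldap/ssl/clients/lrc-ldapsearch.crt}
KEY=${KEY:-/etc/ldap/ssl/clients/lrc-ldapsearch.key}
CRL=${CRL:-/etc/ldap/ssl/crl.pem}

# 1. The private key must belong to the certificate: compare the public key
#    (SubjectPublicKeyInfo PEM) derived from each side; works for RSA and EC.
key_matches_cert() { # $1=cert $2=key
    [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 2. The certificate must chain to the CA that slapd trusts (TLSCACertificateFile)
#    and must not be listed in the CRL slapd loads (TLSCRLFile). CRL is optional.
cert_chain_ok() { # $1=cert $2=ca [$3=crl]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -crl_check -CRLfile "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# 3. ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only options: the client
#    identity is taken from ~/.ldaprc (or $LDAPRC), not from the system ldap.conf.
#    This verifies that the given rc file actually sets both.
ldaprc_has_client_identity() { # $1=rc file
    grep -Eq '^[[:space:]]*TLS_CERT[[:space:]]+[^[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*TLS_KEY[[:space:]]+[^[:space:]]' "$1"
}

# 4. Live check: s_client exits 0 only when the full handshake completed and,
#    with -verify_return_error, only when the server certificate verified too.
#    With "TLSVerifyClient hard" a missing or revoked client cert aborts the
#    handshake, so a non-zero status here reproduces the "can't accept" failure.
#    Add -state to watch the CertificateRequest/Certificate messages.
handshake_ok() { # $1=host:port, e.g. ldap.example.org:636 (placeholder)
    openssl s_client -connect "$1" -CAfile "$CA" -cert "$CRT" -key "$KEY" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: CA=... CRT=... KEY=... CRL=... sh preflight.sh (then call handshake_ok).
preflight() {
    key_matches_cert "$CRT" "$KEY"  || { echo "key does not match cert"; return 1; }
    cert_chain_ok "$CRT" "$CA" "$CRL" || { echo "cert fails CA/CRL verification"; return 1; }
    ldaprc_has_client_identity "$HOME/.ldaprc" || { echo "TLS_CERT/TLS_KEY missing from ~/.ldaprc"; return 1; }
    echo "local checks passed"
}
```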