[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd verifyclient fails on demand

To: j.franx@kernelbug.org, openldap-technical@openldap.org
Subject: Re: slapd verifyclient fails on demand
From: Howard Chu <hyc@symas.com>
Date: Mon, 20 Apr 2015 20:39:59 +0100
In-reply-to: <20150420180747.GA10947@kernelbug.org>
References: <20150420180747.GA10947@kernelbug.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0 SeaMonkey/2.37a1

E.therepa wrote:

Dear Tech list,

I'd like to use CRL's to regulate client connections to my slapd server.
So i've build working certs and keys with gnutls. The whole keysetup is tested and working properly,
by invoking gnu-serv and gnu-cli i could succesfully create connections and drop clients in my revocation list.

In order to use this in slapd/ldap utils i use this settings,

slapd.conf,
TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
TLSCRLFile /etc/ldap/ssl/crl.pem
TLSCipherSuite SECURE256:-VERS-SSL3.0
TLSVerifyClient hard

ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem

TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key

cert and key are invalid in a .conf file. Read the ldap.conf(5) manpagemore carefully.

TLS_REQCERT hard

As far as i can see and found info my client and servers TLS settings are configured properly.
What i really don't get is that the client doesnt send his certs to the server.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- slapd verifyclient fails on demand
  - From: "E.therepa" <ldaptech+Etherape@kernelbug.org>

Prev by Date: Re: Elapsed Time logging
Next by Date: Re: slapd verifyclient fails on demand
Index(es):
- Chronological
- Thread