Re: slapd verifyclient fails on demand
Alright, it's clear.
The section in Debian's ldap.conf has the following content:
TLSCertificateKeyFile <filename>
Specifies the file that contains the slapd server private key that matches the certificate stored in the TLSCertificateFile file. Currently, the private key must not be protected with a password, so it is of critical importance that it is protected carefully.
When using Mozilla NSS, TLSCertificateKeyFile specifies the name of a file that contains the password for the key for the certificate specified with TLSCertificateFile.
The modutil command can be used to turn off password protection for the cert/key database. For example, if TLSCACertificatePath specifies /etc/openldap/certdb as the location of the cert/key database, use modutil to change the password to the empty string:
modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
You must have the old password, if any. Ignore the WARNING about the running browser. Press 'Enter' for the new password.
Reading this info, I would not expect that it is not valid in ldap.conf, since it is not pointed out here.
Nevertheless, I could have read further.
Howard Chu,
If you allow me to ask you something about gnutls directly: do you still stand behind the statement you made here,
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
I know it's out of date, but you said 'the code is fundamentally broken'.
I'm not knowledgeable about the internals of gnutls, but I am very curious whether you have changed your mind since then.
Best regards,
Etherape
On Mon, Apr 20, 2015 at 02:46:28PM -0500, Dan White wrote:
> On 04/20/15 20:07 +0200, E.therepa wrote:
> >Dear Tech list,
> >
> >I'd like to use CRLs to regulate client connections to my slapd server.
> >So I've built working certs and keys with gnutls. The whole key setup is tested and working properly;
> >by invoking gnu-serv and gnu-cli I could successfully create connections and drop clients in my revocation list.
> >
> >In order to use this in slapd/ldap utils i use this settings,
> >
> >slapd.conf,
> >TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
> >TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
> >TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
> >TLSCRLFile /etc/ldap/ssl/crl.pem
> >TLSCipherSuite SECURE256:-VERS-SSL3.0
> >TLSVerifyClient hard
> >
> >ldap.conf
> ># TLS certificates (needed for GnuTLS)
> >TLS_CACERT /etc/ldap/ssl/ca-cert.pem
> >TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
>
> This is a user only option. See ldap.conf(5).
>
> >TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
> >TLS_REQCERT hard
> >
> >Slapd debug,
> >55353d59 slapd starting
> >55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636)
> >TLS: can't accept: No certificate was found..
> >55353d5b conn=1000 fd=16 closed (TLS negotiation failure)
> >
> >ldapsearch debug,
> >ldap_start_tls: Can't contact LDAP server (-1)
> >ldap_free_connection 1 1
> >ldap_send_unbind
> >ber_flush2: 7 bytes to sd 4
> > 0000: 30 05 02 01 02 42 00 0....B.
> >ldap_write: want=7 error=Broken pipe
> >ldap_free_connection: actually freed
> >
> >
> >As far as I can see, and from the info I found, my client's and server's TLS settings are configured properly.
> >What I really don't get is that the client doesn't send its certs to the server.
>
> --
> Dan White
>
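The point Dan White raises above (TLS_CERT is a user-only option in ldap.conf(5), and so is TLS_KEY) is easy to miss, and libldap gives no error when those directives sit in the system-wide /etc/ldap/ldap.conf: it simply never loads the client certificate, which matches the "No certificate was found" failure with TLSVerifyClient hard. The following is an added example, not code from the thread or from the OpenLDAP project. It lints an ldap.conf for user-only TLS options and emits the per-user ~/.ldaprc lines, or the equivalent LDAPTLS_CERT / LDAPTLS_KEY environment exports, that libldap does honour. The sample configuration embedded in it is constructed to mirror the one posted in the thread.

```python
"""Lint a system-wide ldap.conf for options that libldap only reads from a
per-user ~/.ldaprc or from LDAP*-prefixed environment variables.

Added example, not part of the thread or of OpenLDAP itself.  The set of
user-only options is taken from ldap.conf(5); extend USER_ONLY_OPTIONS if
your libldap version documents more.
"""
from typing import List, Tuple

# Options that ldap.conf(5) marks "This is a user-only option."
USER_ONLY_OPTIONS = frozenset({"TLS_CERT", "TLS_KEY"})

# Constructed sample: the client-side ldap.conf from the thread.
SAMPLE_LDAP_CONF = """\
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
TLS_REQCERT hard
"""


def parse_ldap_conf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, OPTION, value) for each directive.

    Blank lines and '#' comments are skipped.  Option names are
    case-insensitive in ldap.conf, so they are normalised to upper case.
    """
    entries: List[Tuple[int, str, str]] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a bare keyword with no value is not a directive we can act on
        entries.append((number, parts[0].upper(), parts[1].strip()))
    return entries


def misplaced_user_only_options(text: str) -> List[Tuple[int, str, str]]:
    """Directives a system-wide ldap.conf cannot set; libldap ignores them silently."""
    return [entry for entry in parse_ldap_conf(text) if entry[1] in USER_ONLY_OPTIONS]


def ldaprc_lines(text: str) -> List[str]:
    """The lines to move into the invoking user's ~/.ldaprc instead."""
    return [f"{option} {value}" for _, option, value in misplaced_user_only_options(text)]


def env_exports(text: str) -> List[str]:
    """Equivalent shell exports: ldap.conf(5) maps option X to environment variable LDAPX."""
    return [f"export LDAP{option}={value}" for _, option, value in misplaced_user_only_options(text)]


if __name__ == "__main__":
    for number, option, value in misplaced_user_only_options(SAMPLE_LDAP_CONF):
        print(f"line {number}: {option} is user-only and will be ignored here")
    print("\n# put these in ~/.ldaprc of the user running ldapsearch:")
    print("\n".join(ldaprc_lines(SAMPLE_LDAP_CONF)))
    print("\n# or export them for a one-off run:")
    print("\n".join(env_exports(SAMPLE_LDAP_CONF)))
```

With the sample above the linter reports lines 3 and 4; after moving those two directives into ~/.ldaprc (or exporting LDAPTLS_CERT and LDAPTLS_KEY) the client has a certificate to present, and the server-side CRL check in TLSCRLFile can actually be exercised. The private key file still needs to be readable only by that user, for the same reason the slapd.conf(5) text quoted above gives for the server key.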