openldap client cert validation
- To: openldap-technical@openldap.org
- Subject: openldap client cert validation
- From: "Matwey V. Kornilov" <matwey.kornilov@gmail.com>
- Date: Sat, 6 Aug 2016 16:07:43 +0300
Hello,
I am running openldap 2.4.41 and I've failed to setup client certificate
validation. TLS works well until olcTLSVerifyClient is set to demand.
Then I see
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
at client side.
And
connection_read(11): TLS accept failure error=-1 id=1021, closing
at the server side.
So, I've configured /etc/openldap/ldap.conf as the following to provide
client TLS certificate paths:
TLS_CACERT /path/to/myroot.pem
TLS_CACERTDIR /var/lib/ca-certificates/pem/
TLS_CERT /path/to/my.crt
TLS_KEY /path/to/my.key
However, when I run openssl s_server -Verify 0 -accept 636 ...
I see the following:
ERROR
140680155473552:error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
certificate:s3_srvr.c:3309:
shutting down SSL
CONNECTION CLOSED
ACCEPT
So, this means that ldapsearch doesn't send out its client certificate.
I've also checked with the strace tool that it doesn't even access the
certificate file.
So, I am a little stuck here. I understand that I am doing something
wrong, but I cannot figure out what.
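As an added example (not from the original thread, and not OpenLDAP's own code), a small checker for the settings the post lists, using the paths from the post as a constructed sample: it parses ldap.conf-style lines, verifies that the referenced files exist and are readable by the user who runs ldapsearch, and flags TLS_CERT/TLS_KEY when they appear in the system-wide file, because ldap.conf(5) documents those two as user-only options (read from ~/.ldaprc or $LDAPRC, not from /etc/openldap/ldap.conf).

```python
"""Check OpenLDAP client TLS settings in an ldap.conf-style file.

Added example, not part of the original post. Parses the `OPTION value`
lines used by ldap.conf(5) and .ldaprc and reports settings that would
keep ldapsearch from presenting a client certificate.
"""
import os

# Documented in ldap.conf(5) as "user-only" options: they are read from
# ~/.ldaprc (or $LDAPRC), not from the system-wide ldap.conf.
USER_ONLY = {"TLS_CERT", "TLS_KEY"}
# Options whose value names a file or directory on disk.
PATH_OPTIONS = {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY"}

# Constructed sample mirroring the /etc/openldap/ldap.conf from the post.
SAMPLE_CONF = """# client TLS settings
TLS_CACERT /path/to/myroot.pem
TLS_CACERTDIR /var/lib/ca-certificates/pem/
TLS_CERT /path/to/my.crt
TLS_KEY /path/to/my.key
"""


def parse_ldap_conf(text):
    """Return {OPTION: value}; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def check_client_tls(opts, system_wide, exists=os.path.exists,
                     readable=lambda p: os.access(p, os.R_OK)):
    """Return a list of findings for parsed options (empty list = nothing wrong).

    system_wide=True means the file is /etc/openldap/ldap.conf rather than
    a per-user .ldaprc. exists/readable are injectable for offline testing.
    """
    findings = []
    for key in ("TLS_CERT", "TLS_KEY"):
        if key not in opts:
            findings.append(f"{key} not set: client has no certificate to present")
    if system_wide:
        for key in sorted(USER_ONLY & opts.keys()):
            findings.append(f"{key} is a user-only option: put it in ~/.ldaprc, "
                            f"not the system-wide ldap.conf")
    for key in sorted(PATH_OPTIONS & opts.keys()):
        path = opts[key]
        if not exists(path):
            findings.append(f"{key}: {path} does not exist")
        elif not readable(path):
            findings.append(f"{key}: {path} is not readable by this user")
    return findings
```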