Re: openldap client cert validation



After inspecting source code I've just found that TLS_KEY and TLS_CERT
are ignored if located in /etc/openldap/ldap.conf.
Why isn't it written explicitly in man ldap.conf(5)? I've spent two
days of my precious life digging it out.
Now it works.

2016-08-06 16:07 GMT+03:00 Matwey V. Kornilov <matwey.kornilov@gmail.com>:
> Hello,
>
> I am running openldap 2.4.41 and I've failed to setup client certificate
> validation. TLS works well until olcTLSVerifyClient is set to demand.
> Then I see
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> at client side.
> And
>
> connection_read(11): TLS accept failure error=-1 id=1021, closing
>
> at the server side.
> So, I've configured /etc/openldap/ldap.conf as follows to provide
> client TLS certificate paths:
>
> TLS_CACERT /path/to/myroot.pem
> TLS_CACERTDIR /var/lib/ca-certificates/pem/
> TLS_CERT /path/to/my.crt
> TLS_KEY /path/to/my.key
>
> However, when I run openssl s_server -Verify 0 -accept 636 ...
> I see the following:
>
> ERROR
> 140680155473552:error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> certificate:s3_srvr.c:3309:
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
>
> So, this means that ldapsearch doesn't send out its client certificate.
> I've also checked with the strace tool that it doesn't even access
> the certificate file.
>
> So, I am a little stuck here. I understand that I am doing something
> wrong, but I cannot figure out what.



-- 
With best regards,
Matwey V. Kornilov
http://blog.matwey.name
xmpp://0x2207@jabber.ru
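As an added example, not part of the thread above: a small POSIX shell check for the pitfall Matwey describes. TLS_CERT and TLS_KEY are user-only client options, so ldapsearch takes them from ~/.ldaprc or from the LDAPTLS_CERT / LDAPTLS_KEY environment variables and silently ignores them in the system-wide /etc/openldap/ldap.conf; the script flags the misplaced directives and reports where the client will actually find each one. File paths are parameters so the check can be run against any config file.

```shell
#!/bin/sh
# Added example: audit where the OpenLDAP client-certificate options live.
# TLS_CERT / TLS_KEY are user-only options: the client libraries read them
# from ~/.ldaprc and from the environment (LDAPTLS_CERT, LDAPTLS_KEY), but
# ignore them in the system-wide ldap.conf, which is exactly why ldapsearch
# never opened the certificate file in the thread above.

# conf_value FILE OPTION: print OPTION's value from an ldap.conf-style file
# (first match wins, comments skipped), or nothing if absent/unreadable.
conf_value() {
    [ -r "$1" ] || return 0
    awk -v opt="$2" '/^[[:space:]]*#/ { next }
                     toupper($1) == opt { print $2; exit }' "$1"
}

# misplaced_options SYSTEM_CONF: print the user-only directives that are
# present in the system-wide file, where the client will ignore them.
misplaced_options() {
    out=""
    for opt in TLS_CERT TLS_KEY; do
        if [ -n "$(conf_value "$1" "$opt")" ]; then
            out="${out:+$out }$opt"
        fi
    done
    echo "$out"
}

# effective_value OPTION USER_RC: where the client really takes OPTION from.
# The LDAP<OPTION> environment variable overrides the per-user rc file.
effective_value() {
    envval=$(eval "printf '%s' \"\${LDAP$1:-}\"")
    if [ -n "$envval" ]; then echo "env:$envval"; return 0; fi
    v=$(conf_value "$2" "$1")
    if [ -n "$v" ]; then echo "$2:$v"; return 0; fi
    echo "unset"
}

# report: run the check against the real files on this host.
report() {
    m=$(misplaced_options /etc/openldap/ldap.conf)
    [ -n "$m" ] && echo "WARN: ignored in /etc/openldap/ldap.conf: $m"
    for opt in TLS_CERT TLS_KEY; do
        echo "$opt -> $(effective_value "$opt" "$HOME/.ldaprc")"
    done
}

case "${1:-}" in --report) report ;; esac
```

Run with `--report` to audit the local host; an "unset" result for either option is the state that produced "peer did not return a certificate" in the thread.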