Did you specify these two parameters in your ldap.conf file on the client side?: TLS_REQCERT demand TLS_CACERT /etc/openldap/certs/cacert.pem Sam On Fri, 2005-01-14 at 07:05, Anderson Alves de Albuquerque wrote: > I am listing my steps.... > > - I am doing this steps: > % openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365 > > % mkdir /var/myca > % cd /var/myca/ > % /usr/share/ssl/misc/CA.sh -newca > > % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem > > % /usr/share/ssl/misc/CA.sh -sign > > % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem > % mv newcert.pem /usr/var/openldap-data/servercrt.pem > % mv newreq.pem /usr/var/openldap-data/serverkey.pem > % chmod 400 /usr/var/openldap-data/serverkey.pem > > > > - I created certs to my client: > % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem > % /usr/share/ssl/misc/CA.sh -sign > > % cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem > % mv newcert.pem /usr/var/openldap-data/servercrt.pem > % mv newreq.pem /usr/var/openldap-data/serverkey.pem > % chmod 400 /usr/var/openldap-data/serverkey.pem > > > % mv newcert.pem /home/user/certs/ldap.client.pem > % mv newreq.pem /home/user/certs/keys/ldap.client.key.pem > % chmod 400 /home/user/certs/keys/ldap.client.key.pem > > > > - In my slapd.conf: > TLSCipherSuite HIGH:MEDIUM:+SSLv2 > TLSCACertificateFile /tmp/ssl/SSL/cacert.pem > TLSCertificateFile /tmp/ssl/SSL/servercrt.pem > TLSCertificateKeyFile /tmp/ssl/SSL/serverkey.pem > > > > - Im my radiusd.conf: > start_tls=no > tls_cacertfile = /tmp/ssl/SSL/cacert.pem > tls_cacertdir = /tmp/ssl/SSL > port=636 > #tls_certfile = /tmp/ssl/SSL/ldap.client.pem > #tls_keyfile = /tmp/ssl/SSL/ldap.client.key.pem > > > > > - I make a test with this config below: > start_tls=no > tls_cacertfile = /tmp/ssl/SSL/cacert.pem > tls_cacertdir = /tmp/ssl/SSL > port=636 > tls_certfile = /tmp/ssl/SSL/ldap.client.pem > tls_keyfile = /tmp/ssl/SSL/ldap.client.key.pem > > > > > > > > > On Fri, 14 Jan 2005, Dieter Kluenter wrote: > > > Anderson Alves de Albuquerque <anderson@belem.voip.nce.ufrj.br> writes: > > > > > I use my RADIUS make authentication in LDAP server, but I have a > > > problema that I describe below. > > > > > > I created the certificates with > > > http://www.freeradius.org/radiusd/doc/rlm_ldap. And I put in my > > > radiusd.conf the configs below, but I have problems. > > > > [...] > > > tls_read: want=5, got=5 > > > 0000: 15 03 01 00 02 ..... > > > tls_read: want=2, got=2 > > > 0000: 02 30 .0 > > > TLS: can't accept. > > > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca > > > /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1052 > > > ^Cslapd shutdown: waiting for 0 threads to terminate > > > slapd stopped. > > > > You did not describe how you created your certificates, but the log > > clearly says that the CA is unknown. This is a good document on > > creating certificates > > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html > > > > -Dieter > > > >
Attachment:
signature.asc
Description: This is a digitally signed message part