
Re: Problem when activating TLSVerifyClient demand



Greg Martin wrote:
> JoyDeep, if I understand the slapd manpage, TLSVerifyClient demand
> requires that the client have a valid certificate for authentication to
> the server. Have you configured ldap.conf with client certificate
> information?
>
> This is not to be confused with the 'TLS_REQCERT demand' directive
> in ldap.conf, which can direct the client to require the server
> certificate to be valid.
Thanks Greg,

here is the TLS part of my /etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT   /etc/openldap/myca/servercert.pem
TLS_KEY    /etc/openldap/myca/serverkey.pem
TLS_REQCERT demand

So what do I do to solve the problem?
Thanks once again for your response.

>
>
> \\Greg
>
> JOYDEEP wrote:
>> dear list,
>>
>> I have no problem executing the command
>>
>>     ldapsearch -H ldaps://  -u "uid=anupam" -x
>>
>> here is my TLS part of slapd.conf
>> ----------------------------------------
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>> TLSCertificateFile            /etc/openldap/myca/servercert.pem
>> TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
>> TLSCACertificateFile         /etc/openldap/myca/cacert.pem
>> TLSVerifyClient  never
>> -----------------------------------------------------------
>>
>> Now when I change [TLSVerifyClient never] to [TLSVerifyClient demand]
>> and try to execute the same command
>>
>>     ldapsearch -H ldaps://  -u "uid=anupam" -x
>>
>> it gives errors like
>>
>> ldap_bind: Can't contact LDAP server (-1)
>>         additional info: error:14094410:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>>
>> Could anyone suggest what the problem is here, and the solution, please?
>>
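An added example, not code from this thread or from the OpenLDAP project, illustrating the configuration pairing Greg describes: with "TLSVerifyClient demand" slapd validates the certificate the client presents (the one ldap.conf points at with TLS_CERT/TLS_KEY) against its own TLSCACertificateFile, while TLS_CACERT/TLS_REQCERT on the client side validate the server's certificate. The script below assumes openssl is installed and builds a throwaway PKI: one CA, one server certificate and one separate client certificate, using the file names from the thread (cacert.pem, servercert.pem, serverkey.pem) plus clientcert.pem/clientkey.pem, which are my own additions. It then runs the check a server performs on a client certificate, "openssl verify -purpose sslclient", which rejects a certificate whose extendedKeyUsage only allows serverAuth even though it chains to the same CA. Whether that is what is happening with the servercert.pem in the poster's ldap.conf cannot be told from the thread, but it is a quick thing to test.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a small PKI with openssl,
# which is assumed to be installed, and checks certificates the way a
# TLS server with "TLSVerifyClient demand" does: chain to the CA in
# TLSCACertificateFile, and be acceptable for the SSL client purpose.
# File names follow the thread's layout; the CNs are made up.
set -eu

# Create a fresh RSA key and CSR: $1 = dir, $2 = file prefix, $3 = CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2key.pem" -out "$1/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
}

# Sign a CSR with the CA, attaching the v3 extensions in file $3.
sign_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -extfile "$1/$3" -days 365 -out "$1/$2cert.pem" >/dev/null 2>&1
}

# Build CA, server cert and client cert under directory $1.
make_pki() {
    dir="$1"
    mkdir -p "$dir"

    # Extension files: the CA is marked as a CA, the server cert is
    # restricted to serverAuth, the client cert to clientAuth.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"

    # Self-signed CA: TLSCACertificateFile in slapd.conf, TLS_CACERT in ldap.conf.
    new_csr "$dir" ca "Example LDAP CA"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/cakey.pem" \
        -extfile "$dir/ca.ext" -days 365 -out "$dir/cacert.pem" >/dev/null 2>&1

    # Server certificate: TLSCertificateFile / TLSCertificateKeyFile in slapd.conf.
    new_csr "$dir" server "ldap.example.test"
    sign_csr "$dir" server server.ext

    # Client certificate: TLS_CERT / TLS_KEY in ldap.conf. Issued by the
    # same CA that slapd trusts, but a distinct certificate for the user.
    new_csr "$dir" client "anupam"
    sign_csr "$dir" client client.ext
}

# Does certificate $2 chain to CA $1 at all (ignoring purpose)?
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Would a TLS server accept certificate $2 as a *client* certificate?
# "-purpose sslclient" adds the purpose check libssl applies when a
# server verifies the certificate a connecting client presents.
accepted_as_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Stand-alone use: sh mkpki.sh /tmp/ldappki
if [ $# -gt 0 ]; then
    make_pki "$1"
    for c in servercert clientcert; do
        if accepted_as_client_cert "$1/cacert.pem" "$1/$c.pem"; then
            echo "$c.pem: accepted as a client certificate"
        else
            echo "$c.pem: rejected as a client certificate"
        fi
    done
fi
```

To apply this to a real setup, point slapd's TLSCACertificateFile and the client's TLS_CACERT at cacert.pem, keep servercert.pem/serverkey.pem in slapd.conf, and put clientcert.pem/clientkey.pem (readable by the user running ldapsearch) in TLS_CERT/TLS_KEY; running the same "openssl verify -purpose sslclient -CAfile cacert.pem <file>" against whatever TLS_CERT currently names shows whether slapd's OpenSSL would accept it before any LDAP bind is attempted.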