
TLSVerifyClient => no login possible



Hello,

I have configured an openSUSE 11.0 (x86_64) system with an OpenLDAP server. TLS is
also activated. All clients are set to "TLS_REQCERT    demand"
and it is working.
Then I created client certificates using the server's YaST2 CA
management. I copied the client certificates and also the server's
"cacert" into the "/etc/openldap/" directory on the client computer. With
"TLSVerifyClient allow" clients can log in, but if I activate the
"TLSVerifyClient demand" option in the server's slapd.conf no user can
perform a login and it causes errors in /var/log/messages:
----------------/var/log/messages----------------
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: conn=107 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1
tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept
failure error=-1 id=107, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying
conn=107 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=107 sd=14
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: conn=108 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1
tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept
failure error=-1 id=108, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying
conn=108 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=108 sd=14
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: conn=109 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1
tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept
failure error=-1 id=109, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying
conn=109 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=109 sd=14
----------------/var/log/messages----------------
slapd.conf:
---------------/etc/openldap/slapd.conf--------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/yast.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/dnszone.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/samba3.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
pidfile        /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args
#       Directives needed to implement policy:
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by * read

#######################################################################
# BDB database definitions
#######################################################################

loglevel 5
TLSCertificateFile /etc/openldap/servercert.pem
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient demand
database bdb
suffix "dc=lmv,dc=lmv"
rootdn "cn=ldaproot,dc=lmv,dc=lmv"
rootpw "???????"
directory /mnt/lvm/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
database monitor
---------------/etc/openldap/slapd.conf--------
ldap.conf (client):
--------------/etc/openldap/slapd.conf---------
#
# LDAP Defaults
#
#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never
TLS_CACERT    /etc/openldap/cacert.pem
TLS_CERT    /etc/openldap/clientcert_205.pem
TLS_KEY        /etc/openldap/clientkey_205.pem
TLS_REQCERT    demand
host    192.168.0.201
base    dc=lmv,dc=lmv
--------------/etc/openldap/slapd.conf---------

What is wrong? The client's certificate "common name" is set to the
client's hostname. Is this ok?

-- 
Kind regards,

Sebastian Reinhardt
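As an added example (not part of the post above), a small Python script that works over slapd log records like the ones quoted: it re-joins lines wrapped by the mail client, ties each StartTLS request (OID 1.3.6.1.4.1.1466.20037) to its connection id, and lists the connections slapd closed with a "TLS accept failure", which is the symptom TLSVerifyClient demand produces when the client presents no certificate that verifies against TLSCACertificateFile. The sample log is constructed to match the excerpt's format.

```python
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # OID of the StartTLS extended operation
# Constructed sample in the shape of the slapd (loglevel 5) excerpt above, with two
# records wrapped as in the mail: conn 107 fails the TLS accept, conn 108 does not.
SAMPLE_LOG = """\
Feb 22 18:50:01 lmvserver slapd[7093]: conn=107 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept
failure error=-1 id=107, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=107 sd=14
Feb 22 18:50:02 lmvserver slapd[7093]: conn=108 op=0 do_extended
Feb 22 18:50:02 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:02 lmvserver slapd[7093]: connection_close: conn=108 sd=15
"""
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
DO_EXTENDED = re.compile(r"conn=(\d+) op=\d+ do_extended")
EXT_OID = re.compile(r"do_extended: oid=(\S+)")
TLS_FAIL = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")

def unwrap(text):
    """Re-join syslog records that a mail client wrapped onto a line with no timestamp."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def analyze(text):
    """Per connection id: whether StartTLS was requested and the TLS accept error, if any."""
    conns = defaultdict(lambda: {"starttls": False, "tls_error": None})
    pending = None  # conn id of the last do_extended request; its oid comes on the next record
    for rec in unwrap(text):
        if m := DO_EXTENDED.search(rec):
            pending = m.group(1)
        elif (m := EXT_OID.search(rec)) and pending is not None:
            conns[pending]["starttls"] |= (m.group(1) == STARTTLS_OID)
            pending = None
        elif m := TLS_FAIL.search(rec):
            conns[m.group(2)]["tls_error"] = int(m.group(1))
    return dict(conns)

def failed_starttls(text):
    """Connection ids that requested StartTLS and were then closed by a TLS accept failure."""
    return sorted(c for c, s in analyze(text).items() if s["starttls"] and s["tls_error"] is not None)
```

One caveat worth checking in this setup: ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only options, so they are honoured in ~/.ldaprc or via the LDAPTLS_CERT and LDAPTLS_KEY environment variables and ignored in the system-wide /etc/openldap/ldap.conf.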