
Re: TLSVerifyClient => no login possible



Hello,

Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:

> Dieter Kluenter schrieb:
>> Hello Sebastian,
>>
>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>
>>   
>>> Dieter Kluenter schrieb:
>>>     
>>>> Hello Sebastian,
>>>>
>>>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>>>
>>>>   
>>>>       
>>>>> Dieter Kluenter schrieb:
>>>>>     
>>>>>         
>>>>>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
[...]
>
> As I tried to perform "ldapsearch" with TLS enabled I got some output
> about "version trouble" of openldap server and client libraries. But now
> I solved this problem and I have configured "pam_ldap" again.
> The login with "TLSVerifyClient demand" (enabled in slapd.conf) works,
> but not with "tls_checkpeer  yes" in "/etc/ldap.conf". If 
> "tls_checkpeer" is "yes", the login is not possible (output:
> "Permissions on the password database may be too restrictive").
>
> The "strace -o /tmp/ldapsearch.txt ldapsearch -d 1 -x -ZZ -h
> 192.168.0.201 "(uid=*)" " is creating command line output:
[...]

> For strace output take a look at the attached file, please.
> I think that server and client do not communicate via TLS, or do they?
> And why can I login, but not search (with "tls_checkpeer no")?

Please check the output of
openssl x509 -in <server-key> -text | grep Subject

compare the CN value of Subject with your -h value of ldapsearch and
the host configuration in /etc/ldap.conf

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
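The check Dieter asks for (does the name given with -h, or "host" in /etc/ldap.conf, match the server certificate) is what tls_checkpeer enforces. The following is an added illustration, not code from this thread or from OpenLDAP's libldap: it applies the usual certificate name-matching rules to a constructed set of certificate names, and shows why an IP literal such as 192.168.0.201 cannot match a CN that holds a hostname. The names in SERVER_CERT_NAMES are hypothetical.

```python
import ipaddress

# Constructed example of what "openssl x509 -text" might report for the
# server certificate: the Subject CN plus any subjectAltName entries.
# These values are hypothetical, not taken from the thread.
SERVER_CERT_NAMES = {
    "CN": "ldap.example.org",
    "DNS": ["ldap.example.org", "*.example.org"],
    "IP": [],  # no IP subjectAltName present
}


def _dns_name_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison. A single '*' is accepted only
    as the whole leftmost label and matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(names: dict, host: str) -> bool:
    """Return True if 'host' (the ldapsearch -h value or the host line in
    /etc/ldap.conf) is covered by the certificate's names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against IP subjectAltNames; a CN
        # containing a hostname never matches "-h 192.168.0.201".
        return any(ipaddress.ip_address(i) == ip for i in names.get("IP", []))
    dns_sans = names.get("DNS", [])
    if dns_sans:
        # When DNS subjectAltNames exist they are authoritative.
        return any(_dns_name_match(p, host) for p in dns_sans)
    # Otherwise fall back to the Subject CN.
    return _dns_name_match(names.get("CN", ""), host)
```

With the constructed certificate, connecting by hostname passes while connecting by IP fails, which is the same outcome tls_checkpeer yes would produce unless the certificate carries an IP subjectAltName.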