Re: olcTLSVerifyClient: demand not taking effect

To: Peter Wood <peterwood.sd@gmail.com>

Subject: Re: olcTLSVerifyClient: demand not taking effect

From: Rich Megginson <rich.megginson@gmail.com>

Date: Tue, 13 Mar 2012 12:30:54 -0600

Cc: OpenLDAP Tech <openldap-technical@openldap.org>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:reply-to:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=nv2McrPscg43cn84Ex1LyQ5vkyDUDzMP7o1oqd2Tac8=; b=uFc0sGJBstrO8zjd4USHQRP3Dm3+2/tU823SFPzvQuPMVGmJibJE6PkjMmuYxfRcSD J1TEIphjJ8IU0OgkI5Q1wbw9gujtbdSsrg0M59Om353ouUQ03I6FfDXZUKZ9+J9lMvwv dtJAIh9M/xgxd2jmCvyEnEEVLfYt5ruM5dkfQMLUILCvwE9IiZ5UsETgECf/2MwV5hLR MJF+Eex5ZSS6flypkJoszAcA51BbAYOFn9ALomZX2GurlfAl0YGyPIHXFFau7Ch4chT5 YEvUveeRjrhXiVx13WK3fP/EK8hps2FgS/Ky8e0Y9i44iMef2cjAOA/8y5AGHCef79UG THwg==

In-reply-to: <CAEGK5+m=02yhiGEX+gs2-ENjtaSL5A+Z=4RYbfAJGJ9EG77gEQ@mail.gmail.com>

References: <CAEGK5+=yHii3XWJ9p-zw8VVxWb5mDNrkxzHr435B1K_-wdAgrA@mail.gmail.com> <B3C198583C8721CEAE7DC20F@192.168.1.22> <CAEGK5+m=02yhiGEX+gs2-ENjtaSL5A+Z=4RYbfAJGJ9EG77gEQ@mail.gmail.com>

User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20120216 Thunderbird/10.0.1

On 03/13/2012 12:03 PM, Peter Wood wrote:

On Mon, Mar 12, 2012 at 9:41 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:

--On Monday, March 12, 2012 6:52 PM -0700 Peter Wood <peterwood.sd@gmail.com> wrote:

Hi,

I setup openldap-2.4.23 server

Why? I'd suggest you start with the current release, 2.4.30. You may also want to look at <http://www.openldap.org/its/index.cgi/?findid=7197>

That's the openldap version in centos6.2 repo. In production I try to stick with stock versions.

Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.

I don't think StartTLS is enabled. I'm wondering if just setting olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is enough to get StartTLS enabled.

Yes, it is.

It's very frustrating. I'd hate to go to ldaps just because I can't get StartTLS working.

Is there anything else I have to set on the server to get StartTLS working?

Can you provide the exact command line you are using to test the server connection? Note that if the client is using regular LDAP and not LDAPS nor LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.

If you are trying to make the client always use SASL/EXTERNAL auth with a valid client cert, you must first force the server to reject any non-TLS/SSL connection using the sasl-secprops minssf setting.

Thanks

Peter