
Re: can't have a proper SSL connexion to the Server

You have configured slapd.conf to require client certificates, but the client is not configured to provide a certificate. Note that the TLS_CERT and TLS_KEY directives are documented as per-user directives, they have no effect in the ldap.conf file. See the ldap.conf(5) manpage for more information.

Simon Chevrolat wrote:
Hi!

I've got a problem in the configuration of OpenLDAP to manage SSL connections. When I try to test this connection with the ldapadd command, I get the following output:

ldapadd -x -D "cn=Manager,dc=localhost" -W -f init.ldif -H ldaps://localhost
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

The problem is that it doesn't seem to be a domain name or certificate problem; indeed, when I test the connection with the openssl command using the same certificates as the ones in ldap.conf, it seems to be working:

openssl s_client -connect localhost:636 -state -CAfile /home/certs/cacert.pem -cert /home/certs/ldap.client.cert.pem -key

I think that it's a problem in the ldap.conf file, but I checked it and did not find any mistake. I attached my ldap.conf and slapd.conf files to this message.

If anyone can see a solution to this problem, I'll be really grateful.



----slapd.conf-------
# CA signed certificate and server cert entries:
TLSVerifyClient demand

----ldap.conf-------
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com

#DEREF never
HOST localhost
PORT 636
TLS_CACERT /home/certs/cacert.pem
TLS_CERT /home/certs/ldap.client.cert.pem
TLS_KEY /home/certs/keys/ldap.client.key.pem

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
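The point Howard makes, turned into a check. This is an added example, not code from the thread or from OpenLDAP: ldap.conf(5) documents TLS_CERT and TLS_KEY as user-only directives, so in the system-wide ldap.conf they are silently ignored and the client never offers a certificate to a server set to "TLSVerifyClient demand". The script lints a file for those directives and builds two constructed layouts (the poster's, and one with the client identity moved to ~/.ldaprc); all file paths in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the thread). ldap.conf(5) makes TLS_CERT and TLS_KEY
# user-only, so in the system-wide ldap.conf they are ignored and the server's
# "TLSVerifyClient demand" aborts the handshake. Sample paths are made up.
# Print each user-only directive in FILE; return 1 if any were found, 0 if clean.
lint_ldap_conf() {
    file=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                          # split the line into words
        [ $# -eq 0 ] && continue              # blank line
        case $1 in \#*) continue ;; esac      # comment line
        case $(printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]') in
            TLS_CERT|TLS_KEY)
                printf 'ignored in system ldap.conf, belongs in ~/.ldaprc: %s\n' "$line"
                found=1 ;;
        esac
    done < "$file"
    return $found
}

# Constructed layouts under DIR: bad/ mirrors the poster's single ldap.conf,
# good/ keeps only CA trust system-wide and moves the client identity to .ldaprc.
make_samples() {
    mkdir -p "$1/bad" "$1/good"
    cat > "$1/bad/ldap.conf" <<'EOF'
HOST localhost
PORT 636
TLS_CACERT /home/certs/cacert.pem
TLS_CERT /home/certs/ldap.client.cert.pem
TLS_KEY /home/certs/keys/ldap.client.key.pem
EOF
    cat > "$1/good/ldap.conf" <<'EOF'
# system-wide: CA trust only
URI ldaps://localhost:636
TLS_CACERT /home/certs/cacert.pem
EOF
    cat > "$1/good/.ldaprc" <<'EOF'
# per-user: client certificate and key
TLS_CERT /home/certs/ldap.client.cert.pem
TLS_KEY /home/certs/keys/ldap.client.key.pem
EOF
}

# Stand-alone demo: lint both layouts, then clean up.
d=$(mktemp -d) && make_samples "$d"
lint_ldap_conf "$d/bad/ldap.conf" || echo "bad/ldap.conf: client cert would not be sent"
lint_ldap_conf "$d/good/ldap.conf" && echo "good/ldap.conf: clean"
rm -rf "$d"
```

Run it against a real /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf) to confirm no client-identity directives are sitting where the library will not read them.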