
Client auth to slapd TLS issues

Hello,
Running openldap-2.3.32 with slapd on a Linux server.
Also running openldap-2.3.32 on a Linux client.

slapd.conf includes:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/newkey.pem
TLSVerifyClient never (or allow)


Issue 1: Here is the debug output from the openldap code if the ldap.conf file has the following in it when I try authentication:

TLS_CACERT cacert.pem
TLS_CACERTDIR /usr/local/etc/openldap/


Login: ldapuser2
Password: *********ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 140.179.180.135:389
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 140.179.180.135:389
ldap_connect_timeout: fd: 6 tm: 5 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x100141d0 msgid 1
ldap_chkResponseList ld 0x100141d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100141d0 NULL
wait4msg ld 0x100141d0 msgid 1 (infinite timeout)
wait4msg continue ld 0x100141d0 msgid 1 all 1
** ld 0x100141d0 Connections:
* host: 140.179.180.135  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul 20 09:26:37 2006

** ld 0x100141d0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x100141d0 Response Queue:
   Empty
ldap_chkResponseList ld 0x100141d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100141d0 NULL
ldap_int_select
read1msg: ld 0x100141d0 msgid 1 all 1
read1msg: ld 0x100141d0 msgid 1 message type extended-result
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x100141d0 0 new referrals
read1msg:  mark request completed, ld 0x100141d0 msgid 1
request done: ld 0x100141d0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS: could not load verify locations (file:`cacert.pem',dir:`/usr/local/etc/openldap/').
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:104
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:107
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274
ldap_err2string

Now, that pem file "cacert.pem" is in /usr/local/etc/openldap.

Can anyone tell me why I get this error?

Also, I thought that with "TLSVerifyClient never" the server wouldn't even ask for the client's certificate, and with "allow" it would ask but wouldn't care if it was not there or could not be verified.

*****************************************************************************************************************************************************

Issue 2: Here is the debug output from the openldap code if the ldap.conf file does not have "TLS_CACERT cacert.pem" or "TLS_CACERTDIR /usr/local/etc/openldap/" in it when I try authentication:


Login: ldapuser2
Password: *********ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 140.179.169.185:389
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 140.179.180.135:389
ldap_connect_timeout: fd: 6 tm: 5 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x100141d0 msgid 1
ldap_chkResponseList ld 0x100141d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100141d0 NULL
wait4msg ld 0x100141d0 msgid 1 (infinite timeout)
wait4msg continue ld 0x100141d0 msgid 1 all 1
** ld 0x100141d0 Connections:
* host: 140.179.180.135  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul 20 10:05:12 2006

** ld 0x100141d0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x100141d0 Response Queue:
   Empty
ldap_chkResponseList ld 0x100141d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x100141d0 NULL
ldap_int_select
read1msg: ld 0x100141d0 msgid 1 all 1
read1msg: ld 0x100141d0 msgid 1 message type extended-result
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x100141d0 0 new referrals
read1msg:  mark request completed, ld 0x100141d0 msgid 1
request done: ld 0x100141d0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=Massachusetts/L=Littleton/O=MRV Inc/OU=Engineering/CN=DerJer/emailAddress=pino@mrv.com, issuer: /C=US/ST=Massachusetts/L=Littleton/O=MRV Inc/OU=Engineering/CN=DerJer/emailAddress=pino@mrv.com

TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string

I guess my question here is similar to the above.
If TLSVerifyClient is set to never or allow, I get the above error.

Can anyone tell me why I get this error?

Any help would be most appreciated.
Thanks,
Phil Bellino
============================
Phil Bellino
MRV Communications, Inc.
Boston Product Division
295 Foster St.
Littleton,MA 01460
Tel: (978)952-4807
Email: pbellino@mrv.com
============================
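Both traces above fail on the client side, before any client certificate is involved: the first because libldap passes the TLS_CACERT value straight to OpenSSL's fopen(), so a bare "cacert.pem" is looked up in the process's working directory rather than in TLS_CACERTDIR, and TLS_CACERTDIR itself is searched by subject hash, so it only helps when it holds c_rehash-style <hash>.0 links. The following script is an added example (not from the original post or from OpenLDAP) that checks an ldap.conf's TLS_CACERT and TLS_CACERTDIR directives the way libldap and OpenSSL will actually use them; the function names are the example's own.

```shell
#!/bin/sh
# Added example: validate client-side TLS CA settings in an ldap.conf.
# Directive names (TLS_CACERT, TLS_CACERTDIR) are OpenLDAP's; the helper
# names below are hypothetical and belong only to this example.

# Print the value of a directive from an ldap.conf file (first match,
# case-insensitive key, '#' comment lines never match).
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == key { print $2; exit }' "$1"
}

# TLS_CACERT is handed to OpenSSL fopen() unchanged, so a relative name
# is resolved against the cwd of the client process, not TLS_CACERTDIR.
# Succeeds only for an absolute path to a readable file.
check_cacert_path() {
    case "$1" in
        /*) [ -r "$1" ] ;;
        *)  return 1 ;;
    esac
}

# TLS_CACERTDIR is searched by subject-name hash, so the directory must
# contain <8 hex digits>.<n> entries (what c_rehash creates); a plain
# cacert.pem dropped in there is never consulted.
check_cacertdir() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# Run both checks against one ldap.conf; prints a finding per directive
# and returns non-zero if any configured directive is unusable.
check_ldap_conf() {
    conf="$1"; rc=0
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    if [ -n "$cacert" ]; then
        if check_cacert_path "$cacert"; then echo "ok: TLS_CACERT $cacert"
        else echo "bad: TLS_CACERT '$cacert' must be an absolute path to a readable file"; rc=1; fi
    fi
    if [ -n "$cadir" ]; then
        if check_cacertdir "$cadir"; then echo "ok: TLS_CACERTDIR $cadir"
        else echo "bad: TLS_CACERTDIR '$cadir' holds no hashed CA links (run c_rehash on it)"; rc=1; fi
    fi
    return $rc
}
```

The second trace is the same failure one step later: with no CA location at all, the self-signed server certificate (subject equals issuer at depth 0) has no trusted issuer on the client, and that check is governed by the client's TLS_REQCERT, not by the server's TLSVerifyClient, which only controls whether slapd requests and verifies the client's certificate.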