Re: TLS configuration needs client certification (why?)
On Aug 25, 2007, at 2:49 PM, Howard Chu wrote:
Frank Cornelissen wrote:
No, that didn't work. The problem is a bad interaction with
libnss_ldap and slapd, that share the same ldap connection context
(same process). libnss-ldap does (rightfully) want to check the
certificate of the server, and sets this option when it is activated.
That happens after the slapd.conf is read. My solution for now is to
run slapd in a chroot jail which does not reference nss-ldap, so this
problem does not occur.
Why does slapd require a peer/client certificate? I'm running slapd 2.3.30
on Debian (package 2.3.30-5 to be precise).
When connecting with ssl to slapd using
ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
I get the following error from slapd (started with -d 8):
TLS: can't accept.
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
When connecting to the same host but with the ldap protocol (vs
ldaps) the search results correctly.
This error seems like somehow slapd wants to get a client
certificate, but I did not set slapd up that way. The ldap.conf on
the client machines only contains the CA certificate field:
relevant parts from slapd.conf (included in total at the end of
Uncomment the "TLSVerifyClient never" directive here to work around
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
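The symptom in this thread (slapd logging "peer did not return a certificate" for an ldaps client that was never given one) can be confirmed from the client side without touching slapd.conf: `openssl s_client` prints the CA names a server sends in its CertificateRequest, so a server that demands a client certificate shows an "Acceptable client certificate CA names" section. The script below is an added diagnostic example, not code from the thread or from the OpenLDAP project; the host name, the `openssl s_client` transcripts and the slapd debug lines it contains are constructed samples shaped like real output, and `LDAPS_HOST` is a hypothetical environment variable used only for the optional live probe.

```shell
#!/bin/sh
# Added example: tell "slapd is demanding a client certificate" apart from other
# TLS failures, using openssl s_client output and slapd's -d 8 debug log.

# Live probe (needs openssl(1) and network access). Empty stdin makes s_client
# close the session right after the handshake summary is printed.
probe_ldaps() {
    # usage: probe_ldaps ldap.example.test 636
    printf '' | openssl s_client -connect "$1:${2:-636}" 2>/dev/null
}

# Classify a captured s_client transcript. s_client prints the "Acceptable
# client certificate CA names" section only when the server sent a
# CertificateRequest that lists CA names (what slapd does with
# TLSVerifyClient demand/allow/try and a TLSCACertificateFile configured);
# "No client certificate CA names sent" covers both "no request at all" and
# "request with an empty CA list".
classify_s_client() {
    case "$1" in
        *"Acceptable client certificate CA names"*) echo "server-requests-client-cert" ;;
        *"No client certificate CA names sent"*)    echo "no-ca-names-sent" ;;
        *)                                          echo "unknown" ;;
    esac
}

# True when a slapd debug log (slapd -d 8) contains the OpenSSL reason string
# behind the "TLS: can't accept." line quoted in the thread.
slapd_log_shows_missing_client_cert() {
    printf '%s\n' "$1" | grep -q 'SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate'
}

# Combine both signals into one verdict; points at the directive Howard names.
diagnose() {
    if [ "$(classify_s_client "$1")" = "server-requests-client-cert" ] \
       && slapd_log_shows_missing_client_cert "$2"; then
        echo "slapd demands a client certificate: check TLSVerifyClient in slapd.conf"
    else
        echo "no client-certificate demand detected"
    fi
}

# Constructed sample transcripts (not captured from a real server).
SAMPLE_REQUESTING='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.test
   i:/CN=Example Lab CA
---
Acceptable client certificate CA names
/CN=Example Lab CA
---
SSL handshake has read 1234 bytes and written 456 bytes
---'

SAMPLE_NOT_REQUESTING='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.test
   i:/CN=Example Lab CA
---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 456 bytes
---'

# Constructed slapd -d 8 excerpt carrying the full OpenSSL reason string.
SAMPLE_SLAPD_LOG='TLS: can'"'"'t accept.
TLS: error:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate'

# Stand-alone run: show the verdict for the samples, then optionally probe a
# real listener named by the hypothetical LDAPS_HOST variable.
diagnose "$SAMPLE_REQUESTING" "$SAMPLE_SLAPD_LOG"
diagnose "$SAMPLE_NOT_REQUESTING" "$SAMPLE_SLAPD_LOG"
if [ -n "${LDAPS_HOST:-}" ]; then
    classify_s_client "$(probe_ldaps "$LDAPS_HOST" "${LDAPS_PORT:-636}")"
fi
```

Running `LDAPS_HOST=your.server ./check-ldaps.sh` against a listener that prints "server-requests-client-cert" while ldapsearch fails with the error above is the client-side view of the same misconfiguration; the fix stays on the server side (the TLSVerifyClient setting in slapd.conf, or not sharing one process's TLS context between slapd and libnss_ldap as Frank describes).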