[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Question about /etc/openldap/ldap.conf

Rogov Stepan wrote:
Hi there!

I have openldap 2.4.21. I configured it with ssl(ldaps) and
"TLSVerifyClient demand".

On the client side file /etc/openldap/ldap.conf contains the following:
TLS_CACERT /etc/ssl/servercert.ca.crt
TLS_CERT /etc/openldap/client.crt
TLS_KEY /etc/openldap/client.key

But samba and ldap-standard tools (eg ldapsearch) don't connect to
TLS trace: SSL3 alert read: fatal: handshake failure
TLS trace: SSL_connect: failed in SSLv3 read finished A
TLS: can't connect: error: 14094410: SSL routines: SSL3_READ_BYTES:
sslv3 alert handshake failure.
ldap_sasl_bind (SIMPLE): Can't contact LDAP server (-1)

If you save the content of /etc/openldap/ldap.conf in ~ /.ldaprc or use
variables $LDAP<uppercase option name>, then everything works fine.
I assume that options TLS_CERT and TLS_KEY aren't read from
/etc/openldap/ldap.conf. Correspondingly the server can not verify
client certificates.

From man ldap.conf:

      TLS_CERT <filename>
Specifies the file that contains the client certificate. *This is a user-only option.*

      TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate stored in the TLS_CERT file. Currently, the private key must not be protected with a password, so it is of criti‐ cal importance that the key file is protected carefully. *This is a user-only option.*

User-only options may not be configured in a system-wide config file.