
Re: SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read



Hauke Coltzau wrote:
Hello everybody,

I'm just trying to set up a LDAPS server using my own
certification authority, but the ldap server does not
accept/understand my client certificate. Instead, the server
says:

TLS: can't accept: The peer did not send any certificate..

Here are the details:

Client:
=======

# ldapsearch -x -LLL -ZZ -d 1

ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <serverip>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <serverip>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)


Server:
=======

# slapd -VV
   @(#) $OpenLDAP: slapd 2.4.9 (Aug  1 2008 01:09:46) $
         buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd


# slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127

You cannot use StartTLS (ldapsearch -Z) with an ldaps:// server, it's redundant.

ldap.conf (partially)
---------------------

uri ldaps://132.176.4.6/

ssl yes
tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
tls_ciphers TLSv1

The above 3 keywords are not valid for ldap.conf. Read the ldap.conf(5) manpage.

tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem

What did I do wrong?

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
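The two points raised in the reply (StartTLS is redundant on an ldaps:// URI; `ssl`, `tls_cacertfile` and `tls_ciphers` are nss_ldap/pam_ldap directives, not ldap.conf(5) ones) are easy to check mechanically. The script below is an added example, not code from the thread or from the OpenLDAP project: it lints a client ldap.conf fragment against the ldap.conf(5) keyword set, prints the OpenLDAP-valid rewrite, and chooses the ldapsearch TLS flags from the URI scheme. It also flags `tls_cert`/`tls_key`, which ldap.conf(5) documents as user-only options (honoured from ~/.ldaprc or the LDAPTLS_CERT/LDAPTLS_KEY environment, not from the system-wide file), a detail worth checking whenever a server complains that the peer sent no certificate. The hostname and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: check a client ldap.conf fragment for
# directives that belong to nss_ldap/pam_ldap rather than OpenLDAP's ldap.conf(5),
# emit the OpenLDAP-valid rewrite, and pick the right ldapsearch TLS flags for the URI.
# Hostname and file paths below are constructed placeholders.

# Constructed sample mirroring the shape of the poster's fragment.
SAMPLE_CONF='uri ldaps://ldap.example.com/
ssl yes
tls_cacertfile /etc/ssl/certs/ca.chain.crt
tls_ciphers TLSv1
tls_cert /etc/ssl/certs/client.cert.pem
tls_key /etc/ssl/private/client.key.pem'

# Classify one directive name (case-insensitive) against ldap.conf(5):
#   ok         - accepted in the system-wide ldap.conf
#   user-only  - valid, but only honoured from ~/.ldaprc or the LDAPTLS_* environment
#   none       - no OpenLDAP equivalent (the ldaps:// URI scheme already selects TLS)
#   <NAME>     - the OpenLDAP directive to use instead
#   unknown    - not recognised by this checker
classify() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        uri|base|binddn|tls_reqcert|tls_cacert|tls_cacertdir|tls_cipher_suite) echo ok ;;
        tls_cert|tls_key)  echo user-only ;;
        ssl)               echo none ;;
        tls_cacertfile)    echo TLS_CACERT ;;
        tls_ciphers)       echo TLS_CIPHER_SUITE ;;
        *)                 echo unknown ;;
    esac
}

# Print one finding per directive that does not belong in the system-wide ldap.conf.
lint_conf() {
    printf '%s\n' "$1" | while read -r key rest; do
        [ -z "$key" ] && continue
        case "$key" in \#*) continue ;; esac
        verdict=$(classify "$key")
        case "$verdict" in
            ok)        ;;
            user-only) echo "$key: valid but user-only; set it in ~/.ldaprc or via LDAPTLS_CERT/LDAPTLS_KEY" ;;
            none)      echo "$key: not an OpenLDAP ldap.conf keyword; drop it, ldaps:// in the URI already selects TLS" ;;
            unknown)   echo "$key: not an OpenLDAP ldap.conf keyword" ;;
            *)         echo "$key: not an OpenLDAP ldap.conf keyword; use $verdict instead" ;;
        esac
    done
}

# Emit the system-wide ldap.conf with foreign directives translated or dropped.
# TLS_CERT/TLS_KEY are deliberately left out: they belong in the user's ~/.ldaprc.
rewrite_conf() {
    printf '%s\n' "$1" | while read -r key rest; do
        [ -z "$key" ] && continue
        case "$(classify "$key")" in
            ok)              echo "$key $rest" ;;
            none|user-only)  ;;
            unknown)         echo "# unrecognised: $key $rest" ;;
            *)               echo "$(classify "$key") $rest" ;;
        esac
    done
}

# StartTLS (-Z/-ZZ) upgrades a plain ldap:// session; an ldaps:// session is already
# TLS, so -ZZ is redundant there, as the reply above notes.
ldapsearch_cmd() {
    case "$1" in
        ldaps://*) echo "ldapsearch -x -LLL -H $1" ;;
        *)         echo "ldapsearch -x -LLL -H $1 -ZZ" ;;
    esac
}

lint_conf "$SAMPLE_CONF"
echo "--- rewritten system-wide ldap.conf ---"
rewrite_conf "$SAMPLE_CONF"
echo "--- command line ---"
ldapsearch_cmd ldaps://ldap.example.com/
```

Run it as-is to see the findings for the sample, or replace SAMPLE_CONF with `$(cat /etc/ldap/ldap.conf)` to lint a real file. The keyword table in `classify` is intentionally short; extend it from ldap.conf(5) rather than trusting `unknown` as a verdict.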