
[SOLVED] Re: SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read



Hi everybody,

thank you all for your immediate replies.

As you correctly pointed out, the options I used were wrong.
With following ldap.conf, everything works out fine.

  base dc=...
  URI ldaps://<fqdn of ldap server>/
  ldap_version 3
  rootbinddn cn=...
  bind_policy soft
  pam_password md5

  TLS_REQCERT yes
  TLS_CACERT /usr/lib/ssl/certs/<ca>.chain.crt

The ldap.conf I used before has been created by dpkg-reconfigure
and I simply changed the default values there. That was a mistake ;-)
Creating a new ldap.conf from scratch with a man-page at hand
obviously did the trick.

Thank you very much for your help,

Best regards,

Hauke

-- 



----- Original Message -----
From: "Howard Chu" <hyc@symas.com>
To: "Hauke Coltzau" <hauke.coltzau@FernUni-Hagen.de>
CC: "openldap-technical" <openldap-technical@openldap.org>
Sent: Wednesday, 27 August 2008 20:37:44 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien
Subject: Re: SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read

Hauke Coltzau wrote:
> Hello everybody,
>
> I'm just trying to set up a LDAPS server using my own
> certification authority, but the ldap server does not
> accept/understand my client certificate. Instead, the server
> says:
>
>     TLS: can't accept: The peer did not send any certificate..

> Here are the details:
>
> Client:
> =======
>
> # ldapsearch -x -LLL -ZZ -d 1
>
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP<serverip>:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying<serverip>:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: can't connect: A TLS packet with unexpected length was received..
> ldap_err2string
> ldap_start_tls: Can't contact LDAP server (-1)
>
>
> Server:
> ========
>
> # slapd -VV
>    @(#) $OpenLDAP: slapd 2.4.9 (Aug  1 2008 01:09:46) $
>          buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
>
>
> # slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127

You cannot use StartTLS (ldapsearch -Z) with an ldaps:// server, it's redundant.

> ldap.conf (partially)
> ---------------------
>
> uri ldaps://132.176.4.6/

> ssl yes
> tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
> tls_ciphers TLSv1

The above 3 keywords are not valid for ldap.conf. Read the ldap.conf(5) manpage.

> tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
> tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem

> What did I do wrong?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

-- 
------------------------------------
      Fernuniversität in Hagen
   Lehrgebiet Kommunikationsnetze
   http://www.fernuni-hagen.de/kn

 Fon/Fax: +49 2331 987 -1142 / -353
------------------------------------
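A small config linter for the two problems Howard points out above (pam_ldap-style TLS keywords that libldap silently ignores, and StartTLS requested against an ldaps:// URI). This is an added example, not code from the thread or from the OpenLDAP project: the libldap keyword names and the TLS_REQCERT levels are taken from ldap.conf(5), the two sample configs are constructed (placeholder hostnames and paths, TLS_REQCERT set to demand), and the function names are hypothetical.

```python
"""Lint an OpenLDAP client ldap.conf for pam_ldap/nss_ldap-style TLS keywords
that libldap ignores and for StartTLS combined with an ldaps:// URI.
Hypothetical helper, not part of OpenLDAP."""

# pam_ldap-style keywords from the original post, mapped to the libldap
# keyword (ldap.conf(5)) that carries the same intent.  None means there is
# no equivalent: the ldaps:// scheme in URI already turns TLS on.
PAM_LDAP_TLS_KEYS = {
    "SSL": None,
    "TLS_CACERTFILE": "TLS_CACERT",
    "TLS_CIPHERS": "TLS_CIPHER_SUITE",
}

# Levels ldap.conf(5) documents for TLS_REQCERT.
REQCERT_LEVELS = {"never", "allow", "try", "demand", "hard"}


def parse_ldap_conf(text):
    """Return (KEYWORD, value) pairs.  Blank lines and '#' comments are
    skipped; keyword and value are split on the first run of whitespace.
    Keywords are upper-cased because libldap matches them case-insensitively."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].upper(), value))
    return entries


def lint_ldap_conf(text, starttls=False):
    """Return a list of finding strings for one ldap.conf.  starttls says
    whether the client will also pass -Z/-ZZ to ldapsearch."""
    findings = []
    entries = parse_ldap_conf(text)
    present = {key for key, _ in entries}

    for key, value in entries:
        if key in PAM_LDAP_TLS_KEYS:
            repl = PAM_LDAP_TLS_KEYS[key]
            hint = f"use {repl}" if repl else "drop it, ldaps:// in URI already enables TLS"
            findings.append(f"{key}: not a libldap ldap.conf keyword, ignored ({hint})")
        elif key == "TLS_REQCERT" and value.lower() not in REQCERT_LEVELS:
            findings.append(f"TLS_REQCERT {value}: not a level documented in ldap.conf(5)")
        elif key == "TLS_REQCERT" and value.lower() in {"never", "allow"}:
            findings.append(f"TLS_REQCERT {value}: server certificate is not verified")

    uris = [value for key, value in entries if key == "URI"]
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    if uses_ldaps and starttls:
        findings.append("URI is ldaps:// but StartTLS (-Z/-ZZ) was requested: "
                        "redundant, StartTLS is for ldap:// URIs")
    if uses_ldaps and not present & {"TLS_CACERT", "TLS_CACERTDIR"}:
        findings.append("ldaps:// without TLS_CACERT/TLS_CACERTDIR: "
                        "no trust anchor to verify the server certificate")
    return findings


# Constructed sample: the pam_ldap-style lines from the original post.
BROKEN_CONF = """\
uri ldaps://ldap.example.invalid/
ssl yes
tls_cacertfile /usr/lib/ssl/certs/example-ca.chain.crt
tls_ciphers TLSv1
tls_cert /usr/lib/ssl/certs/client.cert.pem
tls_key /usr/lib/ssl/private/client.key.pem
"""

# Constructed sample modelled on the working config from the [SOLVED] reply.
FIXED_CONF = """\
base dc=example,dc=invalid
URI ldaps://ldap.example.invalid/
TLS_REQCERT demand
TLS_CACERT /usr/lib/ssl/certs/example-ca.chain.crt
"""

if __name__ == "__main__":
    for name, conf, z in (("broken", BROKEN_CONF, True), ("fixed", FIXED_CONF, False)):
        print(f"{name} (starttls={z}):")
        for finding in lint_ldap_conf(conf, starttls=z) or ["ok"]:
            print("  " + finding)
```

Run it against /etc/ldap/ldap.conf (or whichever file libldap reads on your system) with starttls set to whatever your client actually passes; the linter only looks at keywords, so it will not catch a CA file that exists but does not chain to the server certificate.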