
Re: TLSVerifyClient => no login possible

Hello Sebastian,

Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:

> Dieter Kluenter wrote:
>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>> Hello,
>>> I have configured an openSUSE 11.0 (x86_64) with openldap-server. Also
>>> TLS is activated. All clients are set to "TLS_REQCERT    demand"
>>> and it is working.
>>> Then I created client certificates by using the server's Yast2 CA
>>> management. I copied the client certificates and also the server's
>>> "cacert" into the "/etc/openldap/" directory on the client computer. With
>>> "TLSVerifyClient allow" clients can login, but if I activate the
>>> "TLSVerifyClient demand" option in the server's slapd.conf no user can
>>> perform a login and it causes errors in /var/log/messages:
>> [...]
>>> What is wrong? The client's certificate "common name" is set to the
>>> client's hostname. Is this ok?
>> Clients don't read slapd.conf(5) but only ldap.conf(5), run slapd with
>> debug level 3 to analyse the tls session.
>> -Dieter
> Hello Dieter,
> Now I have set the loglevel to "3" and I get the following output if I
> try to login (still fails):

loglevel is != debug level, man slapd(8), run slapd -d3
> -------------------/var/log/messages---------------------------------------------------------------------

> Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search
> LDAP server - Server is unavailable

> Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s:
> Connect error
> -------------------/var/log/messages---------------------------------------------------------------------
> I am not sure if this is a configuration or certificate error? Do you
> understand this output above?

The clients are nss_ldap and pam_ldap, check the client's
configuration for starttls parameters.
With debug level 3 you should see something like

TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1931, written=1931
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert write:warning:close notify


Dieter Klünter | Systemberatung
sip: +49.180.1555.7770535