Re: TLSVerifyClient => no login possible



"Dieter Kluenter" <dieter@dkluenter.de> writes:

> Hello,
>
> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>
>> Dieter Kluenter schrieb:
>>> Hello Sebastian,
>>>
>>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>>
>>>> Dieter Kluenter schrieb:
>>>>> Hello Sebastian,
>>>>>
>>>>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>>>>
>>>>>> Dieter Kluenter schrieb:
>>>>>>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
> [...]
>>
>> As I tried to perform "ldapsearch" with TLS enabled I got some output
>> about "version trouble" of openldap server and client libraries. But now
>> I solved this problem and I have configured "pam_ldap" again.
>> The login with "TLSVerifyClient demand" (enabled in slapd.conf) works,
>> but not with "tls_checkpeer  yes" in "/etc/ldap.conf". If 
>> "tls_checkpeer" is "yes", the login is not possible (output:
>> "Permissions on the password database may be too restrictive").
>>
>> The "strace -o /tmp/ldapsearch.txt ldapsearch -d 1 -x -ZZ -h
>> 192.168.0.201 "(uid=*)" " is creating command line output:
> [...]
>
>> For strace output take a look at the attached file, please.
>> I think that server and client do not communicate via TLS, or do they?
>> And why can I login, but not search (with "tls_checkpeer no")?
>
> Please check the output of
> openssl x509 -in <server-key> -text | grep Subject

sorry, that should read
openssl x509 -in <server-certificate> -text | grep Subject
>
> compare the CN value of Subject with your -h value of ldapsearch and
> the host configuration in /etc/ldap.conf

-Ddieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
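The comparison Dieter asks for, as an added example that is not part of the original thread: a small POSIX shell script that lists the names a server certificate is valid for (Subject CN plus any DNS subjectAltName entries) and checks whether the value a client passes in -h, or sets as "host" in /etc/ldap.conf, matches one of them exactly. It assumes the openssl CLI (1.1.1 or newer, for -ext and -addext) is installed; the certificate itself is generated inline as constructed sample input so the check runs offline, with ldap.example.test as a made-up hostname. Note that the IP address 192.168.0.201 used in the thread's ldapsearch call will never match a DNS-name CN, which is exactly the kind of mismatch that makes a client with tls_checkpeer yes refuse the connection.

```shell
#!/bin/sh
# Added example, not from the original thread. Requires the openssl CLI.

# Print every name the certificate is valid for: the Subject CN and each
# DNS entry of the subjectAltName extension (if present), one per line.
cert_names() {
    cert="$1"
    # RFC2253 formatting gives "subject=CN=host" with no spaces around '='.
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    # Older openssl lacks -ext; the error is silenced so CN-only certs still work.
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Return 0 when the hostname a client will use (-h / "host" in /etc/ldap.conf)
# exactly matches one of the certificate names, 1 otherwise. An IP address
# such as 192.168.0.201 will not match a DNS-name CN, so the check fails.
cert_matches_host() {
    cert="$1"
    host="$2"
    cert_names "$cert" | grep -qxF "$host"
}

# Constructed sample input: a self-signed server certificate whose CN and
# SAN carry the made-up hostname ldap.example.test. Writes server.key and
# server.crt into the given directory.
make_sample_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -addext "subjectAltName=DNS:ldap.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
}

# Stand-alone usage: report the result for both the DNS name and the IP.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_sample_cert "$demo_dir"
    for h in ldap.example.test 192.168.0.201; do
        if cert_matches_host "$demo_dir/server.crt" "$h"; then
            echo "$h: matches certificate"
        else
            echo "$h: does NOT match certificate (tls_checkpeer yes would fail)"
        fi
    done
fi
```

Run it as `sh check_cert_host.sh --demo`, or source the file and call cert_matches_host against the real server certificate and the host value from /etc/ldap.conf.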