[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: open LDAP + TLS/SSL bind Failed.



Thank you very much Buchan.

I have changed the certificate creation method. Now I created the certificates using CA.sh of openssl.
I followed the instruction given in the below link to create the certificates.

http://octaldream.com/~scottm/talks/ssl/opensslca.html

1. At the server side now i am able to do ldapsearch and ldapadd, as i have chenged the /usr/local/etc/openldap/ldap.conf on server to remove IP address. I have made necessary changes in /etc/hosts file also.

BASE    dc=samsung,dc=com
URI     ldaps://localhost.localdomain/
TLS_CACERT      /etc/pki/CA/cacert.pem
TLS_CACERTDIR   /etc/pki/CA/

2.slapd.conf details for TLS are as follows

TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificatePath    /etc/pki/CA/
TLSCACertificateFile    /etc/pki/CA/cacert.pem
TLSCertificateFile      /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile   /etc/pki/tls/misc/newkey.pem
TLSVerifyClient         allow

3. I have copied the "cacert.pem" which is CA and "newcert.pem" which my server certificate to the client machine. I have copied these files to /etc/openldap/cacerts directory on client machine. and I have made the following configuration changes to "/etc/ldap.conf" file at the client side.

base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile  /etc/openldap/cacerts/cacert.pem
tls_cert /etc/openldap/cacerts/newcert.pem
pam_password md5
nss_map_attribute gecos description


When the "TLSVerifyClient  allow" is specified in slapd.conf, I am able to login to the client machine properly, authentication is succesful. but when "TLSVerifyClient  demand" and when I try to login to the client machine the authentication is failing.

I am getting the following error at the server side.

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate.
connection_read(12): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=12 for close
connection_close: conn=1005 sd=12
daemon: activity on 1 descriptor
daemon: activity on:
daemon: removing 12
conn=1005 fd=12 closed (TLS negotiation failure)

please let me know where i am making mistake? how can i correct this and make it work properly?

Thanks & Regards,
Vijay S.


Treat yourself at a restaurant, spa, resort and much more with Rediff Deal ho jaye!