[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP with ssl client certs

I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert?

Just to see if I could make any form of client cert authentication work, I took a test-bed instance of OpenLDAP and added this line to slapd.conf:
TLSVerifyClient allow

Then I created a self-signed ssl cert, converted it to a .der binary file, then added it to an LDAP record's userCertificate attribute with this:

dn: <my-dn>
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///tmp/ldapclient.bin

Then I found my ldap client of choice doesn't seem to have an option to authenticate via client certs, and didn't see any command line options for ldapsearch for specifying a client ssl cert/key pair. So I edited ~/.ldaprc and added:

BINDDN <my-dn>
TLS_CERT /tmp/ldapclient.crt
TLS_KEY /tmp/ldapclient.key

But when I run ldapsearch -x with no -D and -W options, it's clearly still just binding anonymously. When I run ldapsearch -x with a -D and no -W option it says I can't bind without a password. :-) So... I'm clearly missing something here.

How do I get ldapsearch to try to authenticate with the SSL cert? Or is it possibly trying but failing because slapd can't validate the self-signed client cert I made? It's definitely finding and using my .ldaprc file because I can change BASE, PORT, and HOST settings in there and don't have to specify 'em on the command line afterwards, but as near as I can tell it's not using the client cert.