On Mar 8, 2014, at 08.50, Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:
I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to setup LDAPS when using a self-signed server certificate:
please use ldap+starttls, not ldaps.
This works fine and I'm able to authenticate clients. However if I use a CA certificate (again, being my own CA) to sign my server certificate and then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile then I can no longer authenticate. I've installed my CA certificate on the client machine and pointed both ldap.conf and nslcd.conf to the CA certificate. However I get the following when debugging:
why are you setting olcTLSVerifyClient when changing from a self signed cert to a properly signed cert? did you read the description of this setting in man 5 slapd-config? it has nothing to do with use of a self-signed vs a regular cert. be methodical when doing an exercise like this. first switch from your self signed cert to your proper cert. test. then, modify olcTLSVerifyClient and see what happens.
Why would the client not send the certificate if I've pointed TLS_CACERT in ldap.conf and tls_cacertfile to that cert?
TLS_CACERT and tls_cacertfile point to the ca cert. why would this cert be sent anywhere by the client? the server already has this cert. those settings allow the client to establish a chain of trust to the certificate presented by the server. it’s a “bootstrapping” mechanism, so to speak. you tell the client [by way of those settings] to implicitly trust, no questions asked, certain ca certificates. then when the client is presented a certificate by a server, it can be deemed “trustworthy”, even though it had no prior knowledge of this particular cert.
-ben