[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap client cert validation

To: openldap-technical@openldap.org
Subject: Re: openldap client cert validation
From: "Matwey V. Kornilov" <matwey.kornilov@gmail.com>
Date: Sat, 6 Aug 2016 19:14:37 +0300
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=98eJi7wO7Ma2Gfw8rZ6wuGRC3cqvrwAzmnIklzs+3Eg=; b=iujELWbTDvv4V6szBS+BcuIOIwTK+WYW7HSDujyGMxq13+slhU0cbLsFz3bi8pxZUp ZrAG1IqHM3mMNFLHTInsMusgK4XYmYCFn6ZujNIL3ngHVzJ19eht4th7V7j8gkFa15QW ZNXV9th3bZa3pQfzZ5XHEWDi/1oUKV7GxdCetEkSZ8sXDMc0dizUBBqKy+nwbjWBTQGR DLf1up1yuGhKF0KhbMOeGp0GuOsZFLkIQY2FrtQaWmeFmQQA96XSjqTJPzlbDL9v1hEj 9uqJud7t2+f413qBvKCotc3i2CiWNfT8JRaCNx6h39gkp+Own65pm8CdybZWP9uT0KfL FDhQ==
In-reply-to: <CAJs94EaLpfd5gH-Qgtde9Z_rsC6MX9ON5m2M0ptUcCEGcxK9Hg@mail.gmail.com>
References: <CAJs94EaLpfd5gH-Qgtde9Z_rsC6MX9ON5m2M0ptUcCEGcxK9Hg@mail.gmail.com>

After inspecting source code I've just found that TLS_KEY and TLS_CERT
are ignored if located in /etc/openldap/ldap.conf.
Why does it not written in man ldap.conf(5) explicitly? I've spent two
days of my precious life to dig it out.
Now it works.

2016-08-06 16:07 GMT+03:00 Matwey V. Kornilov <matwey.kornilov@gmail.com>:
> Hello,
>
> I am running openldap 2.4.41 and I've failed to setup client certificate
> validation. TLS works well until olcTLSVerifyClient is set to demand.
> Then I see
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> at client side.
> And
>
> connection_read(11): TLS accept failure error=-1 id=1021, closing
>
> at the serveri side.
> So, I've configured /etc/openldap/ldap.conf as the following to provide
> client TLS certificate paths:
>
> TLS_CACERT /path/to/myroot.pem
> TLS_CACERTDIR /var/lib/ca-certificates/pem/
> TLS_CERT /path/to/my.crt
> TLS_KEY /path/to/my.key
>
> However, when I run openssl s_server -Verify 0 -accept 636 ...
> I see the following:
>
> ERROR
> 140680155473552:error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> certificate:s3_srvr.c:3309:
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
>
> So, this means that ldapsearch doesn't sent out its client certificate.
> I've also checked with strace tool that it even doesn't access
> certificate file.
>
> So, I am little stuck here. I understand that I am doing something
> wrong, but I cannot figure out what.



-- 
With best regards,
Matwey V. Kornilov
http://blog.matwey.name
xmpp://0x2207@jabber.ru

Follow-Ups:
- Re: openldap client cert validation
  - From: btb@bitrate.net
- Re: openldap client cert validation
  - From: Ryan Tandy <ryan@nardis.ca>

References:
- openldap client cert validation
  - From: "Matwey V. Kornilov" <matwey.kornilov@gmail.com>

Prev by Date: Re: How do I allow root to edit mdb database? [SOLVED]
Next by Date: Re: openldap client cert validation
Index(es):
- Chronological
- Thread