Re: openldap client cert validation

[Howard Chu <hyc@symas.com>]

Matwey V. Kornilov wrote:
> After inspecting source code I've just found that TLS_KEY and TLS_CERT
> are ignored if located in /etc/openldap/ldap.conf.
> Why does it not written in man ldap.conf(5) explicitly?

The ldap.conf(5) manpage says clearly "This is a user-only option."

> I've spent two days of my precious life to dig it out.

Yes, not reading carefully is a sure way to waste time.

> Now it works.
>
> 2016-08-06 16:07 GMT+03:00 Matwey V. Kornilov <matwey.kornilov@gmail.com>:
> > Hello,
> >
> > I am running openldap 2.4.41 and I've failed to setup client certificate
> > validation. TLS works well until olcTLSVerifyClient is set to demand.
> > Then I see
> >
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > at client side.
> > And
> >
> > connection_read(11): TLS accept failure error=-1 id=1021, closing
> >
> > at the serveri side.
> > So, I've configured /etc/openldap/ldap.conf as the following to provide
> > client TLS certificate paths:
> >
> > TLS_CACERT /path/to/myroot.pem
> > TLS_CACERTDIR /var/lib/ca-certificates/pem/
> > TLS_CERT /path/to/my.crt
> > TLS_KEY /path/to/my.key
> >
> > However, when I run openssl s_server -Verify 0 -accept 636 ...
> > I see the following:
> >
> > ERROR
> > 140680155473552:error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> > certificate:s3_srvr.c:3309:
> > shutting down SSL
> > CONNECTION CLOSED
> > ACCEPT
> >
> > So, this means that ldapsearch doesn't sent out its client certificate.
> > I've also checked with strace tool that it even doesn't access
> > certificate file.
> >
> > So, I am little stuck here. I understand that I am doing something
> > wrong, but I cannot figure out what.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/