
Re: TLSVerifyClient => no login possible



Dieter Kluenter wrote:
> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>
>   
>> Hello,
>>
>> I have configured an openSUSE 11.0 (x86_64) with openldap-server. Also
>> the TLS is activated. All clients are set to "TLS_REQCERT    demand"
>> and it is working.
>> Then I created client certificates by using the server's Yast2 CA-
>> management. I copied the client certificates and also the server's
>> "cacert" into the "/etc/openldap/" directory on the client computer. With
>> "TLSVerifyClient allow" clients can login, but if I activate the
>> "TLSVerifyClient demand" option in the server's slapd.conf no user can
>> perform a login and it causes errors in /var/log/messages:
>>     
> [...]
>
>   
>> What is wrong? The client's certificate "common name" is set to the
>> client's hostname. Is this ok?
>>     
>
> Clients don't read slapd.conf(5) but only ldap.conf(5); run slapd with
> debug level 3 to analyse the TLS session.
>
> -Dieter
>
>   
Hello Dieter,

Now I have set the loglevel to "3" and I get the following output if I
try to log in (it still fails):
-------------------/var/log/messages---------------------------------------------------------------------
Feb 25 16:41:49 lmvserver slapd[11737]: slap_listener_activate(8):
Feb 25 16:41:49 lmvserver slapd[11737]: >>> slap_listener(ldap://)
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking
for input on id=0
Feb 25 16:41:49 lmvserver slapd[11737]: conn=0 op=0 do_extended
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_extended: err=0 oid= len=0
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_response: msgid=1
tag=120 err=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking
for input on id=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking
for input on id=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): TLS accept
failure error=-1 id=0, closing
Feb 25 16:41:49 lmvserver slapd[11737]: connection_closing: readying
conn=0 sd=13 for close
Feb 25 16:41:49 lmvserver slapd[11737]: connection_close: conn=0 sd=13
Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search
LDAP server - Server is unavailable
Feb 25 16:41:49 lmvserver slapd[11737]: slap_listener_activate(8):
Feb 25 16:41:49 lmvserver slapd[11737]: >>> slap_listener(ldap://)
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking
for input on id=1
Feb 25 16:41:49 lmvserver slapd[11737]: conn=1 op=0 do_extended
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_extended: err=0 oid= len=0
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_response: msgid=1
tag=120 err=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking
for input on id=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking
for input on id=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): TLS accept
failure error=-1 id=1, closing
Feb 25 16:41:49 lmvserver slapd[11737]: connection_closing: readying
conn=1 sd=13 for close
Feb 25 16:41:49 lmvserver slapd[11737]: connection_close: conn=1 sd=13
Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s:
Connect error
-------------------/var/log/messages---------------------------------------------------------------------

I am not sure if this is a configuration or a certificate error. Do you
understand the output above?

-- 
Kind regards

Sebastian Reinhardt
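Added example, not from this thread: a small Python script that parses slapd debug-level-3 output of the kind posted above (re-joining the lines the mail client wrapped) and reports, per connection id, whether the StartTLS extended operation was accepted (tag=120 err=0) and whether the TLS handshake then failed. The log text is a constructed sample modelled on the post, not the poster's file.

```python
import re

# Constructed sample in the shape of the poster's debug-level-3 slapd log,
# keeping the wrapping the mail client introduced (continuation lines
# carry no syslog timestamp).
SAMPLE_LOG = """\
Feb 25 16:41:49 lmvserver slapd[11737]: conn=0 op=0 do_extended
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_response: msgid=1
tag=120 err=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): TLS accept
failure error=-1 id=0, closing
Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search
LDAP server - Server is unavailable
Feb 25 16:41:49 lmvserver slapd[11737]: conn=1 op=0 do_extended
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_response: msgid=1
tag=120 err=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): TLS accept
failure error=-1 id=1, closing
"""

SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ ")
CONN_ID = re.compile(r"\b(?:conn|connid|id)=(\d+)")  # \b keeps msgid= out

def unwrap(text):
    """Re-join records that were wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if SYSLOG_PREFIX.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def summarize_tls(text):
    """Per slapd connection: was StartTLS accepted, and did the TLS
    handshake then fail?  Returns {conn_id: (starttls_ok, tls_failed)}."""
    state, current = {}, None
    for rec in unwrap(text):
        if "slapd[" not in rec:          # kdm/pam_ldap lines are the client's view
            continue
        m = CONN_ID.search(rec)
        if m:                            # slapd tags most records with the conn id
            current = int(m.group(1))
            state.setdefault(current, [False, False])
        if current is None:
            continue
        # tag=120 is the ExtendedResponse; err=0 means StartTLS was accepted
        if "send_ldap_response" in rec and "tag=120" in rec and "err=0" in rec:
            state[current][0] = True
        if "TLS accept failure" in rec:  # handshake died after StartTLS
            state[current][1] = True
    return {cid: tuple(v) for cid, v in state.items()}

def failed_after_starttls(text):
    """Connection ids where StartTLS was accepted but the handshake failed."""
    return sorted(c for c, (ok, bad) in summarize_tls(text).items() if ok and bad)
```

Both connections in the sample complete StartTLS and then die in TLS accept, which is what slapd does under TLSVerifyClient demand when the client presents no acceptable certificate; the client's certificate and key are configured on the client side (TLS_CERT/TLS_KEY in ldap.conf or ~/.ldaprc, tls_cert/tls_key for pam_ldap and nss_ldap), not in slapd.conf.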