
Re: Bind with user cert in ~/.ldaprc ?



On Thu, 17 Jul 2014 10:03:19 +0200,
Olivier <ldap@guillard.nom.fr> wrote:

> Hi,
> 
> I use TLS for ldap clients to authenticate the ldap server.  I've
> created a self
> signed CA as well as the server certificate with openssl. The CA is
> known on the client side (aka : TLS_CACERT in ldap.conf).
> 
> Since I'm using multimaster mode, I also have been able to tell the
> servers to authenticate between them for synchronisation
> (starttls=yes and tls_cacert=/.../CA.crt in olcSyncrepl)
> 
> --> Ok : all this works fine for me.
> 
> I now try to bind openldap using a user certificate ( with a subject
> appropriately
> matching the user ldap entry, and signed with the same CA that
> is also known by the server (aka: olcTLSCACertificateFile) ).
> 
> I have told the server to attempt to verify the client
> (olcTLSVerifyClient: try) and
> I have declared my user certificate files in my ~/.ldaprc :
> 
> TLS_CERT /home/olivier/certs/my.crt
> TLS_KEY /home/olivier/certs/my.key
> 
> Result : I don't manage to bind the server (I tried ldapsearch -ZZZ -Y
> external)
> 
> Where am I wrong ?
> 
> Note :
> 
> On the server side, I don't manage to see the TLS transactions in the
> logs, is
> there any loglevel one could recommend ?
> 
> On the client side, I don't see my certificates being read by ldapsearch
> (aka : ldapsearch -d1).
> 
> Any help ?

At least, it works for me,
ldapwhoami -Y EXTERNAL -ZZ -H ldap://<my.host>
SASL/EXTERNAL authentication started
SASL username: cn=Dieter Kluenter,ou=Partner,o=AVCI,c=DE
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

You are probably missing the TLS_CACERT parameter in your ~/.ldaprc.
Otherwise run slapd in debug level 3.

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
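An added check script (not from the thread or from OpenLDAP) for the client-side configuration Dieter points at: it reads one or more ldap.conf-style files, reports whether TLS_CACERT, TLS_CERT and TLS_KEY are all set and point to readable files, and warns when the private key is readable by others, which is the state to confirm before retrying `ldapwhoami -Y EXTERNAL -ZZ`. The function name and the sample files are assumptions; the last occurrence of a directive across the given files is taken as its value.

```shell
#!/bin/sh
# check_ldaprc FILE...  (hypothetical helper; not part of OpenLDAP)
# Reads ldap.conf/.ldaprc-style files (directive, whitespace, value; lines
# starting with '#' are comments) and verifies the three TLS directives a
# SASL/EXTERNAL client-certificate bind over StartTLS depends on.
# Returns 0 when all three are set and readable, 1 otherwise.
check_ldaprc() {
    status=0
    for key in TLS_CACERT TLS_CERT TLS_KEY; do
        # Directive keywords are matched case-insensitively; last one wins.
        value=$(awk -v k="$key" 'toupper($1) == k { v = $2 } END { print v }' "$@")
        if [ -z "$value" ]; then
            echo "MISSING: $key is not set in $*"
            status=1
            continue
        fi
        if [ ! -r "$value" ]; then
            echo "MISSING FILE: $key points to $value, which is not readable"
            status=1
            continue
        fi
        if [ "$key" = TLS_KEY ]; then
            # The private key should be readable only by its owner (0600/0400).
            mode=$(stat -c %a "$value" 2>/dev/null || stat -f %Lp "$value")
            case "$mode" in
                *00) ;;
                *) echo "WARN: $key file $value has mode $mode (expected 600)" ;;
            esac
        fi
        echo "OK: $key -> $value"
    done
    return $status
}
```

Run it against both files the client merges, e.g. `check_ldaprc /etc/ldap/ldap.conf ~/.ldaprc`, since a TLS_CACERT set only in the system file is still honoured for the user.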