Greg Martin wrote:
> JOYDEEP, if you are only trying to encrypt the traffic (and not
> guarantee who the client is), then you need your slapd.conf to look as
> it does but drop the 'TLSVERIFYCLIENT demand' line. That is not
> needed for encryption.
>

Dear Greg, thanks a lot for the clarification. You have solved the TLS
encryption thing. Regarding the certificate I am confused, as I have seen
different GUI applications which only have the TLS enable option but no
option to declare the certificate. Moreover, in this case I have to
distribute the user certificate to the users. That's why I have enabled
the *disallow bind_anon* option in slapd.conf. So I think with *disallow
bind_anon* and with TLS encryption the server and client communication is
secured. Anyhow, I'd like to hear any suggestion about the client-side
certificate in case the remote client is using a GUI to access the LDAP
address book or LDAP-based email.

Thanks for your great guidance.

> The ldap.conf file only needs to reference the CACERT, the cipher suite
> and TLS_REQCERT demand
>
> Here are my slapd.conf & ldap.conf files. (Your file paths will vary)
> ldap.conf (edited to remove non-TLS directives)
> TLS_CACERT /var/data/ca/cacert.pem
> TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
> TLS_REQCERT demand
> --------------
> slapd.conf (edited to remove non-TLS directives)
> TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
> TLSCACertificateFile /var/data/ca/cacert.pem
> TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
> TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
> TLSVerifyClient never
> -------
> Also, here is the line from my rc.slapd to start the daemon:
> /usr/libexec/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -h "ldap:/// ldaps:///"
> This startup command has slapd listening on 389 & 636 for all
> configured IP addresses. This allows for both ldaps & TLS. If you
> only need TLS, you can drop " ldaps:///" from the line.
>
> Finally,
> If you need client verification, I would get TLS working first then
> add the client cert requirements. But, I think you'll want a
> different cert for the client. Your config has the client & server
> using the same cert. They should only share the CACert.
>
> \Greg
>
> JOYDEEP wrote:
>> Greg Martin wrote:
>>
>>> Try adding a corresponding TLSCipherSuite entry to ldap.conf.
>>>
>>> \Greg
>>>
>>
>> Sorry for the late reply as I was busy writing an article.
>> Anyhow, I have followed the guidance as suggested.
>>
>> Now the ldap.conf has become like
>> ----------------------------------------------
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>> TLS_CACERT /etc/openldap/myca/cacert.pem
>> TLS_CERT /etc/openldap/myca/servercert.pem
>> TLS_KEY /etc/openldap/myca/serverkey.pem
>> TLS_REQCERT allow
>> ---------------------------------------------------
>>
>> The slapd.conf is as before
>> -----------------------------------------------
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>> TLSCertificateFile /etc/openldap/myca/servercert.pem
>> TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
>> TLSCACertificateFile /etc/openldap/myca/cacert.pem
>> TLSVerifyClient demand
>> ----------------------------------------------------
>>
>> but still I have the same problem, like *ldapsearch -x -ZZ* reports
>>
>> ------------------------------------------
>> ldap_start_tls: Connect error (-11)
>> additional info: error:14094410:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>> --------------------------------------------
>>
>> and the log reports
>> --------------------------------------------------------------------------------
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 ACCEPT from
>> IP=127.0.0.1:33418 (IP=0.0.0.0:389)
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 STARTTLS
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 RESULT oid= err=0 text=
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 closed (TLS negotiation
>> failure)
>> ----------------------------------------------------------------------------------------
>>
>> *slapd -d 255* reports
>> -------------------------------------------
>> TLS trace: SSL_accept:error in SSLv3 read client certificate B
>> TLS: can't accept.
>> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
>> not return a certificate s3_srvr.c:2471
>> connection_read(15): TLS accept failure error=-1 id=42, closing
>> ---------------------------
>>
>> So pleeeaseeee help me to solve it.
>> Thanks a lot for the great support so far...
>>
>>> JOYDEEP wrote:
>>>
>>>> Dear list,
>>>>
>>>> Now *ldapsearch -x -ZZ* is working; but again I have a problem when
>>>> demanding a certificate from the host. The error is
>>>>
>>>> ========================
>>>> ldap_perror
>>>> ldap_start_tls: Connect error (-11)
>>>> additional info: error:14094410:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>>>> ======================================================================
>>>>
>>>> Here is my slapd.conf section of TLS
>>>> -----------------------------------------------
>>>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>>>> TLSCertificateFile /etc/openldap/myca/servercert.pem
>>>> TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
>>>> TLSCACertificateFile /etc/openldap/myca/cacert.pem
>>>> TLSVerifyClient demand
>>>> ----------------------------------------------------
>>>>
>>>> Here is my ldap.conf
>>>> ------------------------------------------------
>>>> TLS_CACERT /etc/openldap/myca/cacert.pem
>>>> TLS_CERT /etc/openldap/myca/servercert.pem
>>>> TLS_KEY /etc/openldap/myca/serverkey.pem
>>>> TLS_REQCERT allow
>>>> ---------------------------------------------------------
>>>>
>>>> Please note I have a self-signed certificate.
>>>>
>>>> Thanks
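As an added example (not from the thread, and not OpenLDAP code), a small Python lint that applies the points Greg makes to a slapd.conf / ldap.conf pair: a server that demands a client cert the client will not present, a client reusing the server's own certificate, TLS_REQCERT weaker than demand, and cipher strings that switch on SSLv2/SSLv3/LOW/EXP. It also encodes one fact from ldap.conf(5) that accounts for the "peer did not return a certificate" trace above: TLS_CERT and TLS_KEY are user-only options, honoured in ~/.ldaprc but ignored in the system-wide ldap.conf, which is what the `ldap_conf_is_system_file` flag (an assumption of this script) models. The sample input is the pair JOYDEEP posted.

```python
WEAK_CIPHER_TOKENS = {"SSLV2", "SSLV3", "LOW", "EXP", "ADH", "NULL"}  # obsolete protocols / weak suites

def parse_directives(text):
    """Map 'Directive value' lines to {DIRECTIVE_UPPER: value}, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf

def weak_cipher_tokens(suite):
    """Tokens that enable a weak set; '!X' exclusions such as !ADH are not counted."""
    return [t for t in suite.split(":") if t.lstrip("+").upper() in WEAK_CIPHER_TOKENS]

def lint_tls(slapd_conf, ldap_conf, ldap_conf_is_system_file=True):
    """Return findings (strings) for a slapd.conf / ldap.conf pair; an empty list means clean."""
    srv, cli = parse_directives(slapd_conf), parse_directives(ldap_conf)
    findings = []
    if srv.get("TLSVERIFYCLIENT", "never").lower() == "demand":
        if "TLS_CERT" not in cli or "TLS_KEY" not in cli:
            findings.append("server demands a client cert but ldap.conf sets no TLS_CERT/TLS_KEY")
        elif ldap_conf_is_system_file:  # ldap.conf(5): TLS_CERT and TLS_KEY are user-only options
            findings.append("TLS_CERT/TLS_KEY are user-only options, ignored in system ldap.conf; use ~/.ldaprc")
        if cli.get("TLS_CERT") and cli["TLS_CERT"] == srv.get("TLSCERTIFICATEFILE"):
            findings.append("client and server use the same certificate; share only the CA cert")
    if "TLS_CACERT" not in cli:
        findings.append("ldap.conf has no TLS_CACERT, so the client cannot verify the server")
    if cli.get("TLS_REQCERT", "demand").lower() != "demand":
        findings.append("TLS_REQCERT is not 'demand': an unverifiable server cert is accepted")
    for name, suite in (("slapd.conf", srv.get("TLSCIPHERSUITE")),
                        ("ldap.conf", cli.get("TLS_CIPHER_SUITE") or cli.get("TLSCIPHERSUITE"))):
        if suite and (weak := weak_cipher_tokens(suite)):
            findings.append(f"{name} cipher suite enables weak tokens: {', '.join(weak)}")
    return findings

# Sample input: the slapd.conf / ldap.conf pair JOYDEEP posted above, reused here as test data.
SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
TLSCACertificateFile /etc/openldap/myca/cacert.pem
TLSVerifyClient demand
"""
LDAP_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT /etc/openldap/myca/servercert.pem
TLS_KEY /etc/openldap/myca/serverkey.pem
TLS_REQCERT allow
"""
```

Running `lint_tls(SLAPD_CONF, LDAP_CONF)` on the posted pair yields five findings; switching the server to `TLSVerifyClient never`, as Greg advises for encryption-only use, leaves only the TLS_REQCERT and cipher-string findings.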
