c0re <[email protected]> writes:

> Hello everyone!
[...]
> So I add to slapd.conf
>
> TLSCertificateFile /usr/local/etc/openldap/ssl/ldap.server.ru.crt.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.server.ru.key.pem
> TLSCACertificateFile /usr/local/etc/openldap/ssl/rootcrt.pem
>
> In nss_ldap and ldap.conf I add the following:
>
> ssl start_tls
> tls_cacertfile /usr/local/etc/openldap/ssl-client/rootcrt.pem
>
> I start slapd with debugging:
[...]
> And slapd debug:
>
> > slap_listener_activate(7):
> >>> slap_listener(ldap:///)
[...]
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(11): got connid=1000
> connection_read(11): checking for input on id=1000
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(11): unable to get TLS client DN, error=49 id=1000
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You probably have configured slapd to require client verification, but the client doesn't provide a valid certificate.

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: [email protected]
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
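The diagnosis above can be automated: the script below (an added example, not part of the thread) scans slapd debug output for the "read client certificate" failure followed by "unable to get TLS client DN, error=49" and cross-checks it against the server's TLSVerifyClient setting. The log sample is abridged from the trace quoted above; the slapd.conf fragment reuses the thread's TLS* lines plus a TLSVerifyClient value of "demand", which is an assumption for the sake of the example, not something c0re posted.

```python
import re
# Constructed sample log, abridged from the slapd debug trace quoted in the thread.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
connection_read(11): unable to get TLS client DN, error=49 id=1000
"""
# Constructed slapd.conf fragment: the thread's TLS* lines plus TLSVerifyClient
# (a real directive; the value 'demand' is assumed, not taken from the thread).
SAMPLE_CONF = """\
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap.server.ru.crt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.server.ru.key.pem
TLSCACertificateFile /usr/local/etc/openldap/ssl/rootcrt.pem
TLSVerifyClient demand
"""
CERT_READ_ERR = re.compile(r"error in SSLv3 read client certificate")
CLIENT_DN_ERR = re.compile(r"unable to get TLS client DN, error=(\d+) id=(\d+)")

def diagnose_trace(trace):
    # connection id -> (LDAP error code, whether a client-cert read failed before it)
    findings, cert_failed = {}, False
    for line in trace.splitlines():
        if CERT_READ_ERR.search(line):
            cert_failed = True
        m = CLIENT_DN_ERR.search(line)
        if m:  # error=49 is LDAP invalidCredentials: no client DN could be derived
            findings[m.group(2)] = (int(m.group(1)), cert_failed)
            cert_failed = False
    return findings

def verify_client_mode(conf):
    # TLSVerifyClient value as configured; slapd defaults to 'never' when unset
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "tlsverifyclient":
            return parts[1].lower()
    return "never"

def explain(trace, conf):
    # one verdict per failing connection, combining the log pattern with the config
    mode = verify_client_mode(conf)
    verdicts = {}
    for conn_id, (code, cert_failed) in diagnose_trace(trace).items():
        if code == 49 and cert_failed and mode != "never":
            verdicts[conn_id] = "TLSVerifyClient=%s but the client sent no verifiable certificate" % mode
        else:
            verdicts[conn_id] = "client DN lookup failed with error=%d" % code
    return verdicts
```

Run it against a real `slapd -d` capture and the live slapd.conf to confirm whether the failure is the client-certificate requirement Dieter describes or something else in the TLS setup.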
