Hi Joshua, You should look at TLS_CERT and TLS_KEY, which are specific for the client certificate. The TLS_CACERT is related to server certificate.
Regards, Italo. On Sat, Mar 8, 2014 at 10:50 AM, Joshua Schaeffer <[email protected]>wrote: > I'm in the process of setting up my slapd server to operate over LDAPS > and having trouble when using a CA certificate (being my own certificate > authority). I've been able to setup LDAPS when using a self-signed > server certificate: > > root@baneling:~# slapcat -H ldap:///cn=config??base > dn: cn=config > objectClass: olcGlobal > cn: config > olcArgsFile: /var/run/slapd/slapd.args > olcLogLevel: none > olcPidFile: /var/run/slapd/slapd.pid > olcToolThreads: 1 > structuralObjectClass: olcGlobal > entryUUID: 0e827846-3926-1033-9f74-632898b715c9 > creatorsName: cn=config > createTimestamp: 20140306025210Z > olcTLSCertificateFile: /etc/ssl/certs/ldap.harmonywave.com.crt > olcTLSCertificateKeyFile: /etc/ssl/private/ldap.harmonywave.com.key > olcTLSCipherSuite: SECURE256 > olcTLSVerifyClient: never > entryCSN: 20140308131751.026022Z#000000#000#000000 > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > modifyTimestamp: 20140308131751Z > > This works fine and I'm able to authenticate clients. However if I use a > CA certificate (again, being my own CA) to sign my server certificate and > then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile > then I can no longer authenticate. I've installed my CA certificate on > the client machine and pointed both ldap.conf and nslcd.conf to the CA > certificate. However I get the following when debugging: > > root@baneling:~# slapd -d conns -h ldaps:/// > 531b1cef @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $ > root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd > 531b1cf0 slapd starting > 531b1cf0 daemon: added 3r listener=(nil) > 531b1cf0 daemon: added 6r listener=0x7fe2d98326e0 > 531b1cf0 daemon: added 7r listener=0x7fe2d98327c0 > 531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero > 531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero > 531b1cf0 daemon: activity on 1 descriptor > 531b1cf0 daemon: activity on:531b1cf0 > 531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero > 531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero > 531b1cf4 daemon: activity on 1 descriptor > 531b1cf4 daemon: activity on:531b1cf4 > 531b1cf4 daemon: epoll: listen=6 busy > 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero > 531b1cf4 daemon: activity on 1 descriptor > 531b1cf4 daemon: activity on:531b1cf4 > 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero > 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero > 531b1cf4 daemon: listen=6, new connection on 12 > 531b1cf4 daemon: added 12r (active) listener=(nil) > 531b1cf4 daemon: activity on 1 descriptor > 531b1cf4 daemon: activity on:531b1cf4 12r531b1cf4 > 531b1cf4 daemon: read active on 12 > 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero > 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero > 531b1cf4 daemon: activity on 1 descriptor > 531b1cf4 daemon: activity on:531b1cf4 > 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero > 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero > 531b1cf4 daemon: activity on 1 descriptor > 531b1cf4 daemon: activity on:531b1cf4 > 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero > 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero > 531b1cf4 daemon: activity on 1 descriptor > 531b1cf4 daemon: activity on:531b1cf4 12r531b1cf4 > 531b1cf4 daemon: read active on 12 > 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero > 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero > TLS: can't accept: The peer did not send any certificate.. > 531b1cf4 connection_closing: readying conn=1000 sd=12 for close > 531b1cf4 daemon: removing 12 > 531b1cf4 daemon: activity on 1 descriptor > 531b1cf4 daemon: activity on:531b1cf4 > > Why would the client not send the certificate if I've pointed TLS_CACERT > in ldap.conf and tls_cacertfile to that cert? Maybe I'm misunderstanding > the basic concepts here, I am pretty new to a lot of this. I'm using > OpenLDAP 2.4.31, Debian 7, and GnuTLS. Yes, I'm aware of its recent critical > security bug and the warnings against it from this group ( > http://www.openldap.org/lists/openldap-devel/200802/msg00072.html). > > Thanks, > Joshua > -- Saudações, Italo Valcy :: http://wiki.dcc.ufba.br/Main/ItaloValcy
