Am Thu, 17 Jul 2014 10:03:19 +0200 schrieb Olivier <[email protected]>:
> Hi, > > I use TLS for ldap clients to authentify the ldap server. I've > created a self > signed CA as well as the server certificate with openssl. The CA is > known on the client side (aka : TLS_CACERT in ldap.conf). > > Since I'm using multimaster mode, I also have been able to tell the > servers to authenticate between them for synchronisation > (starttls=yes and tls_cacert=/.../CA.crt in olcSyncrepl) > > --> Ok : all this works fine for me. > > I now try to bind openldap using a user certificate ( with a subject > apporiately > matching the user ldap entry, and signed with with the same CA that > is also known by the server (aka: olcTLSCACertificateFile) ). > > I have told the server to attempt to verify the client > (olcTLSVerifyClient: try) and > I have declared my user certificate files in my ~/.ldaprc : > > TLS_CERT /home/olivier/certs/my.crt > TLS_KEY /home/olivier/certs/my.key > > Result : I don't manage to bind the server (I tried ldapsearch -ZZZ -Y > external) > > Where am I wrong ? > > Note : > > On the server side, I don't manage to see the TLS transactions in the > logs, is > there any loglevel one would could recommend ? > > On the client side, I don't see my certicates to be red by ldapsearch > (aka : ldapsearch -d1). > > Any help ? At least, it works for me, ldapwhoami -Y EXTERNAL -ZZ -H ldap://<my.host> SASL/EXTERNAL authentication started SASL username: cn=Dieter Kluenter,ou=Partner,o=AVCI,c=DE SASL SSF: 0 dn:cn=dieter kluenter,ou=partner,o=avci,c=de You are probably missing the TLS_CA CERT parameter in you ~/.ldaprc Otherwise run slapd in debug level 3. -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
