It works now! TLS_CACERT was in ldap.conf, so that was not the problem: it was a shadow character hidden in the CERT filename path.
Stupid really :-( Thanks for your response!

I take the opportunity to ask this: do you have any advice or suggestions of readings for production deployment (aka: do you think I could consider generalizing this method for my users to authenticate?)
By "users" I mean internal users accessing internal resources, including shells on boxes, and also external users accessing a webapp that we offer to them.

Thanks again,

---
Olivier

2014-07-17 10:44 GMT+02:00 Dieter Klünter <[email protected]>:

> On Thu, 17 Jul 2014 10:03:19 +0200, Olivier <[email protected]> wrote:
>
> > Hi,
> >
> > I use TLS for ldap clients to authenticate the ldap server. I've
> > created a self
> > signed CA as well as the server certificate with openssl. The CA is
> > known on the client side (aka: TLS_CACERT in ldap.conf).
> >
> > Since I'm using multimaster mode, I also have been able to tell the
> > servers to authenticate between them for synchronisation
> > (starttls=yes and tls_cacert=/.../CA.crt in olcSyncrepl)
> >
> > --> Ok: all this works fine for me.
> >
> > I now try to bind openldap using a user certificate (with a subject
> > appropriately
> > matching the user ldap entry, and signed with the same CA that
> > is also known by the server (aka: olcTLSCACertificateFile)).
> >
> > I have told the server to attempt to verify the client
> > (olcTLSVerifyClient: try) and
> > I have declared my user certificate files in my ~/.ldaprc:
> >
> > TLS_CERT /home/olivier/certs/my.crt
> > TLS_KEY /home/olivier/certs/my.key
> >
> > Result: I don't manage to bind the server (I tried ldapsearch -ZZZ -Y
> > external)
> >
> > Where am I wrong?
> >
> > Note:
> >
> > On the server side, I don't manage to see the TLS transactions in the
> > logs, is
> > there any loglevel one could recommend?
> >
> > On the client side, I don't see my certificates being read by ldapsearch
> > (aka: ldapsearch -d1).
> >
> > Any help?
>
> At least, it works for me,
> ldapwhoami -Y EXTERNAL -ZZ -H ldap://<my.host>
> SASL/EXTERNAL authentication started
> SASL username: cn=Dieter Kluenter,ou=Partner,o=AVCI,c=DE
> SASL SSF: 0
> dn:cn=dieter kluenter,ou=partner,o=avci,c=de
>
> You are probably missing the TLS_CACERT parameter in your ~/.ldaprc
> Otherwise run slapd in debug level 3.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
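The root cause in this thread was a non-printable character hidden in a TLS_CERT path in ~/.ldaprc, which ldapsearch does not report in any obvious way. As an added example (not part of the thread, and not OpenLDAP's own tooling), here is a POSIX shell check that scans an ldaprc-style file for TLS_CERT / TLS_KEY / TLS_CACERT values carrying non-printable bytes or naming unreadable files; the function name check_ldaprc and the sample ldaprc content are mine.

```shell
#!/bin/sh
# check_ldaprc FILE: inspect the TLS_CERT / TLS_KEY / TLS_CACERT entries of an
# ldaprc-style file. Returns 1 if any value carries a non-printable byte (a
# stray CR, tab, zero-width space or similar "shadow" character that the
# client will silently fail to open) or names a file that is not readable.
check_ldaprc() {
    ldaprc="$1"
    rc=0
    # Keep only the keywords that name files; comment lines start with '#'.
    lines=$(grep -E '^[[:space:]]*TLS_(CERT|KEY|CACERT)[[:space:]]' "$ldaprc" || true)
    # Read from a here-document, not a pipe, so rc is not lost in a subshell.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*\([A-Z_]*\).*/\1/')
        # Value = rest of the line with trailing blanks (space/tab only) removed,
        # so a trailing CR or other odd byte is kept and gets flagged below.
        val=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[A-Z_]*[[:space:]]*//; s/[[:blank:]]*$//')
        # Bytes outside printable ASCII (0x20-0x7e) do not belong in these paths.
        if printf '%s' "$val" | LC_ALL=C grep -q '[^ -~]'; then
            printf '%s: %s has non-printable bytes:%s\n' "$ldaprc" "$key" \
                "$(printf '%s' "$val" | od -An -c | tr -s ' ')"
            rc=1
        elif [ ! -r "$val" ]; then
            printf '%s: %s names a missing or unreadable file: %s\n' "$ldaprc" "$key" "$val"
            rc=1
        fi
    done <<EOF
$lines
EOF
    return $rc
}

# Demo on constructed input: a CR hidden after the TLS_CERT path, as in the thread.
demo=$(mktemp -d)
: > "$demo/my.crt"; : > "$demo/my.key"
printf 'TLS_CERT %s/my.crt\r\nTLS_KEY %s/my.key\n' "$demo" "$demo" > "$demo/ldaprc"
check_ldaprc "$demo/ldaprc" || echo "ldaprc needs fixing"
rm -rf "$demo"
```

Run it against ~/.ldaprc and /etc/ldap/ldap.conf (or wherever your distribution keeps ldap.conf) before reaching for slapd debug levels; a clean result means the paths at least resolve, and the remaining suspects are the certificate chain and olcTLSVerifyClient.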
