After inspecting the source code I've just found that TLS_KEY and TLS_CERT are ignored if located in /etc/openldap/ldap.conf. Why is this not written explicitly in man ldap.conf(5)? I've spent two days of my precious life digging it out. Now it works.
2016-08-06 16:07 GMT+03:00 Matwey V. Kornilov <[email protected]>:
> Hello,
>
> I am running openldap 2.4.41 and I've failed to set up client certificate
> validation. TLS works well until olcTLSVerifyClient is set to demand.
> Then I see
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> at the client side.
> And
>
> connection_read(11): TLS accept failure error=-1 id=1021, closing
>
> at the server side.
> So, I've configured /etc/openldap/ldap.conf as follows to provide the
> client TLS certificate paths:
>
> TLS_CACERT /path/to/myroot.pem
> TLS_CACERTDIR /var/lib/ca-certificates/pem/
> TLS_CERT /path/to/my.crt
> TLS_KEY /path/to/my.key
>
> However, when I run openssl s_server -Verify 0 -accept 636 ...
> I see the following:
>
> ERROR
> 140680155473552:error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> certificate:s3_srvr.c:3309:
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
>
> So, this means that ldapsearch doesn't send out its client certificate.
> I've also checked with the strace tool that it doesn't even access the
> certificate file.
>
> So, I am a little stuck here. I understand that I am doing something
> wrong, but I cannot figure out what.

--
With best regards,
Matwey V. Kornilov
http://blog.matwey.name
xmpp://[email protected]
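The misplacement described in the reply above (TLS_CERT and TLS_KEY in the system-wide /etc/openldap/ldap.conf having no effect, so ldapsearch never even opens the certificate file) is easy to catch mechanically before spending days on strace. The following is an added example, not code from this thread or from the OpenLDAP project: a small lint for ldap.conf-style files that parses the directive syntax, flags those two directives when they appear in a system-wide configuration path, and optionally checks that every path-valued TLS directive points at an existing file or directory. The set of flagged directives and the list of system-wide paths are assumptions taken from this thread, and the sample configuration is constructed from the one quoted above.

```python
"""Lint an OpenLDAP client ldap.conf for client-certificate directives that,
per the thread above, are ignored in the system-wide file.

Added example; not part of the original thread or of OpenLDAP itself.
"""
import os
import sys
from dataclasses import dataclass

# Directives the thread reports as ignored in /etc/openldap/ldap.conf
# (they only take effect from a per-user ldaprc / ~/.ldaprc).
# Assumption: this set comes from the thread, not from the OpenLDAP manual.
USER_ONLY_DIRECTIVES = {"TLS_CERT", "TLS_KEY"}

# Directives whose value is a filesystem path we can sanity-check.
PATH_DIRECTIVES = {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY"}

# Assumption: the usual locations of the system-wide client configuration.
SYSTEM_WIDE_PATHS = ("/etc/openldap/ldap.conf", "/etc/ldap/ldap.conf")

# Constructed sample mirroring the /etc/openldap/ldap.conf quoted in the thread.
SAMPLE_SYSTEM_CONF = """\
# constructed sample
TLS_CACERT    /path/to/myroot.pem
TLS_CACERTDIR /var/lib/ca-certificates/pem/
TLS_CERT      /path/to/my.crt
TLS_KEY       /path/to/my.key
"""


@dataclass
class Finding:
    line_no: int
    directive: str
    message: str


def parse_ldap_conf(text):
    """Return [(line_no, DIRECTIVE, value)] for each directive line.

    ldap.conf syntax: blank lines and lines starting with '#' are ignored;
    a directive is a case-insensitive keyword followed by whitespace and
    the rest of the line as its value.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((line_no, keyword, value))
    return entries


def lint_ldap_conf(text, conf_path, check_fs=True):
    """Return a list of Finding for the configuration text living at conf_path.

    Flags user-only directives placed in a system-wide file and, when
    check_fs is True, path-valued TLS directives whose target is missing.
    """
    findings = []
    system_wide = conf_path in SYSTEM_WIDE_PATHS
    for line_no, keyword, value in parse_ldap_conf(text):
        if system_wide and keyword in USER_ONLY_DIRECTIVES:
            findings.append(Finding(
                line_no, keyword,
                f"{keyword} in system-wide {conf_path} is ignored by the client "
                f"library; move it to ~/.ldaprc or ldaprc"))
        if check_fs and keyword in PATH_DIRECTIVES and value \
                and not os.path.exists(value):
            findings.append(Finding(line_no, keyword, f"path {value} does not exist"))
    return findings


def main(argv):
    # Usage: lint_ldap_conf.py [/etc/openldap/ldap.conf]; without an argument
    # the constructed sample is linted as if it were the system-wide file.
    if len(argv) > 1:
        conf_path = argv[1]
        with open(conf_path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        conf_path, text = "/etc/openldap/ldap.conf", SAMPLE_SYSTEM_CONF
    findings = lint_ldap_conf(text, conf_path)
    for f in findings:
        print(f"{conf_path}:{f.line_no}: {f.directive}: {f.message}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed sample, the lint reports TLS_CERT and TLS_KEY as ineffective in the system-wide file; run against the same text treated as ~/.ldaprc it reports nothing about placement, which is exactly the move the reply above ends up making. The existence check is a separate, cheap substitute for the strace observation in the original message: a directive that is honoured but points at a missing file fails in the same silent way from the client's point of view.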
