On 8/23/07, Frank Cornelissen frankc@t310.org wrote:
On Aug 15, 2007, at 9:00 AM, Frank Cornelissen wrote:
Hello all,
Why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on Debian (package 2.3.30-5, to be precise).
When connecting with SSL to slapd using
ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
I get the following error from slapd (started with -d 8):
TLS: can't accept. TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
<snip>
After some debugging, this seems to be caused by the fact that on this machine libnss-ldap is enabled. This library will be loaded and will set some libldap options which seem to be global and thus interfering with the options from slapd. Anybody got an idea how to solve this, apart from setting up a separate machine for openldap?
I haven't looked at this specific issue, but other issues relating to using ldap-enabled software on a host using nss_ldap could be worked around by using nscd. However, the problems I've seen were fixed in the latest release of nss_ldap (257). Versions affected were at least 254-256, but it may depend on the ssl library (and version).
More details would help ... (if this hasn't been resolved yet).
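A small triage helper for the symptom discussed in this thread, added here as an illustration and not code from either poster. It parses the OpenSSL error embedded in a `TLS:` line of slapd `-d 8` output, reads the `TLSVerifyClient` directive from a slapd.conf fragment (defaulting to `never`, as slapd.conf(5) documents), and reports whether the server's demand for a client certificate is explained by its own configuration or must come from somewhere else in the process, which is the nss_ldap hypothesis above. The log lines and the slapd.conf fragment are constructed for the example, modelled on the two lines quoted in the thread.

```python
import re

# Constructed sample of slapd debug output (-d 8), modelled on the lines
# quoted in the thread; not real output from the poster's server.
SAMPLE_SLAPD_LOG = """\
daemon: read activity on 12
connection_get(12)
TLS: can't accept. TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
connection_read(12): TLS accept error=-1 id=0, closing
"""

# Constructed slapd.conf fragment: TLS is configured, TLSVerifyClient is absent.
SAMPLE_SLAPD_CONF = """\
TLSCACertificateFile   /etc/ssl/certs/ca.pem
TLSCertificateFile     /etc/ssl/certs/slapd.pem
TLSCertificateKeyFile  /etc/ssl/private/slapd.key
"""

# OpenSSL error strings have the shape
#   error:<8 hex digits>:<library>:<function>:<reason> [<file>.c:<line>]
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)
SRC_LOC_RE = re.compile(r"\s+\S+\.c:\d+$")


def parse_tls_errors(log_text):
    """Return one dict per OpenSSL error reported on a 'TLS:' slapd log line."""
    errors = []
    for line in log_text.splitlines():
        if not line.startswith("TLS:"):
            continue
        m = OPENSSL_ERR_RE.search(line)
        if not m:
            continue
        err = m.groupdict()
        # Drop the trailing "s3_srvr.c:2455" source location from the reason text.
        err["reason"] = SRC_LOC_RE.sub("", err["reason"]).strip()
        errors.append(err)
    return errors


def client_cert_was_demanded(errors):
    """True if a handshake was aborted because the client presented no certificate."""
    return any(
        "GET_CLIENT_CERTIFICATE" in e["func"]
        and "peer did not return a certificate" in e["reason"]
        for e in errors
    )


def configured_tls_verify_client(conf_text):
    """Effective TLSVerifyClient value; slapd.conf(5) documents 'never' as the default."""
    value = "never"
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "tlsverifyclient" and len(parts) == 2:
            value = parts[1].strip().lower()
    return value


def diagnose(log_text, conf_text):
    """Compare the log evidence with slapd.conf and say where the demand came from."""
    errors = parse_tls_errors(log_text)
    if not client_cert_was_demanded(errors):
        return "no client-certificate failure found in the log"
    setting = configured_tls_verify_client(conf_text)
    # Only 'demand' (alias 'hard') makes a missing client certificate fatal.
    if setting in ("demand", "hard"):
        return (f"slapd.conf sets TLSVerifyClient {setting}: clients must present a "
                f"certificate (ldapsearch needs TLS_CERT/TLS_KEY in ldap.conf)")
    return (f"slapd.conf does not demand a client certificate (TLSVerifyClient {setting}) "
            f"yet slapd did: check whether another library loaded into the slapd "
            f"process, such as nss_ldap, sets global libldap TLS options")


if __name__ == "__main__":
    for e in parse_tls_errors(SAMPLE_SLAPD_LOG):
        print(f"{e['code']} {e['func']}: {e['reason']}")
    print(diagnose(SAMPLE_SLAPD_LOG, SAMPLE_SLAPD_CONF))
```

Run against real output by substituting the captured `-d 8` log and the live slapd.conf; a "does not demand" verdict is the cue to look at which other libraries are mapped into the slapd process rather than at slapd's own TLS directives.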