You probably don't want the server cert or key files in the ldap.conf file. Those entries are for client-side certificates. You should only need the CA cert. Suggest you Re-read the ldap.conf man page for TLS entries
\Greg
JOYDEEP wrote:
Greg Martin wrote:
JoyDeep, If I understand the slapd manpage, TLSVERIVYCLIENT demand requires the the client have a valid certificate for authentication to the server. Have you configured ldap.conf with client certificate information?
This is not to be confused with the 'TLS_REQCERT demand' directive in the ldap.conf which can direct the client to require the server certificate to be valid
Thanks Greg,
here is the TLS part of my /etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/myca/cacert.pem TLS_CERT /etc/openldap/myca/servercert.pem TLS_KEY /etc/openldap/myca/serverkey.pem TLS_REQCERT demand
So what to do to solve the problem ? thanks once again for your response.
\Greg
JOYDEEP wrote:
dear list,
I have no problem to execute the command ldapsearch -H ldaps:// -u "uid=anupam" -x
here is my TLS part of slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/openldap/myca/servercert.pem TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem TLSCACertificateFile /etc/openldap/myca/cacert.pem TLSVerifyClient never
Now when I change the [TLSVerifyClient never] to [TLSVerifyClient demand] and try to execute the same command * ldapsearch -H ldaps:// -u "uid=anupam" -x * it gives errors like
ldap_bind: Can't contact LDAP server (-1) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Could any one suggest the problem I have here and the solution please ?