Greg Martin wrote:
JOYDEEP, if you are only trying to encrypt the traffic (and not guarantee who the client is), then you need your slapd.conf to look as it does but drop the 'TLSVERIFYCLIENT demand' line. That is not needed for encryption.
Dear Greg,
Thanks a lot for the clarification. You have solved the TLS encryption thing. Regarding the certificate I am confused, as I have seen different GUI applications which only have the TLS enable option but no option to declare the certificate. Moreover, in this case I have to distribute the user certificate to the users. That's why I have enabled the *disallow bind_anon* option in slapd.conf. So I think with *disallow bind_anon* and with TLS encryption the server and client communication is secured. Anyhow, I would like to hear any suggestion about the client side certificate in case the remote client is using a GUI to access the LDAP addressbook or LDAP based email.
thanks for your great guidance.
The ldap.conf file only needs to reference the CACERT, the cipher suite and TLS_REQCERT demand.

Here are my slapd.conf & ldap.conf files. (Your file paths will vary.)

ldap.conf (edited to remove non-TLS directives):

    TLS_CACERT /var/data/ca/cacert.pem
    # ldap.conf(5) spells this directive TLS_CIPHER_SUITE; TLSCipherSuite is the slapd.conf name
    TLS_CIPHER_SUITE ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
    TLS_REQCERT demand

slapd.conf (edited to remove non-TLS directives):

    TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
    TLSCACertificateFile /var/data/ca/cacert.pem
    TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
    TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
    TLSVerifyClient never

Also, here is the line from my rc.slapd to start the daemon:

    /usr/libexec/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -h "ldap:/// ldaps:///"

This startup command has slapd listening on 389 & 636 for all configured IP addresses. This allows for both ldaps & TLS. If you only need TLS, you can drop " ldaps:///" from the line.
Finally, If you need client verification, I would get TLS working first then add the client cert requirements. But, I think you'll want a different cert for the client. Your config has the client & server using the same cert. They should only share the CACert.
\Greg
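Greg's point that the client and server should share only the CA certificate, and the "peer did not return a certificate" failure quoted further down the thread, can both be checked offline with openssl. The script below is an added example; it is not from the thread or from OpenLDAP, and the CA name, CNs and the $WORK directory are placeholders. It issues a server certificate and a separate client certificate from one private CA and then uses `openssl verify -purpose` to show that each is acceptable only for its own role, which is why the thread's ldap.conf (pointing TLS_CERT at servercert.pem) cannot satisfy `TLSVerifyClient demand`. A second detail worth knowing: per ldap.conf(5), TLS_CERT and TLS_KEY are user-only options, read from a user's ~/.ldaprc (or the file named by LDAPRC) and ignored in the system-wide ldap.conf, so placing them in /etc/openldap/ldap.conf does not make ldapsearch send a client certificate at all.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, then issue a server
# certificate and a SEPARATE client certificate from it, and check with
# "openssl verify" that each is valid for its own role only. All names and
# paths are placeholders; the files land in $WORK (a temp dir by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CERT="$WORK/cacert.pem"
CA_KEY="$WORK/cakey.pem"

# Self-signed CA. This is the only file the server and the clients share:
# slapd gets it as TLSCACertificateFile, clients as TLS_CACERT.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example LDAP CA" \
    -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}

# issue_cert NAME CN EKU
# Writes NAMEkey.pem and NAMEcert.pem, signed by the CA, with the given
# extendedKeyUsage (serverAuth for slapd, clientAuth for an LDAP client).
issue_cert() {
  name=$1; cn=$2; eku=$3
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$cn" \
    -keyout "$WORK/${name}key.pem" -out "$WORK/${name}.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/${name}.ext"
  openssl x509 -req -days 365 \
    -in "$WORK/${name}.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$WORK/${name}.ext" -out "$WORK/${name}cert.pem" 2>/dev/null
}

# verify_for CERT PURPOSE   (PURPOSE is sslserver or sslclient)
# Exit status 0 when CERT chains to the CA and its EKU permits PURPOSE. This is
# the check slapd applies under "TLSVerifyClient demand" and that ldapsearch
# applies to the server under "TLS_REQCERT demand".
verify_for() {
  openssl verify -CAfile "$CA_CERT" -purpose "$2" "$1" >/dev/null 2>&1
}

main() {
  make_ca
  issue_cert server ldap1.example.com serverAuth  # -> TLSCertificateFile / TLSCertificateKeyFile
  issue_cert client joydeep clientAuth             # -> TLS_CERT / TLS_KEY in the user's ~/.ldaprc

  verify_for "$WORK/servercert.pem" sslserver && echo "server cert: valid for sslserver"
  verify_for "$WORK/clientcert.pem" sslclient && echo "client cert: valid for sslclient"
  # Reusing the server cert as the client cert (the thread's ldap.conf does this)
  # is rejected once EKU is set; a separate client cert is needed.
  verify_for "$WORK/servercert.pem" sslclient || echo "server cert: NOT valid for sslclient (expected)"

  echo "files in $WORK"
  # Against a live server, the TLS-layer equivalent of "ldapsearch -x -ZZ" is:
  #   openssl s_client -connect ldap1.example.com:389 -starttls ldap -CAfile "$CA_CERT"
  # and, when slapd demands a client certificate:
  #   openssl s_client ... -cert "$WORK/clientcert.pem" -key "$WORK/clientkey.pem"
}

main
```

Run it as-is to get the three files under $WORK; set WORK to a directory of your own to keep them. The two `-purpose` checks are what separate "encrypt only" (server cert valid for sslserver, client presents nothing) from "authenticate the client" (client cert valid for sslclient, signed by the same CA).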
JOYDEEP wrote:
Greg Martin wrote:
Try adding a corresponding TLSCipherSuite entry to ldap.conf.
\Greg
Sorry for the late reply, as I was busy writing an article. Anyhow, I have followed the guidance as suggested.

Now the ldap.conf looks like:

    # ldap.conf(5) spells this directive TLS_CIPHER_SUITE; TLSCipherSuite is the slapd.conf name
    TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
    TLS_CACERT /etc/openldap/myca/cacert.pem
    TLS_CERT /etc/openldap/myca/servercert.pem
    TLS_KEY /etc/openldap/myca/serverkey.pem
    TLS_REQCERT allow

The slapd.conf is as before:

    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /etc/openldap/myca/servercert.pem
    TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
    TLSCACertificateFile /etc/openldap/myca/cacert.pem
    TLSVerifyClient demand

But I still have the same problem. *ldapsearch -x -ZZ* reports:

    ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
and the log reports
    Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 ACCEPT from IP=127.0.0.1:33418 (IP=0.0.0.0:389)
    Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 STARTTLS
    Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 RESULT oid= err=0 text=
    Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 closed (TLS negotiation failure)
*slapd -d 255* reports
    TLS trace: SSL_accept:error in SSLv3 read client certificate B
    TLS: can't accept.
    TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
    connection_read(15): TLS accept failure error=-1 id=42, closing
so pleeeaseeee help me to solve it. thanks a lot for the great support so far...
JOYDEEP wrote:
Dear list,
Now *ldapsearch -x -ZZ* is working, but again I have a problem when demanding a certificate from the host. The error is:

    ldap_perror
    ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Here is the TLS section of my slapd.conf:

    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /etc/openldap/myca/servercert.pem
    TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
    TLSCACertificateFile /etc/openldap/myca/cacert.pem
    TLSVerifyClient demand

Here is my ldap.conf:

    TLS_CACERT /etc/openldap/myca/cacert.pem
    TLS_CERT /etc/openldap/myca/servercert.pem
    TLS_KEY /etc/openldap/myca/serverkey.pem
    TLS_REQCERT allow

Please note I have a self-signed certificate.
Thanks
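For reference, here is the pair of TLS sections the thread converges on, with the settings a security reviewer would change. This is an added example, not a file from the thread or from OpenLDAP; the paths follow the thread's /etc/openldap/myca layout, and TLSProtocolMin / TLS_PROTOCOL_MIN are assumed to be supported by the slapd and libldap builds in use. The points it encodes: `TLSVerifyClient demand` makes slapd close the connection when the client presents no CA-signed certificate (the "peer did not return a certificate" trace above), while `never` is correct for encryption-only setups; `TLS_REQCERT allow` on the client side ignores a server certificate that fails validation, so it gives encryption without server authentication, and `demand` is the value that actually ties the server to cacert.pem; and the cipher strings in the thread enable SSLv2/SSLv3, export-grade and LOW suites, which are not considered safe today.

```conf
# --- slapd.conf, TLS section: encryption only (added example, not from the thread) ---
TLSCACertificateFile  /etc/openldap/myca/cacert.pem
TLSCertificateFile    /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
# never: do not ask the client for a certificate. Switch to "demand" only once
# every client has its own CA-signed client certificate (not the server's).
TLSVerifyClient never
# Exclude anonymous, export and LOW suites, RC4 and 3DES; SSLv2/SSLv3 are not
# re-enabled with "+SSLv2"/"+SSLv3" as in the thread.
TLSCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!3DES
# Assumed supported by this slapd build: refuse anything below TLS 1.2.
TLSProtocolMin 3.3

# --- /etc/openldap/ldap.conf, system-wide client defaults ---
TLS_CACERT /etc/openldap/myca/cacert.pem
# demand: fail StartTLS if the server certificate does not validate against
# TLS_CACERT. "allow" would silently proceed on a bad certificate.
TLS_REQCERT demand
TLS_CIPHER_SUITE HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!3DES
# Assumed supported by this libldap build.
TLS_PROTOCOL_MIN 3.3

# --- ~/.ldaprc, per user, only when slapd runs "TLSVerifyClient demand" ---
# TLS_CERT and TLS_KEY are user-only options in ldap.conf(5): they are ignored
# in the system-wide ldap.conf and must live in the user's own .ldaprc.
# Hypothetical paths; the client cert is issued by the same CA as the server's.
TLS_CERT /home/joydeep/.ldap/clientcert.pem
TLS_KEY  /home/joydeep/.ldap/clientkey.pem
```

With the first two sections in place, `ldapsearch -x -ZZ` should succeed and the slapd log should show `STARTTLS` followed by `RESULT oid= err=0` with no `TLS negotiation failure`. Only after that is it worth flipping `TLSVerifyClient` to `demand` and adding the third section to each user's `.ldaprc`.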