On Aug 25, 2007, at 2:49 PM, Howard Chu wrote:
Frank Cornelissen wrote:
Hello all, why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on debian (package 2.3.30-5 to be precise). When connecting with ssl to slapd using

ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x

I get the following error from slapd (started with -d 8):

TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455

When connecting to the same host but with the ldap protocol (vs ldaps) the search returns results correctly. This error seems like somehow slapd wants to get a client certificate, but I did not set slapd up that way. The ldap.conf on the client machines only contains the CA certificate field:

TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt

relevant parts from slapd.conf (included in total at the end of message):

TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACertificateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none
Uncomment the "TLSVerifyClient never" directive here to work around this problem.
No, that didn't work. The problem is a bad interaction between libnss_ldap and slapd, which share the same ldap connection context (same process). libnss-ldap does (rightfully) want to check the certificate of the server, and sets this option when it is activated. That happens after the slapd.conf is read. My solution for now is to run slapd in a chroot jail which does not reference nss-ldap, so this problem does not occur.
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Frank Cornelissen
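An added diagnostic, not code from the thread or from the OpenLDAP project: the explanation Frank gives predicts three things you can observe on the host, and the script below checks each of them. libnss_ldap should be mapped into the slapd process (visible in /proc/<pid>/maps), nsswitch.conf should be routing passwd/group/shadow through the ldap module (which is what pulls libnss_ldap into slapd when it resolves the user it runs as), and the server should be sending a TLS CertificateRequest during the handshake, which "openssl s_client -state" logs as "read server certificate request". Note that TLSVerifyClient defaults to never, so uncommenting it cannot change anything; a slapd that demands a client certificate anyway is getting the setting from somewhere other than slapd.conf, which is the point of Frank's diagnosis. The host name artemis.t310.org is taken from the thread; all sample files (maps excerpt, nsswitch.conf, handshake transcript) are constructed so the script runs offline.

```shell
#!/bin/sh
# Added diagnostic for the slapd / libnss_ldap interaction described in the thread.
# Not code from the thread or from OpenLDAP; the sample files below are constructed.

# Symptom 1: libnss_ldap is mapped into the slapd process.
# Real use: slapd_has_nss_ldap "/proc/$(pidof slapd)/maps"
slapd_has_nss_ldap() {
    grep -q 'libnss_ldap' "$1"
}

# Symptom 2: nsswitch.conf routes passwd/group/shadow through the ldap module,
# so slapd's own user/group lookups at startup load libnss_ldap into the process.
# Comments are stripped first so a commented-out "ldap" does not count.
nsswitch_uses_ldap() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*(passwd|group|shadow):.*[[:space:]]ldap([[:space:]]|$)'
}

# Symptom 3: the server sends a TLS CertificateRequest, i.e. it asks the client
# for a certificate. "openssl s_client -state" logs that handshake step as
# "read server certificate request"; this checks a saved transcript of it.
# Real use: openssl s_client -state -connect artemis.t310.org:636 </dev/null >transcript 2>&1
server_requests_client_cert() {
    grep -q 'read server certificate request' "$1"
}

# Returns 0 only when all three symptoms are present, i.e. when the explanation
# from the thread (nss_ldap's TLS settings leaking into slapd's listener) fits.
diagnose() {
    hits=0
    if slapd_has_nss_ldap "$1"; then
        echo "slapd has libnss_ldap mapped"
        hits=$((hits + 1))
    fi
    if nsswitch_uses_ldap "$2"; then
        echo "nsswitch.conf sends passwd/group/shadow to ldap"
        hits=$((hits + 1))
    fi
    if server_requests_client_cert "$3"; then
        echo "server asked for a client certificate"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 3 ]
}

# --- constructed sample inputs (not captured from a real system) ---
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

cat > "$SAMPLES/maps.bad" <<'EOF'
08048000-081c3000 r-xp 00000000 08:01 12345      /usr/sbin/slapd
b7c00000-b7c0a000 r-xp 00000000 08:01 67890      /lib/libnss_ldap.so.2
b7d00000-b7e5c000 r-xp 00000000 08:01 11111      /usr/lib/libldap_r-2.3.so.0
EOF
cat > "$SAMPLES/maps.good" <<'EOF'
08048000-081c3000 r-xp 00000000 08:01 12345      /usr/sbin/slapd
b7d00000-b7e5c000 r-xp 00000000 08:01 11111      /usr/lib/libldap_r-2.3.so.0
EOF

cat > "$SAMPLES/nsswitch.bad" <<'EOF'
# /etc/nsswitch.conf on the host running slapd
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF
cat > "$SAMPLES/nsswitch.good" <<'EOF'
passwd:         files   # ldap not consulted inside the chroot
group:          files
shadow:         files
hosts:          files dns
EOF

# Excerpt of what "openssl s_client -state" prints while the server demands a cert.
cat > "$SAMPLES/handshake.bad" <<'EOF'
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
EOF
cat > "$SAMPLES/handshake.good" <<'EOF'
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
EOF

diagnose "$SAMPLES/maps.bad" "$SAMPLES/nsswitch.bad" "$SAMPLES/handshake.bad" \
    && echo "=> nss_ldap is the likely reason slapd demands a client certificate"
```

On a live host, point the three functions at /proc/<pid>/maps of the running slapd, the real /etc/nsswitch.conf, and a saved transcript of openssl s_client -state against port 636. If all three hit, the problem is not in slapd.conf, and the workaround described in the thread (running slapd in a chroot that does not use nss-ldap, so the server's own lookups never load the module) is the one to try; re-run the handshake check afterwards to confirm the CertificateRequest is gone.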