Hi there!
I have openldap 2.4.21. I configured it with ssl(ldaps) and "TLSVerifyClient demand".
On the client side, the file /etc/openldap/ldap.conf contains the following:

TLS_CACERT /etc/ssl/servercert.ca.crt
TLS_CERT /etc/openldap/client.crt
TLS_KEY /etc/openldap/client.key

But samba and the standard LDAP tools (e.g. ldapsearch) don't connect to the LDAP server:

TLS trace: SSL3 alert read: fatal: handshake failure
TLS trace: SSL_connect: failed in SSLv3 read finished A
TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
If you save the content of /etc/openldap/ldap.conf in ~/.ldaprc or use the variables $LDAP<uppercase option name>, then everything works fine. I assume that the options TLS_CERT and TLS_KEY aren't read from /etc/openldap/ldap.conf. Correspondingly, the server can not verify client certificates. But the manual says: "Thus the following files and variables are read, in order: variable $LDAPNOINIT, and if that is not set: system file /etc/openldap/ldap.conf, user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, system file $LDAPCONF, user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC, variables $LDAP<uppercase option name>. Settings late in the list override earlier ones."
Could you explain to me what is wrong?
Rogov Stepan wrote:
> Hi there!
> I have openldap 2.4.21. I configured it with ssl(ldaps) and "TLSVerifyClient demand".
> On the client side, the file /etc/openldap/ldap.conf contains the following:
>
> TLS_CACERT /etc/ssl/servercert.ca.crt
> TLS_CERT /etc/openldap/client.crt
> TLS_KEY /etc/openldap/client.key
>
> But samba and the standard LDAP tools (e.g. ldapsearch) don't connect to the LDAP server:
>
> TLS trace: SSL3 alert read: fatal: handshake failure
> TLS trace: SSL_connect: failed in SSLv3 read finished A
> TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> If you save the content of /etc/openldap/ldap.conf in ~/.ldaprc or use the variables $LDAP<uppercase option name>, then everything works fine. I assume that the options TLS_CERT and TLS_KEY aren't read from /etc/openldap/ldap.conf. Correspondingly, the server can not verify client certificates.
From man ldap.conf:
TLS_CERT <filename>
Specifies the file that contains the client certificate. *This is a user-only option.*

TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate stored in the TLS_CERT file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. *This is a user-only option.*
User-only options may not be configured in a system-wide config file.
Rogov Stepan rogov@promo.ru writes:
> Hi there!
> I have openldap 2.4.21. I configured it with ssl(ldaps) and "TLSVerifyClient demand".
> On the client side, the file /etc/openldap/ldap.conf contains the following:
>
> TLS_CACERT /etc/ssl/servercert.ca.crt
> TLS_CERT /etc/openldap/client.crt
> TLS_KEY /etc/openldap/client.key
>
> But samba and the standard LDAP tools (e.g. ldapsearch) don't connect to the LDAP server:
>
> TLS trace: SSL3 alert read: fatal: handshake failure
> TLS trace: SSL_connect: failed in SSLv3 read finished A
> TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> If you save the content of /etc/openldap/ldap.conf in ~/.ldaprc or use the variables $LDAP<uppercase option name>, then everything works fine. I assume that the options TLS_CERT and TLS_KEY aren't read from /etc/openldap/ldap.conf. Correspondingly, the server can not verify client certificates. But the manual says: "Thus the following files and variables are read, in order: variable $LDAPNOINIT, and if that is not set: system file /etc/openldap/ldap.conf, user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, system file $LDAPCONF, user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC, variables $LDAP<uppercase option name>. Settings late in the list override earlier ones."
If you read ldap.conf(5) carefully you will find:

Some options are user-only. Such options are ignored if present in the ldap.conf (or file specified by LDAPCONF).
And it is logical that TLS_CERT and TLS_KEY are not global configuration parameters but only user specific parameters.
-Dieter
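As an added example, not code from the thread or from OpenLDAP: a POSIX shell script that scans a client ldap.conf for the user-only options the two replies quote (TLS_CERT and TLS_KEY), refuses a system-wide file that contains them, and prints the two placements the manual's search order does honour, lines for ~/.ldaprc or LDAPTLS_CERT/LDAPTLS_KEY exports (the $LDAP<uppercase option name> form). It also checks that the key file, which ldap.conf(5) says cannot be password-protected, is readable by its owner only. The sample configuration is constructed from the original post; the list of user-only options is limited to the two the thread names, and the file and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the list thread and not OpenLDAP's own code).
# ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only: in the system-wide
# /etc/openldap/ldap.conf they are silently ignored, so the client never
# presents a certificate and a server with "TLSVerifyClient demand" rejects
# the handshake. These helpers find such lines and emit the two working
# forms: lines for ~/.ldaprc, or $LDAP<uppercase option name> exports.
# Option names are compared case-insensitively.

USER_ONLY_OPTIONS="TLS_CERT TLS_KEY"   # the user-only options quoted in the thread

# is_user_only OPTION -> exit status 0 if OPTION is user-only
is_user_only() {
    for opt in $USER_ONLY_OPTIONS; do
        [ "$opt" = "$1" ] && return 0
    done
    return 1
}

# user_only_lines FILE -> print the non-comment lines of FILE whose option
# would be ignored if FILE were the system-wide ldap.conf
user_only_lines() {
    f=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        key=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
        is_user_only "$key" && printf '%s\n' "$line"
    done < "$f"
    return 0
}

# env_exports FILE -> for each user-only line print the equivalent
# "export LDAP<OPTION>=<value>" line (e.g. LDAPTLS_KEY), the variable form
# the manual lists last in its search order
env_exports() {
    user_only_lines "$1" | while IFS= read -r line; do
        set -- $line
        key=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
        shift
        printf 'export LDAP%s=%s\n' "$key" "$*"
    done
    return 0
}

# check_system_conf FILE -> 0 if FILE is usable as a system-wide ldap.conf,
# 1 if it carries user-only options (listed on stderr) that clients will drop
check_system_conf() {
    found=$(user_only_lines "$1")
    if [ -n "$found" ]; then
        echo "WARNING: user-only options in $1 are ignored system-wide:" >&2
        printf '%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# key_is_private FILE -> 0 if FILE exists and group/other have no permission
# bits, the protection ldap.conf(5) asks for because TLS_KEY is unencrypted
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ]
}

# Demo on a constructed copy of the system-wide file from the original post.
demo() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
# constructed sample, same content as the poster's /etc/openldap/ldap.conf
TLS_CACERT /etc/ssl/servercert.ca.crt
TLS_CERT /etc/openldap/client.crt
TLS_KEY /etc/openldap/client.key
EOF
    if ! check_system_conf "$conf"; then
        echo "Put these lines in ~/.ldaprc of the user running the client:"
        user_only_lines "$conf"
        echo "or export them in that user's environment instead:"
        env_exports "$conf"
    fi
    rm -f "$conf"
}

demo
```

Run it as `sh check_ldaprc.sh`; the system-wide file from the post triggers the warning and the two suggested forms. Because the manual's search order reads the user files from $HOME, a client such as samba that runs as a daemon needs the ~/.ldaprc of the account it runs under, or the LDAPTLS_* variables in its environment, not a copy in the administrator's home directory.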
openldap-software@openldap.org