Hello,
I have a problem connecting the Solaris 10 native LDAP client to an
OpenLDAP server (slapd 2.4.11) with TLS.
The replication from server ldap01 to ldap02 works fine with
TLS, so I think the problem must be on the client side
(Solaris 10 native LDAP client, latest patch set).
Without TLS it works.
Maybe someone can give me a hint.
-(slapd - debug)---
>>> slap_listener(ldaps:///)
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_closing: readying conn=207 sd=11 for close
connection_close: conn=207 sd=11
-( slapd.conf - tls part)---
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /opt/openldap/var/openldap-data/ca-cert.pem
TLSCertificateFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch.pem
TLSCertificateKeyFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch
TLSVerifyClient never
-( solaris 10 - client )----
# import the ca-cert
certutil -N -d /var/ldap
certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/
# import ldap-server certs
certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem
certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem
# list cert-db
certutil -L -d /var/ldap
ca-cert CT,,
ldap02.kleinfeld.ch C,,
ldap01.kleinfeld.ch C,,
# initialize ldap-client
ldapclient manual -v \
-a credentialLevel=proxy \
-a authenticationMethod=tls:simple \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch \
-a proxyPassword=xxxxxxxxxxxx \
-a defaultsearchbase=ou=unix,o=kleinfeld,c=ch \
-a defaultServerList="ldap01.kleinfeld.ch ldap02.kleinfeld.ch" \
-a certificatePath=/var/ldap \
-a domainName=kleinfeld.ch \
-a attributeMap=passwd:gecos=cn \
-a objectClassMap=group:posixGroup=posixGroup \
-a objectClassMap=passwd:posixAccount=posixAccount \
-a objectClassMap=shadow:shadowAccount=shadowAccount \
-a serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one \
-a serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one \
-a serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
# output from ldapclient
Parsing credentialLevel=proxy
Parsing authenticationMethod=tls:simple
Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
Parsing proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
Parsing proxyPassword=xxxxxxxxxxxx
Parsing defaultsearchbase=ou=unix,o=kleinfeld,c=ch
Parsing defaultServerList=ldap01.kleinfeld.ch
Parsing certificatePath=/var/ldap
Parsing domainName=kleinfeld.ch
Parsing attributeMap=passwd:gecos=cn
Parsing objectClassMap=group:posixGroup=posixGroup
Parsing objectClassMap=passwd:posixAccount=posixAccount
Parsing objectClassMap=shadow:shadowAccount=shadowAccount
Parsing serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one
Parsing serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one
Parsing serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
Arguments parsed:
Handling manual option
Proxy DN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
Proxy password: {NS1}xxxxxxxxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "kleinfeld.ch"
file_backup: stat(/var/yp/binding/kleinfeld.ch)=-1
file_backup: No /var/yp/binding/kleinfeld.ch directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname kleinfeld.ch... success
start: sleep 100000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
authenticationMethod: tls:simple
serviceAuthenticationMethod:
arg[0]: pam_ldap:tls:simple
defaultSearchBase: ou=unix,o=kleinfeld,c=ch
credentialLevel: proxy
domainName: kleinfeld.ch
proxyDN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
objectclassMap:
arg[0]: group:posixGroup=posixGroup
arg[1]: passwd:posixAccount=posixAccount
arg[2]: shadow:shadowAccount=shadowAccount
attributeMap:
arg[0]: passwd:gecos=cn
serviceSearchDescriptor:
arg[0]: passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one
arg[1]: group:ou=groups,ou=unix,o=kleinfeld,c=ch?one
arg[2]: netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
proxyPassword: xxxxxxxxxxxxx
defaultServerList: ldap01.kleinfeld.ch
certificatePath: /var/ldap
Thanks in advance,
John
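Reading the slapd trace at the top of the post depends on two conventions of the OpenSSL trace that slapd relays: an "error in <state>" line is only a non-blocking read waiting for the peer's next message (not a failure), and "SSL3 alert read" means slapd *received* the alert from the peer, while "alert write" means slapd sent it. The script below is an added example, not code from the original post or from OpenLDAP: it parses such a trace, unpacks the packed OpenSSL error code (lib/func/reason, where reasons 1000+N encode a received TLS alert N), and states which side rejected what. The first sample trace is the TLS lines of the post's log; the second, in which the server writes the alert, is constructed for contrast. Alert numbers follow RFC 5246 section 7.2.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# TLS alert descriptions (RFC 5246, section 7.2) with the text OpenSSL prints.
ALERT_DESCRIPTIONS = {
    40: "handshake failure", 42: "bad certificate", 43: "unsupported certificate",
    44: "certificate revoked", 45: "certificate expired", 46: "certificate unknown",
    48: "unknown ca", 51: "decrypt error", 70: "protocol version",
}
ALERT_BY_DESCRIPTION = {v: k for k, v in ALERT_DESCRIPTIONS.items()}

# Meaning of the certificate-related alerts when the peer sends one right after
# receiving our Certificate message (meanings per RFC 5246; the NSS remark is
# how NSS-based clients such as the Solaris native client map their errors).
CERT_ALERT_HINTS = {
    42: "certificate rejected as bad (NSS-based clients send this for a "
        "hostname/CN mismatch and for inadequate key usage, among others)",
    45: "certificate expired or not yet valid (check both clocks)",
    46: "certificate could not be processed, unspecified reason",
    48: "issuing CA not found or not trusted by the peer",
}

# Constructed sample: the TLS-relevant lines of the slapd trace in the post.
CLIENT_REJECTS_SERVER_CERT = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
"""

# Constructed contrast case (not from the post): the server itself aborts,
# which shows up as an alert *write* instead of an alert *read*.
SERVER_REJECTS_CLIENT = """\
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:failed in SSLv3 read client certificate B
TLS: can't accept.
"""

STATE_RE = re.compile(r"TLS trace: SSL_accept:(error in |failed in )?(.+)$")
ALERT_RE = re.compile(r"TLS trace: SSL3 alert (read|write):(\w+):(.+)$")
ERRCODE_RE = re.compile(r"TLS: error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code_hex: str) -> Tuple[int, int, int, Optional[int]]:
    """Unpack an OpenSSL error code (lib << 24 | func << 12 | reason).
    Reasons 1000..1255 are SSL_AD_REASON_OFFSET + alert number and mean "the
    peer sent us this alert": 0x14094412 -> lib 20 (ERR_LIB_SSL), func 148
    (SSL3_READ_BYTES), reason 1042 -> received alert 42 (bad certificate)."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - 1000 if 1000 <= reason < 1256 else None
    return lib, func, reason, alert


@dataclass
class HandshakeDiagnosis:
    last_state: Optional[str] = None        # last SSL_accept state reached
    failed: bool = False                    # "failed in" or "can't accept" seen
    server_sent_certificate: bool = False   # slapd got as far as sending its cert
    alert_direction: Optional[str] = None   # "read" = from peer, "write" = by slapd
    alert_level: Optional[str] = None
    alert_description: Optional[str] = None
    alert_code: Optional[int] = None

    def verdict(self) -> str:
        where = f"while slapd was in '{self.last_state}'"
        if not self.failed:
            return "handshake did not fail in this trace"
        if self.alert_direction == "read":
            hint = CERT_ALERT_HINTS.get(self.alert_code)
            if self.server_sent_certificate and hint:
                return (f"client rejected the server's certificate: fatal alert "
                        f"'{self.alert_description}' ({self.alert_code}) {where}; {hint}")
            return f"client aborted: alert '{self.alert_description}' ({self.alert_code}) {where}"
        if self.alert_direction == "write":
            return f"server rejected the client: sent alert '{self.alert_description}' ({self.alert_code}) {where}"
        return f"handshake failed {where} without a TLS alert (connection dropped?)"


def triage_slapd_tls_trace(trace: str) -> HandshakeDiagnosis:
    """Single pass over the trace. 'error in <state>' is only a non-blocking
    read waiting for the peer, so failure is taken from 'failed in' lines."""
    d = HandshakeDiagnosis()
    for line in trace.splitlines():
        line = line.strip()
        if m := STATE_RE.match(line):
            prefix, state = m.groups()
            d.last_state = state
            d.failed |= prefix == "failed in "
            d.server_sent_certificate |= state == "SSLv3 write certificate A"
        elif m := ALERT_RE.match(line):
            d.alert_direction, d.alert_level, d.alert_description = m.groups()
            d.alert_code = d.alert_code or ALERT_BY_DESCRIPTION.get(d.alert_description)
        elif m := ERRCODE_RE.match(line):
            d.alert_code = decode_openssl_error(m.group(1))[3] or d.alert_code
        elif line.startswith("TLS: can't accept"):
            d.failed = True
    return d


if __name__ == "__main__":
    for name, trace in (("post", CLIENT_REJECTS_SERVER_CERT), ("contrast", SERVER_REJECTS_CLIENT)):
        print(f"{name}: {triage_slapd_tls_trace(trace).verdict()}")
```

Run on the post's trace, the verdict is that the Solaris client sent fatal alert 42 immediately after slapd's Certificate and ServerHelloDone, so slapd never saw the proxy bind; with `TLSVerifyClient never` the "read client certificate" state is simply where slapd waits for the client's next flight, not a request for a client certificate. What to inspect is therefore the server certificate as the Solaris NSS database sees it: that it chains to the CA imported with `certutil -A -t CT`, and that the name the client connects to (`ldap01.kleinfeld.ch` from `defaultServerList`) matches the name in the certificate.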