"Dieter Kluenter" <dieter(a)dkluenter.de> writes:
Hello,
Sebastian Reinhardt <snr(a)lmv-hartmannsdorf.de> writes:
> Dieter Kluenter wrote:
>> Hello Sebastian,
>>
>> Sebastian Reinhardt <snr(a)lmv-hartmannsdorf.de> writes:
>>
>>
>>> Dieter Kluenter wrote:
>>>
>>>> Hello Sebastian,
>>>>
>>>> Sebastian Reinhardt <snr(a)lmv-hartmannsdorf.de> writes:
>>>>
>>>>
>>>>
>>>>> Dieter Kluenter wrote:
>>>>>
>>>>>
>>>>>> Sebastian Reinhardt <snr(a)lmv-hartmannsdorf.de> writes:
[...]
>
> As I tried to perform "ldapsearch" with TLS enabled I got some output
> about "version trouble" of openldap server and client libraries. But now
> I solved this problem and I have configured "pam_ldap" again.
> The login with "TLSVerifyClient demand" (enabled in slapd.conf) works,
> but not with "tls_checkpeer yes" in "/etc/ldap.conf". If
> "tls_checkpeer" is "yes", the login is not possible (output:
> "Permissions on the password database may be too restrictive").
>
> The "strace -o /tmp/ldapsearch.txt ldapsearch -d 1 -x -ZZ -h
> 192.168.0.201 "(uid=*)" " is creating command line output:
[...]
> For strace output take a look at the attached file, please.
> I think that server and client do not communicate via TLS, or do they?
> And why can I login, but not search (with "tls_checkpeer no")?
Please check the output of
openssl x509 -in <server-key> -text | grep Subject
sorry, that should read
openssl x509 -in <server-certificate> -text | grep Subject
Compare the CN value of Subject with your -h value of ldapsearch and
the host configuration in /etc/ldap.conf.
-Ddieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
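The comparison Dieter asks for, as an added example that is not part of this thread: the name-matching rule a peer check applies to the server certificate, written in Python over a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns. It goes beyond a plain CN comparison by preferring subjectAltName entries and treating an IP literal such as the `-h 192.168.0.201` above as matchable only against an iPAddress SAN, never the CN; the sample certificates are constructed.

```python
import ipaddress

def _dns_name_match(pattern, host):
    """Match one certificate DNS name (possibly wildcarded) against a hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard must be the whole leftmost label, covers exactly one label,
    # and needs at least two fixed labels to its right ("*.com" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert, host):
    """Return True if `host` (the -h value or the host in /etc/ldap.conf)
    is a name the certificate was issued for. `cert` is shaped like the
    dict from ssl.SSLSocket.getpeercert()."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN entry; a CN never counts.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # When SAN DNS names exist, they take precedence and the CN is ignored.
        return any(_dns_name_match(p, host) for p in dns_names)
    # No SAN at all: fall back to the Subject commonName (legacy behaviour).
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_match(cn, host) for cn in cns)

# Constructed sample: CN and SAN name the server by hostname only.
CERT_HOSTNAME_ONLY = {
    "subject": ((("countryName", "DE"),), (("commonName", "ldap.example.com"),)),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}
# Constructed sample: same CN, but the SAN also carries the server's address.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.168.0.201")),
}

if __name__ == "__main__":
    for host in ("ldap.example.com", "192.168.0.201"):
        print(host, cert_matches_host(CERT_HOSTNAME_ONLY, host))
```

Connecting with `-h 192.168.0.201` to a server whose certificate only names `ldap.example.com` is exactly the case the first sample rejects, which is what a `tls_checkpeer yes` failure looks like from the client side.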