Hello,
I have a problem connecting the Solaris 10 native LDAP client to an OpenLDAP server (slapd 2.4.11) with TLS.
The replication from server ldap01 to ldap02 works fine with TLS, so I think the problem must be on the client side (Solaris 10 native LDAP client, latest patchset). Without TLS it works.
Maybe someone can give me a hint.

---( slapd - debug )---
slap_listener(ldaps:///)
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_closing: readying conn=207 sd=11 for close
connection_close: conn=207 sd=11
---( slapd.conf - tls part )---
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /opt/openldap/var/openldap-data/ca-cert.pem
TLSCertificateFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch.pem
TLSCertificateKeyFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch
TLSVerifyClient never
---( solaris 10 - client )---
# import the ca-cert
certutil -N -d /var/ldap
certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/
# import ldap-server certs
certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem
certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem
# list cert-db
certutil -L -d /var/ldap
ca-cert                 CT,,
ldap02.kleinfeld.ch     C,,
ldap01.kleinfeld.ch     C,,
# initialize ldap-client
ldapclient manual -v \
  -a credentialLevel=proxy \
  -a authenticationMethod=tls:simple \
  -a serviceAuthenticationMethod=pam_ldap:tls:simple \
  -a proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch \
  -a proxyPassword=xxxxxxxxxxxx \
  -a defaultsearchbase=ou=unix,o=kleinfeld,c=ch \
  -a defaultServerList="ldap01.kleinfeld.ch ldap02.kleinfeld.ch" \
  -a certificatePath=/var/ldap \
  -a domainName=kleinfeld.ch \
  -a attributeMap=passwd:gecos=cn \
  -a objectClassMap=group:posixGroup=posixGroup \
  -a objectClassMap=passwd:posixAccount=posixAccount \
  -a objectClassMap=shadow:shadowAccount=shadowAccount \
  -a serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one \
  -a serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one \
  -a serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
# output from ldapclient
Parsing credentialLevel=proxy
Parsing authenticationMethod=tls:simple
Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
Parsing proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
Parsing proxyPassword=UnIXpRoXY
Parsing defaultsearchbase=ou=unix,o=kleinfeld,c=ch
Parsing defaultServerList=ldap01.kleinfeld.ch
Parsing certificatePath=/var/ldap
Parsing domainName=kleinfeld.ch
Parsing attributeMap=passwd:gecos=cn
Parsing objectClassMap=group:posixGroup=posixGroup
Parsing objectClassMap=passwd:posixAccount=posixAccount
Parsing objectClassMap=shadow:shadowAccount=shadowAccount
Parsing serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one
Parsing serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one
Parsing serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
Arguments parsed:
Handling manual option
Proxy DN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
Proxy password: {NS1}xxxxxxxxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "kleinfeld.ch"
file_backup: stat(/var/yp/binding/kleinfeld.ch)=-1
file_backup: No /var/yp/binding/kleinfeld.ch directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname kleinfeld.ch... success
start: sleep 100000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
authenticationMethod: tls:simple
serviceAuthenticationMethod: arg[0]: pam_ldap:tls:simple
defaultSearchBase: ou=unix,o=kleinfeld,c=ch
credentialLevel: proxy
domainName: kleinfeld.ch
proxyDN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
objectclassMap: arg[0]: group:posixGroup=posixGroup
                arg[1]: passwd:posixAccount=posixAccount
                arg[2]: shadow:shadowAccount=shadowAccount
attributeMap: arg[0]: passwd:gecos=cn
serviceSearchDescriptor: arg[0]: passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one
                         arg[1]: group:ou=groups,ou=unix,o=kleinfeld,c=ch?one
                         arg[2]: netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
proxyPassword: xxxxxxxxxxxxx
defaultServerList: ldap01.kleinfeld.ch
certificatePath: /var/ldap
Thanks in advance,
John
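The decisive line in the slapd trace is "SSL3 alert read:fatal:bad certificate": "read" means slapd received the alert from the peer, after it had already written its own certificate and server done, so it is the Solaris client that rejected the server certificate, not slapd rejecting a client certificate. The following is an added example, not code from John's post or from OpenLDAP: it parses an SSL_accept trace in this format and reports which side aborted and how far the handshake got; the trace string is copied from the post, and the follow-up questions in diagnose() are my own suggestion of what to check next.

```python
import re

# Constructed sample: the SSL_accept trace from the slapd -d output in the post above,
# as the single run-together string the mailing-list archive turned it into.
SLAPD_TRACE = (
    "TLS trace: SSL_accept:before/accept initialization "
    "TLS trace: SSL_accept:SSLv3 read client hello A "
    "TLS trace: SSL_accept:SSLv3 write server hello A "
    "TLS trace: SSL_accept:SSLv3 write certificate A "
    "TLS trace: SSL_accept:SSLv3 write server done A "
    "TLS trace: SSL_accept:SSLv3 flush data "
    "TLS trace: SSL_accept:error in SSLv3 read client certificate A "
    "TLS trace: SSL3 alert read:fatal:bad certificate "
    "TLS trace: SSL_accept:failed in SSLv3 read client certificate A "
    "TLS: can't accept."
)

# Handshake messages slapd completed ("... A" marks a finished state); lines that
# start with "error in" or "failed in" deliberately do not match.
STEP_RE = re.compile(r"SSL_accept:SSLv3 (read|write) ([a-z ]+?) A\b")
# An alert record: "read" means it arrived from the peer, "write" means slapd sent it.
ALERT_RE = re.compile(r"SSL3 alert (read|write):(\w+):([a-z ]+)")

def analyse_handshake(trace):
    """Summarise who aborted the handshake and how far slapd got before that."""
    steps = STEP_RE.findall(trace)
    sent = [msg for direction, msg in steps if direction == "write"]
    received = [msg for direction, msg in steps if direction == "read"]
    alert = ALERT_RE.search(trace)
    if alert is None:
        return {"sent": sent, "received": received, "alert": None, "aborted_by": None}
    direction, level, description = alert.groups()
    aborted_by = "client" if direction == "read" else "server"
    return {"sent": sent, "received": received,
            "alert": (level, description.strip()), "aborted_by": aborted_by}

def diagnose(summary):
    """Turn the summary into the first thing a defender should check (my suggestion)."""
    if summary["alert"] is None:
        return "handshake not aborted by an alert; look elsewhere (timeouts, cipher mismatch)"
    if summary["aborted_by"] == "client" and "certificate" in summary["sent"]:
        return ("client rejected the server certificate: verify on the client that the "
                "chain validates against the trusted CA and the hostname matches the cert")
    if summary["aborted_by"] == "server":
        return "slapd rejected what the client sent: check TLSVerifyClient and the client cert"
    return "client alerted before the server certificate was sent: check protocol/ciphers"

if __name__ == "__main__":
    print(diagnose(analyse_handshake(SLAPD_TRACE)))
```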