I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert?
Just to see if I could make any form of client cert authentication work, I took a test-bed instance of OpenLDAP and added this line to slapd.conf: TLSVerifyClient allow
Then I created a self-signed ssl cert, converted it to a .der binary file, then added it to an LDAP record's userCertificate attribute with this:
dn: <my-dn> changetype: modify add: userCertificate;binary userCertificate;binary:< file:///tmp/ldapclient.bin
Then I found my ldap client of choice doesn't seem to have an option to authenticate via client certs, and didn't see any command line options for ldapsearch for specifying a client ssl cert/key pair. So I edited ~/.ldaprc and added:
BINDDN <my-dn> TLS_REQCERT demand TLS_CERT /tmp/ldapclient.crt TLS_KEY /tmp/ldapclient.key
But when I run ldapsearch -x with no -D and -W options, it's clearly still just binding anonymously. When I run ldapsearch -x with a -D and no -W option it says I can't bind without a password. :-) So... I'm clearly missing something here.
How do I get ldapsearch to try to authenticate with the SSL cert? Or is it possibly trying but failing because slapd can't validate the self-signed client cert I made? It's definitely finding and using my .ldaprc file because I can change BASE, PORT, and HOST settings in there and don't have to specify 'em on the command line afterwards, but as near as I can tell it's not using the client cert.