It seems that this special configuration is not possible. Trying to set the key will always result in
TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
The ldap code has to be adjusted to use a key or certificate from a configured pkcs#11 keystore.
Is there another way to accomplish that?
On Monday, 17 June 2013 15:48:13, Dan White wrote:
On 06/17/13 10:26 +0200, Stefan Scheidewig wrote:
Hello,
we have two LDAP instances. LDAP A acts as proxy for LDAP B using the ldap-backend. Now we configured LDAP B to use client authentication. We successfully established a connection to LDAP B using OpenSSL s_client and the PKCS#11 engine (OpenSSL engine library). Now we want the LDAP proxy to establish the connection using this pkcs11 engine (we compiled the ldap proxy to use OpenSSL as TLS implementation). Is there a possibility to tell the LDAP proxy to use the certificate and key from the smartcard (e.g. something like pkcs11:slot_1-id_42)?
I don't know. However, you could try to set tls_key=slot_1-id_42, but since OpenLDAP does not provide a configurable engine selection (to my knowledge), you'd need to find some way to set the engine to pkcs11, perhaps with an environment variable or via a default config option in /etc/openssl/, or via some openssl compile option.
-- Kind regards,
Stefan Scheidewig
T-Systems Multimedia Solutions GmbH, BU Content & Collaboration Solution, PF 54 Integrated Content Portals. Dipl.-Inf. Stefan Scheidewig, Software developer. Street address: Riesaer Str. 5, 01129 Dresden, Germany. Postal address: Postfach 10 02 24, 01072 Dresden, Germany. +49 351 2820 2924 (Tel), +49 351 2820 5118 (Fax), Stefan.Scheidewig@t-systems.com (E-Mail), Internet: http://www.t-systems-mms.com
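Dan's suggestion of a "default config option" refers to loading the PKCS#11 engine through the OpenSSL configuration file, which OpenSSL reads from `OPENSSL_CONF` (or its compiled-in default path) when an application calls `OPENSSL_config()`. The fragment below is an added example of such a file, not part of the thread and not OpenLDAP's own configuration; the engine library paths and the `slot_1-id_42` key identifier are assumptions taken from typical engine_pkcs11/OpenSC installs and from the thread itself and must be adjusted to the local system.

```ini
# openssl-pkcs11.cnf (example, constructed for this thread; adjust paths locally)
# Point OpenSSL at it with:  OPENSSL_CONF=/etc/openssl/openssl-pkcs11.cnf
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# engine_pkcs11 from the libp11 project (assumed path)
engine_id   = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# The PKCS#11 provider module for the smartcard, here OpenSC (assumed path)
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# 0 = load the engine on demand rather than initialising it at config time
init = 0
```

With that file in place, the same check Stefan ran by hand confirms the engine and key are reachable before touching slapd: `OPENSSL_CONF=/etc/openssl/openssl-pkcs11.cnf openssl s_client -engine pkcs11 -keyform engine -key slot_1-id_42 -cert client.pem -connect ldap-b.example:636` (hostname and certificate file are placeholders). Note the limitation the thread documents: libldap hands `tls_key` to `SSL_CTX_use_PrivateKey_file`, which opens a path on disk, so loading the engine this way makes it available to the process but does not by itself make back-ldap fetch the key from the token; the `fopen: No such file or directory` errors quoted above are exactly that file open failing.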