Hello Dieter,
IT WORKS - partially....
I have got it working from one client. The last problem was that I used host
names in the certificates and IPs in /etc/ldap.conf, because I read in the
comments of ldap.conf that the server must be resolvable without LDAP.
But I would like to use the server as a workstation, too. So I have
configured the client part (certificates and ldap.conf) the same as on the
"real" client PC, but I cannot perform a user login at kdm on the server.
The output of "slapd -d 3..." shows an error "TLS certificate
verification: Error, unable to get local issuer certificate". Why? I use
the same "cacert" and an own client cert which is created in the same way
as the client certs of the other client. Or should I use the server
certificate as the client one, too?
Here is the output during login (I cut some "hex" lines):
slap_listener_activate(8):
>> slap_listener(ldap://)
connection_get(24): got
connid=36
connection_read(24): checking for input on id=36
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=36 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 24
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(24): got connid=36
connection_read(24): checking for input on id=36
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 86 01 03 01 00 5d 00 00 00 20 ......]...
tls_read: want=125, got=125
0000: 00 00 39 00 00 38 00 00 35 00 00 88 00 00 87 00 ..9..8..5.......
0010: 00 84 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 ................
0020: 33 00 00 32 00 00 2f 00 00 45 00 00 44 00 00 41 3..2../..E..D..A
0030: 03 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 ................
0040: 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 .......@........
0050: 08 00 00 06 04 00 80 00 00 03 02 00 80 0b 27 96 ..............'.
0060: 15 ac 75 97 72 09 93 a8 cf f3 57 d9 a4 76 34 69 ..u.r.....W..v4i
0070: 0a a2 ae 9d cf d9 e4 10 c5 08 66 b9 26 ..........f.&
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1778, written=1778
0000: 16 03 01 00 4a 02 00 00 46 03 01 49 b0 67 40 b3 ....J...F..I.g@.
.
.
.
06f0: 00 00 ..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(24): got connid=36
connection_read(24): checking for input on id=36
tls_read: want=5, got=5
0000: 16 03 01 05 d4 .....
tls_read: want=1492, got=1492
0000: 0b 00 05 d0 00 05 cd 00 05 ca 30 82 05 c6 30 82 ..........0...0.
.
.
.
05d0: 59 d2 29 be Y.).
TLS certificate verification: depth: 0, err: 20, subject:
/C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und Service
GmbH/OU=Computer/CN=lmvws1/emailAddress=snr(a)lmv-hartmannsdorf.de,
issuer: /C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und
Service GmbH/OU=Computer/CN=Sebastian
Reinhardt/emailAddress=snr(a)lmv-hartmannsdorf.de
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned s3_srvr.c:2564
connection_read(24): TLS accept failure error=-1 id=36, closing
connection_closing: readying conn=36 sd=24 for close
connection_close: conn=36 sd=24
slap_listener_activate(8):
>> slap_listener(ldap://)
connection_get(24): got
connid=37
connection_read(24): checking for input on id=37
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=37 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 24
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(24): got connid=37
connection_read(24): checking for input on id=37
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 86 01 03 01 00 5d 00 00 00 20 ......]...
tls_read: want=125, got=125
0000: 00 00 39 00 00 38 00 00 35 00 00 88 00 00 87 00 ..9..8..5.......
.
.
.
0070: 89 48 20 a2 5a e3 8f 57 e0 e2 3e fa a5 .H .Z..W..>..
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1778, written=1778
0000: 16 03 01 00 4a 02 00 00 46 03 01 49 b0 67 40 c4 ....J...F..I.g@.
.
.
.
06f0: 00 00 ..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(24): got connid=37
connection_read(24): checking for input on id=37
tls_read: want=5, got=5
0000: 16 03 01 05 d4 .....
tls_read: want=1492, got=1492
0000: 0b 00 05 d0 00 05 cd 00 05 ca 30 82 05 c6 30 82 ..........0...0.
.
.
.
05d0: 59 d2 29 be Y.).
TLS certificate verification: depth: 0, err: 20, subject:
/C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und Service
GmbH/OU=Computer/CN=lmvws1/emailAddress=snr(a)lmv-hartmannsdorf.de,
issuer: /C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und
Service GmbH/OU=Computer/CN=Sebastian
Reinhardt/emailAddress=snr(a)lmv-hartmannsdorf.de
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned s3_srvr.c:2564
connection_read(24): TLS accept failure error=-1 id=37, closing
connection_closing: readying conn=37 sd=24 for close
connection_close: conn=37 sd=24
slap_listener_activate(8):
>> slap_listener(ldap://)
connection_get(24): got
connid=38
connection_read(24): checking for input on id=38
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=38 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 24
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(24): got connid=38
connection_read(24): checking for input on id=38
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 86 01 03 01 00 5d 00 00 00 20 ......]...
tls_read: want=125, got=125
0000: 00 00 39 00 00 38 00 00 35 00 00 88 00 00 87 00 ..9..8..5.......
.
.
.
0070: 10 6f b2 c4 c3 a4 52 ab 4b 08 0b d4 f5 .o....R.K....
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1778, written=1778
0000: 16 03 01 00 4a 02 00 00 46 03 01 49 b0 67 40 07 ....J...F..I.g@.
.
.
.
06f0: 00 00 ..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(24): got connid=38
connection_read(24): checking for input on id=38
tls_read: want=5, got=5
0000: 16 03 01 05 d4 .....
tls_read: want=1492, got=1492
0000: 0b 00 05 d0 00 05 cd 00 05 ca 30 82 05 c6 30 82 ..........0...0.
.
.
.
05d0: 59 d2 29 be Y.).
TLS certificate verification: depth: 0, err: 20, subject:
/C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und Service
GmbH/OU=Computer/CN=lmvws1/emailAddress=snr(a)lmv-hartmannsdorf.de,
issuer: /C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und
Service GmbH/OU=Computer/CN=Sebastian
Reinhardt/emailAddress=snr(a)lmv-hartmannsdorf.de
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned s3_srvr.c:2564
connection_read(24): TLS accept failure error=-1 id=38, closing
connection_closing: readying conn=38 sd=24 for close
connection_close: conn=38 sd=24
--
Kind regards
Sebastian Reinhardt
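The verification failure in the trace above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (err 20) reported at depth 0: slapd did receive the client certificate, but could not find the certificate of its issuer among the trust anchors it loaded, so it sent the "unknown CA" alert and closed the connection. When reading a long `slapd -d 3` trace, it helps to pull out exactly these records. The script below is an added example for this thread, not code from the poster or from OpenLDAP; it re-joins the DN lines that mail clients wrap, extracts each `TLS certificate verification: depth/err/subject/issuer` record, maps the OpenSSL verify code to its meaning, and lists the connection ids that were closed after a TLS accept failure. The log excerpt inside it is constructed to mirror the format of the posted output, with placeholder DNs; the remediation hints, including the reference to slapd's TLSCACertificateFile / TLSCACertificatePath directives, are the author's own interpretation of the OpenSSL codes.

```python
"""Parse 'slapd -d 3' TLS trace output and explain client-cert verification errors.

Added example for this thread (not the poster's or OpenLDAP's code).  SAMPLE_LOG
is a constructed excerpt in the same format as the posted trace, with placeholder
DNs; it is not real data.
"""
import re

# OpenSSL X509_V_ERR_* codes as printed by slapd in
# "TLS certificate verification: depth: N, err: E" records, with a hint on
# where to look.  The hints are the author's interpretation, not slapd output.
X509_VERIFY_ERRORS = {
    2: ("unable to get issuer certificate",
        "the issuer is neither in the server's CA store nor in the sent chain"),
    7: ("certificate signature failure",
        "the certificate was not signed by the key of the issuer in the CA store"),
    9: ("certificate is not yet valid", "check the clocks on client and server"),
    10: ("certificate has expired", "reissue the certificate"),
    18: ("self signed certificate",
         "the presented certificate is its own issuer and is not in the CA store"),
    19: ("self signed certificate in certificate chain",
         "the chain's root CA is not in the server's CA store"),
    20: ("unable to get local issuer certificate",
         "the server's CA store (TLSCACertificateFile / TLSCACertificatePath in "
         "slapd.conf) does not contain the CA that issued this certificate"),
    21: ("unable to verify the first certificate",
         "no issuer for the leaf certificate was found in the CA store"),
}

# A line that starts a new slapd record; anything else is a wrapped continuation.
RECORD_START = re.compile(
    r"^(TLS|tls_|ldap_|ber_|connection_|conn=|send_|slap_|>> |[0-9a-f]{4}: |\.$)")
VERIFY_RE = re.compile(
    r"^TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$")
CLOSE_RE = re.compile(
    r"^connection_read\(\d+\): TLS accept failure error=-?\d+ id=(?P<id>\d+)")


def join_wrapped_lines(text):
    """Re-join DN lines that a mail client wrapped onto the preceding record."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if records and not RECORD_START.match(line):
            records[-1] += " " + line.strip()
        else:
            records.append(line)
    return records


def dn_cn(dn):
    """Return the CN of an OpenSSL one-line DN such as /C=XX/O=Org/CN=name/..."""
    m = re.search(r"/CN=([^/]*)", dn)
    return m.group(1) if m else None


def parse_verification_events(text):
    """Return one dict per 'TLS certificate verification: depth/err' record."""
    events = []
    for rec in join_wrapped_lines(text):
        m = VERIFY_RE.match(rec)
        if not m:
            continue
        err = int(m.group("err"))
        reason, hint = X509_VERIFY_ERRORS.get(
            err, ("unknown X509_V_ERR code", "see the openssl verify(1) man page"))
        events.append({
            "depth": int(m.group("depth")), "err": err,
            "subject_cn": dn_cn(m.group("subject")),
            "issuer_cn": dn_cn(m.group("issuer")),
            "reason": reason, "hint": hint,
        })
    return events


def failed_connection_ids(text):
    """Connection ids slapd closed after a TLS accept failure."""
    ids = []
    for rec in join_wrapped_lines(text):
        m = CLOSE_RE.match(rec)
        if m:
            ids.append(m.group("id"))
    return ids


def diagnose(text):
    """Human-readable summary of the verification failures in a trace."""
    out = []
    for e in parse_verification_events(text):
        out.append(f"depth {e['depth']} cert CN={e['subject_cn']!r} issued by "
                   f"CN={e['issuer_cn']!r}: err {e['err']} ({e['reason']}); {e['hint']}")
    ids = failed_connection_ids(text)
    if ids:
        out.append(f"{len(ids)} connection(s) closed after TLS accept failure: "
                   + ", ".join(ids))
    return "\n".join(out)


# Constructed excerpt in the format of the posted slapd trace (placeholder DNs).
SAMPLE_LOG = """\
connection_read(24): checking for input on id=36
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS certificate verification: depth: 0, err: 20, subject:
/C=XX/ST=Example/O=Example Org/OU=Computer/CN=client-ws1/emailAddress=admin@example.invalid,
issuer: /C=XX/ST=Example/O=Example Org/OU=Computer/CN=Example Private
CA/emailAddress=admin@example.invalid
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't accept.
connection_read(24): TLS accept failure error=-1 id=36, closing
connection_close: conn=36 sd=24
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run it against a saved trace (`python3 slapd_tls_diag.py < trace.txt` after swapping SAMPLE_LOG for `sys.stdin.read()`) to get one line per rejected certificate naming the subject, the issuer slapd was looking for, and the verify code; an err 20 at depth 0 for a client certificate points at the server's CA store rather than at the client's certificate file.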