Windl, Ulrich wrote:
Hi!
Im trying to convert out rencreplc configurtation using plain authentication over TLS to external authentication using a user certificate.
It almost works, but slapd is reporting connection_read(11): TLS accept failure error=-1 id=1002, closing and conn=1002 fd=11 closed (TLS negotiation failure) while I can connect using the certificate and peer with openssl s_client
Run slapd with debug output, -d -1.
Openssl reports:
Nothing relevant.
Somehow I suspect that the certificate being a user certificate (DN mapped to a user entry) is not acceptable in syncrepls tls_cert; can anybody confirm?
No. Any certificate can be used, and if it is signed by a trusted CA then it is valid regardless of DN mapping.
The problem is that Id like to trust a user certificate more than a host certificate for replication.
And if Id use a host certificate, how could I authenticate the user being used to get the changes?
I looked a lot around using popular search engines, but could not find a useful example that is complete enough.
Let me remark at this point that the description of tls_reqsan is quite poor in {SLAPD-CONFIG(5); it was not obvious to me that i9s is about Subject Alternate Name.
sAN is the well known abbreviation of Subject Alternative Name. This is standard X.509 terminology.