Hi Eric
You need to be very careful with this. I ran into a similar problem some time ago and did not find an adequate solution.
As it stands, slapd does not check the server name on a client certificate, or client certificate chain. It only exposes the name to the access control rules. slapd will accept a connection from a client with ANY certificate signed by ANY CA in its list. As such, the safest way to operate is to have a single dedicated CA, probably slapo-autoca, that exclusively signs certificates for valid clients, and use the access control rules to limit what the client can see.
If you want something more generic than autoca, like client certificates signed by public CAs, I would HIGHLY recommend putting a proxy in front of slapd and using the proxy (I used haproxy) to validate certificates. Yes this is ugly and cumbersome, but I believe (controversially) it is necessary.
I did start work on a plugin to better handle this but ran out of time. It won't be happening now. In any case, SOME modification to the slapd core would be needed to be able to drop connections from clients that fail certificate validation. At the time, there was ferocious resistance to any suggestion of changing the core, so I wasn't terribly motivated.
As to WHY the certificates are user-only configuration options, I never found an explanation, but always assumed it was so unprivileged system users could not assume the identity of any system daemons or root. This COULD have been implemented in other ways but it is what it is, and not such a big deal.
Regards
Sean.
On 28/12/2024 3:18 am, Quanah Gibson-Mount wrote:
--On Friday, December 27, 2024 2:17 PM +0000 Eric M em.job35@gmail.com wrote:
I just want to perform an ldapsearch search with TLS mutual authentication. My backend requires mutual authentication because the parameter TLS_REQCERT is demanded. On my client server, I configured my LDAP.conf with its TLS parameters. An OpenSSL test is ok when I check and give all the certificate parameters in command line. But, with my search with ldapsearch, I notice an error "peer did not return certificate" with LDAP.conf configured.
Hi Eric,
You have two options:
a) Use a user specific .ldaprc file to set user specific TLS options
or
b) Use the -o command line switch for the client binaries as documented in the man page. Example also exists in test067-tls in the test suite.
Regards, Quanah
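Both of Quanah's options in one script, as an added example that is not part of the thread and not OpenLDAP's own code. It assumes an OpenLDAP 2.5+ client (where ldapsearch accepts the tls_* keywords via -o), placeholder certificate paths and a placeholder ldaps:// host, and that the directory maps the client certificate subject to an identity for SASL EXTERNAL; the search itself only runs when RUN_SEARCH=1 is set, so the script is safe to execute without a server.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. It shows the two ways
# to hand a client certificate and key to ldapsearch for TLS mutual
# authentication: a per-user .ldaprc and the -o command-line switches.
# All paths and the host below are placeholders.

CLIENT_CERT="${CLIENT_CERT:-/etc/ldap/client/cert.pem}"   # placeholder path
CLIENT_KEY="${CLIENT_KEY:-/etc/ldap/client/key.pem}"      # placeholder path
CA_CERT="${CA_CERT:-/etc/ldap/ca.pem}"                    # placeholder path
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"          # placeholder host

# Option a) per-user .ldaprc: emit the TLS settings from ldap.conf(5).
# TLS_CERT and TLS_KEY are user-only options, so they belong here (or in -o),
# not in the system-wide ldap.conf.
# Arguments: URI, CA file, client cert file, client key file.
ldaprc_mtls() {
    printf 'URI %s\nTLS_CACERT %s\nTLS_CERT %s\nTLS_KEY %s\nTLS_REQCERT demand\n' \
        "$1" "$2" "$3" "$4"
}

# Write the .ldaprc to a destination of the caller's choosing with 0600 mode,
# since the file names the private key.
# Arguments: destination file, URI, CA file, client cert file, client key file.
write_ldaprc() {
    dest=$1; shift
    umask 077
    ldaprc_mtls "$@" > "$dest"
}

# Option b) -o switches: build the same settings as ldapsearch arguments.
# Arguments: CA file, client cert file, client key file.
ldapsearch_mtls_opts() {
    printf '%s' "-o tls_cacert=$1 -o tls_cert=$2 -o tls_key=$3 -o tls_reqcert=demand"
}

# Query the root DSE over ldaps:// presenting the client certificate.
# -Y EXTERNAL asks slapd to derive the identity from the certificate, which
# is the name the access control rules see. Returns 127 without ldapsearch.
run_search() {
    command -v ldapsearch >/dev/null 2>&1 || {
        echo "ldapsearch not installed" >&2; return 127; }
    # shellcheck disable=SC2046  # intentional word splitting of the options
    ldapsearch -H "$LDAP_URI" \
        $(ldapsearch_mtls_opts "$CA_CERT" "$CLIENT_CERT" "$CLIENT_KEY") \
        -Y EXTERNAL -b "" -s base '(objectClass=*)' namingContexts
}

# Demonstration: write a sample .ldaprc into a temp dir (never the real
# ~/.ldaprc) and show the equivalent command-line form.
tmpdir=$(mktemp -d)
write_ldaprc "$tmpdir/ldaprc" "$LDAP_URI" "$CA_CERT" "$CLIENT_CERT" "$CLIENT_KEY"
echo "Option a) ~/.ldaprc contents:"; cat "$tmpdir/ldaprc"
echo "Option b) ldapsearch -H $LDAP_URI $(ldapsearch_mtls_opts "$CA_CERT" "$CLIENT_CERT" "$CLIENT_KEY") ..."
rm -rf "$tmpdir"

# Only contact a server when explicitly asked.
if [ "${RUN_SEARCH:-0}" = 1 ]; then
    run_search
fi
```

The client-side TLS_REQCERT only controls how strictly the client checks the server's certificate; whether the server demands a client certificate is slapd's TLSVerifyClient setting, so the "peer did not return certificate" error goes away once the client actually presents one via either option above.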