c0re <nr1c0re@gmail.com> writes:
Hello everyone!
[...]
So I add to slapd.conf
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap.server.ru.crt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.server.ru.key.pem
TLSCACertificateFile /usr/local/etc/openldap/ssl/rootcrt.pem
In nss_ldap and ldap.conf I add the following:
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/ssl-client/rootcrt.pem
I start slapd with debugging:
[...]
And slapd debug:
slap_listener_activate(7):
slap_listener(ldap:///)
[...]
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You probably have configured slapd to require client verification, but the client doesn't provide a valid certificate.
[...]
-Dieter
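As an added example that is not part of the thread, a small Python checker that reads a slapd -d TLS trace and reports what the handshake actually tells the administrator: whether the server reached "write finished" (the session was established), whether it ever sent a CertificateRequest, and what result code the "unable to get TLS client DN" line carries. It encodes two assumptions of mine: that error=49 is LDAP's invalidCredentials result code, which slapd reports when it cannot derive a bind DN from a peer certificate (for instance because none was presented), and that the "error in SSLv3 read client certificate A" states are non-blocking waits rather than failures, since the same trace goes on to complete the handshake. The sample trace is the one from the post, split one message per line; the function names and verdict strings are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the slapd -d trace quoted in the thread, one message per line.
SAMPLE_TRACE = """\
slap_listener_activate(7):
slap_listener(ldap:///)
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
"""

# LDAP result codes this check cares about (RFC 4511, section 4.1.9).
LDAP_RESULT_NAMES = {0: "success", 49: "invalidCredentials"}

TRACE_RE = re.compile(r"TLS trace: SSL_accept:(?P<state>.+?)\s*$")
CLIENT_DN_RE = re.compile(
    r"unable to get TLS client DN, error=(?P<code>\d+) id=(?P<cid>\d+)")


@dataclass
class HandshakeReport:
    states: List[str] = field(default_factory=list)
    handshake_completed: bool = False    # server reached "write finished"
    client_cert_requested: bool = False  # server sent a CertificateRequest
    client_dn_error: Optional[int] = None
    connection_id: Optional[str] = None


def analyze(trace: str) -> HandshakeReport:
    """Walk a slapd TLS trace and summarise what the handshake shows."""
    report = HandshakeReport()
    for line in trace.splitlines():
        m = TRACE_RE.search(line)
        if m:
            state = m.group("state")
            report.states.append(state)
            # OpenSSL prints the state it is in; "error in ..." lines during a
            # non-blocking accept are waits for the peer's next message, so a
            # later "write finished" means the handshake did succeed (assumption).
            if state.endswith("write finished A"):
                report.handshake_completed = True
            if "write certificate request" in state:
                report.client_cert_requested = True
            continue
        m = CLIENT_DN_RE.search(line)
        if m:
            report.client_dn_error = int(m.group("code"))
            report.connection_id = m.group("cid")
    return report


def verdict(report: HandshakeReport) -> str:
    """Turn the report into the short diagnosis an administrator needs."""
    if not report.handshake_completed:
        return "tls-handshake-failed"
    if report.client_dn_error is None:
        return "tls-ok-client-dn-available"
    name = LDAP_RESULT_NAMES.get(report.client_dn_error, "unknown")
    if report.client_dn_error == 49 and not report.client_cert_requested:
        # No client DN because no certificate was presented, and the trace
        # shows the server never asked for one: expected unless certificate
        # based authentication was intended.
        return "tls-ok-no-client-cert-requested (error 49 = %s)" % name
    if report.client_dn_error == 49:
        return "tls-ok-client-cert-requested-but-no-usable-cert (error 49 = %s)" % name
    return "tls-ok-client-dn-error-%d-%s" % (report.client_dn_error, name)


if __name__ == "__main__":
    r = analyze(SAMPLE_TRACE)
    print("connection", r.connection_id, "->", verdict(r))
```

On the server side, slapd's TLSVerifyClient directive (never, allow, try, demand) decides whether a missing or unverifiable client certificate is fatal; only with demand must the client present one, and then the client needs its own certificate and key configured (TLS_CERT and TLS_KEY in OpenLDAP's ldap.conf(5)) rather than just the CA file used to verify the server.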