Alright, it's clear.
The section in Debian's ldap.conf has the following content,
TLSCertificateKeyFile <filename>
Specifies the file that contains the slapd server private key that matches the certificate stored in the TLSCertificateFile file. Currently, the private key must not be protected with a password, so it is of critical importance that it is protected carefully.
When using Mozilla NSS, TLSCertificateKeyFile specifies the name of a file that contains the password for the key for the certificate specified with TLSCertificateFile.
The modutil command can be used to turn off password protection for the cert/key database. For example, if TLSCACertificatePath specifies /etc/openldap/certdb as the location of the cert/key database, use modutil to change the password to the empty string:
modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate DB'
You must have the old password, if any. Ignore the WARNING about the running browser. Press 'Enter' for the new password.
Reading this info I would not expect it to be invalid in ldap.conf, since it is not pointed out here.
Nevertheless I could have read further.
Howard Chu,
If you allow me to ask you something about gnutls directly, do you still stand behind the statement you made here,
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
I know it's out of date, but you said 'the code is fundamentally broken'.
I'm not knowledgeable about the internals of gnutls, but I am very curious whether you have changed your mind since then.
Best regards,
Etherape
On Mon, Apr 20, 2015 at 02:46:28PM -0500, Dan White wrote:
On 04/20/15 20:07 +0200, E.therepa wrote:
>Dear Tech list,
>
>I'd like to use CRLs to regulate client connections to my slapd server.
>So I've built working certs and keys with gnutls. The whole key setup is tested and working properly:
>by invoking gnutls-serv and gnutls-cli I could successfully create connections and drop clients in my revocation list.
>
>In order to use this in slapd/ldap utils I use these settings,
>
>slapd.conf,
>TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
>TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
>TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
>TLSCRLFile /etc/ldap/ssl/crl.pem
>TLSCipherSuite SECURE256:-VERS-SSL3.0
>TLSVerifyClient hard
>
>ldap.conf
># TLS certificates (needed for GnuTLS)
>TLS_CACERT /etc/ldap/ssl/ca-cert.pem
>TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
This is a user only option. See ldap.conf(5).
>TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
>TLS_REQCERT hard
>
>Slapd debug,
>55353d59 slapd starting
>55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636)
>TLS: can't accept: No certificate was found..
>55353d5b conn=1000 fd=16 closed (TLS negotiation failure)
>
>ldapsearch debug,
>ldap_start_tls: Can't contact LDAP server (-1)
>ldap_free_connection 1 1
>ldap_send_unbind
>ber_flush2: 7 bytes to sd 4
> 0000: 30 05 02 01 02 42 00 0....B.
>ldap_write: want=7 error=Broken pipe
>ldap_free_connection: actually freed
>
>
>As far as I can see and from the info I found, my client and server's TLS settings are configured properly.
>What I really don't get is that the client doesn't send its certs to the server.
--
Dan White
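As an added example (not part of the thread, and not OpenLDAP's own tooling), the following Python script applies the two points raised above to a constructed ldap.conf sample: it flags TLS_CERT and TLS_KEY when they appear in the system-wide ldap.conf, where ldap.conf(5) says they are user-only and therefore ignored, and it checks that the unencrypted private key the slapd.conf(5) excerpt warns about is not group- or world-readable. The function names and the sample text are my own.

```python
"""Added example: lint an OpenLDAP ldap.conf for user-only TLS options and
check private-key file permissions. Not from the thread; sample is constructed."""
import os
import stat

# ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only: they are honoured in
# ~/.ldaprc but ignored in the system-wide ldap.conf.
USER_ONLY_OPTIONS = {"TLS_CERT", "TLS_KEY"}

# Constructed sample mirroring the client settings quoted in the thread.
SAMPLE_LDAP_CONF = """\
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
TLS_REQCERT hard
"""


def parse_ldap_conf(text):
    """Return (OPTION, value) pairs; keywords are case-insensitive per ldap.conf(5)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].upper(), value))
    return entries


def misplaced_user_options(text, system_wide=True):
    """Options that are silently ignored because the file is system-wide."""
    if not system_wide:
        return []
    return [opt for opt, _ in parse_ldap_conf(text) if opt in USER_ONLY_OPTIONS]


def mode_is_too_open(mode):
    """True if any group/other permission bit is set on the key file."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def key_file_problems(path):
    """Permission findings for an unencrypted private key. slapd.conf(5) says
    TLSCertificateKeyFile must not be password-protected, so the file mode is
    the only thing guarding it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if mode_is_too_open(st.st_mode):
        return [f"{path}: mode {stat.S_IMODE(st.st_mode):04o} readable by "
                f"group or others; use 0600"]
    return []


def lint(text, system_wide=True):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"{opt} is user-only (ldap.conf(5)); move it to ~/.ldaprc"
                for opt in misplaced_user_options(text, system_wide)]
    for opt, value in parse_ldap_conf(text):
        if opt == "TLS_KEY" and value:
            findings.extend(key_file_problems(value))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_LDAP_CONF):
        print(finding)
```

Run against the real file with `system_wide=True` for /etc/ldap/ldap.conf and `system_wide=False` for a ~/.ldaprc; on the sample above it reports both TLS_CERT and TLS_KEY as misplaced, which is exactly why a client configured this way negotiates TLS without presenting a certificate.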