Hi everybody,
thank you all for your immediate replies.
As you correctly pointed out, the options I used were wrong.
With the following ldap.conf, everything works out fine.
base dc=...
URI ldaps://<fqdn of ldap server>/
ldap_version 3
rootbinddn cn=...
bind_policy soft
pam_password md5
TLS_REQCERT yes
TLS_CACERT /usr/lib/ssl/certs/<ca>.chain.crt
The ldap.conf I used before had been created by dpkg-reconfigure
and I simply changed the default values there. That was a mistake ;-)
Creating a new ldap.conf from scratch with a man-page at hand
obviously did the trick.
Thank you very much for your help,
Best regards,
Hauke
--
----- Original Message -----
From: "Howard Chu"
hyc@symas.com
To: "Hauke Coltzau"
hauke.coltzau@FernUni-Hagen.de
CC: "openldap-technical"
openldap-technical@openldap.org
Sent: Wednesday, 27 August 2008 20:37:44 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien
Subject: Re: SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read
Hauke Coltzau wrote:
> Hello everybody,
>
> I'm just trying to set up an LDAPS server using my own
> certification authority, but the ldap server does not
> accept/understand my client certificate. Instead, the server
> says:
>
> TLS: can't accept: The peer did not send any certificate..
> Here are the details:
>
> Client:
> =======
>
> # ldapsearch -x -LLL -ZZ -d 1
>
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP<serverip>:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying<serverip>:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: can't connect: A TLS packet with unexpected length was received..
> ldap_err2string
> ldap_start_tls: Can't contact LDAP server (-1)
>
>
> Server:
> ========
>
> # slapd -VV
> @(#) $OpenLDAP: slapd 2.4.9 (Aug 1 2008 01:09:46) $
> buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
>
>
> # slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127
You cannot use StartTLS (ldapsearch -Z) with an ldaps:// server, it's redundant.
> ldap.conf (partially)
> ---------------------
>
> uri ldaps://132.176.4.6/
> ssl yes
> tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
> tls_ciphers TLSv1
The above 3 keywords are not valid for ldap.conf. Read the ldap.conf(5) manpage.
> tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
> tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem
> What did I do wrong?
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
--
------------------------------------
Fernuniversität in Hagen
Department of Communication Networks
http://www.fernuni-hagen.de/kn
Phone/Fax: +49 2331 987 -1142 / -353
------------------------------------
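The two mistakes Howard points out above (keywords that libldap's ldap.conf(5) does not know, and running StartTLS against an ldaps:// URI) are easy to catch mechanically before a client ever talks to the server. The following checker is an added example, not code from this thread or from the OpenLDAP project; the keyword allowlist is a subset of ldap.conf(5) that I am confident of, the sample configs are constructed with placeholder hostnames and paths, and the `client_uses_starttls` flag is my own assumption standing in for `ldapsearch -Z`.

```python
"""Check a libldap-style ldap.conf for the TLS mistakes discussed in the
thread: keywords libldap does not know, StartTLS layered on ldaps://, and
server certificate verification that is missing or switched off.

Added example; not code from the thread or from the OpenLDAP project.
"""

# Keywords documented in ldap.conf(5) for OpenLDAP's client library (libldap).
# Assumption: this subset suffices for the checks below; anything else is
# reported as unrecognized so the reader can confirm it against the manpage.
LIBLDAP_KEYWORDS = {
    "URI", "BASE", "BINDDN", "HOST", "PORT", "DEREF", "REFERRALS",
    "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "NETWORK_TIMEOUT",
    "SASL_MECH", "SASL_REALM", "SASL_AUTHCID", "SASL_AUTHZID", "SASL_SECPROPS",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
    "TLS_CIPHER_SUITE", "TLS_REQCERT", "TLS_CRLCHECK", "TLS_RANDFILE",
}

# TLS_REQCERT values that skip or soften server certificate checking.
WEAK_REQCERT = {"never", "allow"}


def parse_ldap_conf(text):
    """Parse ldap.conf(5) syntax: one 'KEYWORD value' per line, '#' starts a
    comment, blank lines are ignored and keywords are case-insensitive.
    Returns a list of (line_number, KEYWORD, value) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, keyword, value))
    return entries


def check_ldap_conf(text, client_uses_starttls=False):
    """Return a list of human-readable findings for the given ldap.conf text.
    client_uses_starttls says whether the client is also run with -Z/-ZZ
    (hypothetical flag standing in for the ldapsearch option)."""
    findings = []
    entries = parse_ldap_conf(text)
    keywords = {kw for _, kw, _ in entries}
    uses_ldaps = False

    for lineno, kw, value in entries:
        if kw not in LIBLDAP_KEYWORDS:
            findings.append(
                f"line {lineno}: '{kw.lower()}' is not an ldap.conf(5) keyword; libldap ignores it")
        if kw == "TLS_REQCERT" and value.lower() in WEAK_REQCERT:
            findings.append(
                f"line {lineno}: TLS_REQCERT {value} disables server certificate verification")
        if kw == "URI":
            for uri in value.split():
                if uri.lower().startswith("ldaps://"):
                    uses_ldaps = True
                    if client_uses_starttls:
                        findings.append(
                            f"line {lineno}: StartTLS (-Z) is redundant on an ldaps:// URI; use one or the other")

    # Without a CA to check against, an ldaps:// connection cannot validate the server.
    if uses_ldaps and not keywords & {"TLS_CACERT", "TLS_CACERTDIR"}:
        findings.append(
            "no TLS_CACERT or TLS_CACERTDIR: the server certificate cannot be validated against your CA")
    return findings


# Constructed sample modelled on the config quoted in the thread; hostnames and
# paths are placeholders.
BROKEN_CONF = """\
uri ldaps://ldap.example.org/
ssl yes
tls_cacertfile /usr/lib/ssl/certs/example-ca.chain.crt
tls_ciphers TLSv1
tls_cert /usr/lib/ssl/certs/client.example.org.cert.pem
tls_key /usr/lib/ssl/private/client.example.org.key.pem
"""

# Constructed sample that uses only ldap.conf(5) keywords.
FIXED_CONF = """\
BASE dc=example,dc=org
URI ldaps://ldap.example.org/
TLS_REQCERT demand
TLS_CACERT /usr/lib/ssl/certs/example-ca.chain.crt
"""

if __name__ == "__main__":
    for name, conf, starttls in (("broken", BROKEN_CONF, True), ("fixed", FIXED_CONF, False)):
        print(f"== {name} ==")
        for finding in check_ldap_conf(conf, client_uses_starttls=starttls) or ["no findings"]:
            print(" -", finding)
```

Run against the constructed "broken" config with StartTLS enabled it reports the three unrecognized keywords, the redundant StartTLS, and the absence of a CA file; the "fixed" config produces no findings. Keywords are matched case-insensitively, which is why a lower-case `base` or `uri` line is accepted just as the upper-case form is.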