Hello,
I have configured an openSUSE 11.0 (x86_64) with openldap-server. TLS is also activated. All clients are set to "TLS_REQCERT demand" and it is working. Then I created client certificates using the server's YaST2 CA management. I copied the client certificates and also the server's "cacert" into the "/etc/openldap/" directory on the client computer. With "TLSVerifyClient allow" clients can log in, but if I activate the "TLSVerifyClient demand" option in the server's slapd.conf no user can perform a login and it causes errors in /var/log/messages:

----------------/var/log/messages----------------
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: conn=107 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1 tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept failure error=-1 id=107, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying conn=107 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=107 sd=14
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: conn=108 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1 tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept failure error=-1 id=108, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying conn=108 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=108 sd=14
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: conn=109 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1 tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept failure error=-1 id=109, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying conn=109 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=109 sd=14
----------------/var/log/messages----------------

slapd.conf:

---------------/etc/openldap/slapd.conf--------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword,userPKCS12 by self write by * auth
access to attrs=shadowLastChange by self write by * read
access to * by * read

#######################################################################
# BDB database definitions
#######################################################################

loglevel 5
TLSCertificateFile /etc/openldap/servercert.pem
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient demand

database bdb
suffix "dc=lmv,dc=lmv"
rootdn "cn=ldaproot,dc=lmv,dc=lmv"
rootpw "???????"
directory /mnt/lvm/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

database monitor
---------------/etc/openldap/slapd.conf--------

ldap.conf (client):

--------------/etc/openldap/slapd.conf---------
#
# LDAP Defaults
#
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERT /etc/openldap/cacert.pem
TLS_CERT /etc/openldap/clientcert_205.pem
TLS_KEY /etc/openldap/clientkey_205.pem
TLS_REQCERT demand

host 192.168.0.201
base dc=lmv,dc=lmv
--------------/etc/openldap/slapd.conf---------

What is wrong? The client's certificate "common name" is set to the client's hostname. Is this ok?
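Two checks for the setup described in this post, added here as an example and not part of the original message or of OpenLDAP itself: a triage of slapd log lines in the shape quoted above, which reports connections that requested StartTLS (oid 1.3.6.1.4.1.1466.20037) and then hit "TLS accept failure", and a scan of a system-wide ldap.conf for TLS_CERT and TLS_KEY, which ldap.conf(5) marks as user-only options that libldap only reads from ~/.ldaprc. The log sample is constructed from the excerpt; conn=108 is an invented healthy connection.

```python
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # the oid slapd logs for a StartTLS request
CONN_RE = re.compile(r"\bconn=(\d+)\b")
OID_RE = re.compile(r"do_extended: oid=(\S+)")
FAIL_RE = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")

# Constructed sample in the shape of the /var/log/messages excerpt above;
# conn=108 is an invented healthy connection that binds after StartTLS.
SAMPLE_LOG = """\
Feb 22 18:50:01 lmvserver slapd[7093]: conn=107 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept failure error=-1 id=107, closing
Feb 22 18:50:02 lmvserver slapd[7093]: conn=108 op=0 do_extended
Feb 22 18:50:02 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:02 lmvserver slapd[7093]: conn=108 op=1 BIND dn="uid=bob,dc=lmv,dc=lmv" method=128
"""

def triage_tls(log_text):
    """Map connid -> {"starttls": bool, "tls_failure": slapd error code or None}."""
    state = defaultdict(lambda: {"starttls": False, "tls_failure": None})
    current = None  # the do_extended oid line carries no conn id: attribute it
    for line in log_text.splitlines():  # to the most recent conn=N line
        m = CONN_RE.search(line)
        if m:
            current = int(m.group(1))
            state[current]  # record the connection even if nothing else follows
        m = OID_RE.search(line)
        if m and current is not None and m.group(1) == STARTTLS_OID:
            state[current]["starttls"] = True
        m = FAIL_RE.search(line)
        if m:
            state[int(m.group(2))]["tls_failure"] = int(m.group(1))
    return dict(state)

def failed_handshakes(log_text):
    """Connections that asked for StartTLS and then failed the TLS accept: under
    TLSVerifyClient demand a client that sent no certificate, or one the server's
    TLSCACertificateFile cannot verify, ends up exactly here."""
    return sorted(c for c, s in triage_tls(log_text).items()
                  if s["starttls"] and s["tls_failure"] is not None)

# ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only: libldap ignores them in
# the system-wide ldap.conf and reads them only from ~/.ldaprc (or $LDAPRC).
USER_ONLY = {"TLS_CERT", "TLS_KEY"}

def user_only_in_system_conf(conf_text):
    """Return the user-only directives present in a system-wide ldap.conf."""
    keys = (l.split(None, 1)[0].upper() for l in conf_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return [k for k in keys if k in USER_ONLY]
```

Running `failed_handshakes` over the full excerpt above reports 107, 108 and 109, the same three connections the poster's server closed.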