--On Friday, January 21, 2022 4:05 PM +0100 patrick+openldap.org@laimbock.com wrote:
Hi,
I'm having trouble getting OpenLDAP 2.6.1 on AlmaLinux 8.5 to work with olcTLSVerifyClient=demand which results in: connection_read(11): TLS accept failure error=-1 id=1001, closing ... conn=1001 fd=11 closed (TLS negotiation failure). With olcTLSVerifyClient=try I get: error unable to get TLS client DN, error 49.
I tried various Google suggestions: check certificate permissions, SELinux AVCs (there are none), created CA, server and client certificates with EasyRSA and manually created the same certificates, ran slapd as root and tried with a python-ldap script.
I would suggest looking at test068, which explicitly tests client cert authentication and also examine the certs therein as to how a correctly structured client cert is formed.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com