Hi, I'm having some troubles with openldap w/ TLS. I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving be back "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" On the server side log I'm getting: TLS trace: SSL3 alert read: fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053
I've tried and tested my ssl connection using: openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem and that works, althought if I use "TLSVerifyClient demand" in slapd.conf, the server will reject the connection saying that the client didn't send the certificate.
I also tried the client authentication ssl test and the works w/ and w/o the TLSVerifyClient demand option: openssl s_client -connect ldap1.mylan:636 -state \ -CAfile /usr/local/etc/openldap/cacert.pem \ -cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \ -key /usr/local/etc/openldap/slapd-key-ldap1.pem
Does any know what i'm doing wrong?
Here are the tls part of my configs: slapd.conf .... #TLS SSL keys TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem #TLSVerifyClient demand ....
ldap.conf
BASE dc=mylan HOST ldap1.mylan #URI ldaps://127.0.0.1:636 TLS_CACERT /usr/local/etc/openldap/cacert.pem .....
/etc/ldap.conf
# network or connect timeouts (see bind_timelimit). host 127.0.0.1
# The distinguished name of the search base. #base dc=caplan,dc=org base dc=mylan
# Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. host ldap1.mylan #uri ldap://127.0.0.1/ #uri ldap://127.0.0.1/ ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3
# The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=NonAnon,dc=caplan,dc=org
# The credentials to bind with. # Optional: default is no credential. #bindpw SeCrEt
# The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) #rootbinddn cn=root,dc=padl,dc=com
# The port. # Optional: default is 389. port 389 .. ... ..
# OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 ssl start_tls #ssl on
# OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". tls_checkpeer yes
# CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool
# SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1
# Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key
Thanks, Vinh