Hi,

We have to implement a 2-way SSL mechanism on an LDAP connector in our product. In order to test the implementation, we have chosen OpenLDAP 2.4 as the data source.

Currently we have done the following steps:

On the OpenLDAP end:
1. Installed OpenLDAP with TLS feature
2. Created a CA using OpenSSL
   /etc/pki/tls/misc/CA -newca
3. Created a certificate using OpenSSL
   openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
4. Signed the certificate using the CA created
   /etc/pki/tls/misc/CA -sign
5. Finally stored the cacert.pem, newreq.pem and newcert.pem under the /opt/openldap/certificate folder
6. Following changes were made in slapd.conf
   TLSCipherSuite MEDIUM:+SSLv2:+SSLv3:RSA
   TLSCACertificatePath /opt/openldap/certificate/
   TLSCACertificateFile /opt/openldap/certificate/cacert.pem
   TLSCertificateFile /opt/openldap/certificate/servercrt.pem
   TLSCertificateKeyFile /opt/openldap/certificate/serverkey.pem
   # Use the following if client authentication is required
   TLSVerifyClient demand
7. Similarly a new certificate for the client was created using the client's details such as host name etc.
8. Signed by the previously created CA
On the client side:
1. Following changes were made in ldap.conf
   HOST spsdel192
   PORT 636
   TLS_CACERTDIR /etc/openldap/certs
   TLS_REQCERT demand
   TLS_CACERT /etc/openldap/certs/cacert.pem
Finally, when executing:

[root@spsdel193 ~]# ldapsearch -v -Z -D cn=root,o=ShawEnterprise -w secret -b o=accounts,o=shawEnterprise
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
        additional info: TLS error -12227:SSL peer was unable to negotiate an acceptable set of security parameters.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@spsdel193 ~]#

Any solution to resolve this issue would be of great help.

Thanks in advance.

Regards
Vidya
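As an added example, not part of Vidya's post or of OpenLDAP itself, the script below reproduces the certificate procedure from steps 2-4 and 7-8 with direct openssl(1) calls instead of the /etc/pki/tls/misc/CA wrapper, and then checks the two things a `TLSVerifyClient demand` server and a `TLS_REQCERT demand` client each verify during the handshake: that the peer's certificate chains to the configured CA, and that the server certificate's CN names the host the client connects to. It also emits the client-side TLS_CERT/TLS_KEY lines that a mutual-TLS client needs to present a certificate at all; per ldap.conf(5) these two are user-only options, read from ldaprc/.ldaprc rather than the system ldap.conf. All names, paths and the 2048-bit key size are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA plus a
# server and a client certificate for a mutual-TLS OpenLDAP test, then verify
# each leaf against the CA and inspect the server CN. Requires openssl(1).
set -eu

# make_pki DIR: create cacert.pem, servercrt.pem/serverkey.pem and
# clientcrt.pem/clientkey.pem under DIR, all signed by the same demo CA.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed CA (what slapd's TLSCACertificateFile and the client's
    # TLS_CACERT both point at). Constructed subject names throughout.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=ExampleCA/CN=Example Test CA" \
        -keyout "$dir/cacert.key" -out "$dir/cacert.pem" 2>/dev/null
    # Server CSR: the CN must equal the HOST the client uses, otherwise a
    # TLS_REQCERT demand client rejects the certificate.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=ExampleOrg/CN=ldap.example.test" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cacert.key" -CAcreateserial -days 30 \
        -out "$dir/servercrt.pem" 2>/dev/null
    # Client CSR signed by the same CA: this is what TLSVerifyClient demand
    # checks on the server side.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=ExampleOrg/CN=ldapclient.example.test" \
        -keyout "$dir/clientkey.pem" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cacert.key" -CAcreateserial -days 30 \
        -out "$dir/clientcrt.pem" 2>/dev/null
}

# verify_leaf CAFILE CERT: print OK if CERT chains to CAFILE, FAIL otherwise.
# This is the same chain check both peers perform under "demand".
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# cert_cn CERT: print the subject CN (works with old "/CN=x" and new "CN = x"
# subject formatting).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# client_conf DIR: print the per-user ldaprc lines a mutual-TLS client needs.
# TLS_CERT and TLS_KEY are user-only options in ldap.conf(5).
client_conf() {
    printf 'TLS_CACERT %s/cacert.pem\n' "$1"
    printf 'TLS_REQCERT demand\n'
    printf 'TLS_CERT %s/clientcrt.pem\n' "$1"
    printf 'TLS_KEY %s/clientkey.pem\n' "$1"
}

# Stand-alone demo: good PKI, then a client cert from an unrelated CA, which
# is the kind of mismatch that makes a "demand" peer abort the handshake.
work=$(mktemp -d)
make_pki "$work/good"
make_pki "$work/other"
echo "server cert vs CA:          $(verify_leaf "$work/good/cacert.pem" "$work/good/servercrt.pem")"
echo "client cert vs CA:          $(verify_leaf "$work/good/cacert.pem" "$work/good/clientcrt.pem")"
echo "foreign client cert vs CA:  $(verify_leaf "$work/good/cacert.pem" "$work/other/clientcrt.pem")"
echo "server CN:                  $(cert_cn "$work/good/servercrt.pem")"
echo "--- ldaprc for the client ---"
client_conf "$work/good"
rm -rf "$work"
```

Run it as `sh mtls_check.sh`; to check an existing deployment instead, call `verify_leaf /opt/openldap/certificate/cacert.pem <peer cert>` and compare `cert_cn servercrt.pem` with the HOST value in ldap.conf. Note that this script only exercises certificate validation; it does not reproduce the `TLSCipherSuite` negotiation, which is the other input to the error quoted in the post.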