Hi,
 
We have to implement a 2-way SSL mechanism on an LDAP connector in our product.
In order to test the implementation, we have chosen OpenLDAP 2.4 as the data source.
 
Currently we have done the following steps:
On the OpenLDAP end:
1. Installed OpenLDAP with TLS feature
2. Created a CA using OpenSSL
 /etc/pki/tls/misc/CA -newca
 
3. Created a certificate using OpenSSL
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
 
4. Signed the certificate using the CA created
 /etc/pki/tls/misc/CA -sign
 
5. Finally stored the cacert.pem, newreq.pem and newcert.pem under /opt/openldap/certificate folder
 
6. Following changes were made in slapd.conf
TLSCipherSuite          MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificatePath    /opt/openldap/certificate/
TLSCACertificateFile    /opt/openldap/certificate/cacert.pem
TLSCertificateFile      /opt/openldap/certificate/servercrt.pem
TLSCertificateKeyFile   /opt/openldap/certificate/serverkey.pem
# Use the following if client authentication is required
TLSVerifyClient      demand
 
7. Similarly, a new certificate for the client was created using the client's details such as host name, etc.
8. Signed by the previously created CA
 
On the client side:
1. Following changes were made in ldap.conf
HOST   spsdel192
PORT   636
 
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT   demand
TLS_CACERT    /etc/openldap/certs/cacert.pem
 
Finally, when executing:
[root@spsdel193 ~]# ldapsearch -v -Z -D cn=root,o=ShawEnterprise -w secret -b o=accounts,o=shawEnterprise 
ldap_initialize( <DEFAULT> ) 
ldap_start_tls: Connect error (-11) 
        additional info: TLS error -12227:SSL peer was unable to negotiate an acceptable set of security parameters. 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) 
[root@spsdel193 ~]# 
 
 
Any solution to resolve this issue would be of great help.
Thanks in advance.
 
Regards
Vidya
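A check worth running before chasing the handshake error, added here as an example and not part of the post above: it confirms that the three files slapd.conf points at agree with each other (the server certificate chains to the CA, the private key belongs to that certificate, and the key is not passphrase-protected, since slapd cannot prompt for one). The paths are arguments; the ones from the post are shown in the comment.

```shell
#!/bin/sh
# check_tls_files: sanity-check the files named by TLSCACertificateFile,
# TLSCertificateFile and TLSCertificateKeyFile in slapd.conf.
# Added example, not from the original post. With the post's paths:
#   check_tls_files /opt/openldap/certificate/cacert.pem \
#                   /opt/openldap/certificate/servercrt.pem \
#                   /opt/openldap/certificate/serverkey.pem
#
# Returns 0 when every check passes; prints the first failing check
# and returns 1 otherwise.
check_tls_files() {
    ca="$1"; cert="$2"; key="$3"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done
    # 1. slapd reads the key at startup and cannot ask for a passphrase.
    if grep -q ENCRYPTED "$key"; then
        echo "key is passphrase-protected: $key"
        return 1
    fi
    # 2. The server certificate must verify against the CA certificate
    #    that the client will trust (TLS_CACERT on the client side).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to CA: $cert"
        return 1
    fi
    # 3. The key file must be the key for that certificate. Compare
    #    SHA-256 digests of the DER public keys, which works for any
    #    key type rather than only RSA moduli.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER \
        | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate: $key"
        return 1
    fi
    echo "ok: $cert chains to $ca and matches $key"
    return 0
}
```

Run the same function against the client certificate, key and CA file to check the TLSVerifyClient side of the setup.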