Dieter Kluenter wrote:
Sebastian Reinhardt snr@lmv-hartmannsdorf.de writes:
Hello,
I have configured an openSUSE 11.0 (x86_64) with openldap-server. TLS is also activated. All clients are set to "TLS_REQCERT demand" and it is working. Then I created client certificates using the server's YaST2 CA management. I copied the client certificates and also the server's "cacert" into the "/etc/openldap/" directory on the client computer. With "TLSVerifyClient allow" clients can log in, but if I activate the "TLSVerifyClient demand" option in the server's slapd.conf no user can perform a login and it causes errors in /var/log/messages:
[...]
What is wrong? The client certificate's "common name" is set to the client's hostname. Is this ok?
Clients don't read slapd.conf(5) but only ldap.conf(5); run slapd with debug level 3 to analyse the TLS session.
-Dieter
Hello Dieter,
Now I have set the loglevel to "3" and I get the following output if I try to log in (still fails):
-------------------/var/log/messages---------------------------------------------------------------------
Feb 25 16:41:49 lmvserver slapd[11737]: slap_listener_activate(8):
Feb 25 16:41:49 lmvserver slapd[11737]: >>> slap_listener(ldap://)
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking for input on id=0
Feb 25 16:41:49 lmvserver slapd[11737]: conn=0 op=0 do_extended
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_extended: err=0 oid= len=0
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_response: msgid=1 tag=120 err=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking for input on id=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking for input on id=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): TLS accept failure error=-1 id=0, closing
Feb 25 16:41:49 lmvserver slapd[11737]: connection_closing: readying conn=0 sd=13 for close
Feb 25 16:41:49 lmvserver slapd[11737]: connection_close: conn=0 sd=13
Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search LDAP server - Server is unavailable
Feb 25 16:41:49 lmvserver slapd[11737]: slap_listener_activate(8):
Feb 25 16:41:49 lmvserver slapd[11737]: >>> slap_listener(ldap://)
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking for input on id=1
Feb 25 16:41:49 lmvserver slapd[11737]: conn=1 op=0 do_extended
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_extended: err=0 oid= len=0
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_response: msgid=1 tag=120 err=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking for input on id=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): checking for input on id=1
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): TLS accept failure error=-1 id=1, closing
Feb 25 16:41:49 lmvserver slapd[11737]: connection_closing: readying conn=1 sd=13 for close
Feb 25 16:41:49 lmvserver slapd[11737]: connection_close: conn=1 sd=13
Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s: Connect error
-------------------/var/log/messages---------------------------------------------------------------------
I am not sure if this is a configuration or certificate error. Do you understand the output above?
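As an added diagnostic aid, not part of the thread: a small parser for slapd debug output in the format quoted above that follows each connection id through StartTLS and reports which ones died at the TLS accept, which separates a handshake (certificate exchange) failure from a failure that would only show up later at bind time. The sample log is a constructed excerpt in that format; conn=1 is an invented session that gets past the TLS accept, for contrast.

```python
import re
from collections import defaultdict

# Constructed excerpt in the slapd debug-level-3 format quoted in the post;
# conn=0 mirrors the failing session, conn=1 is invented and passes TLS accept.
SAMPLE_LOG = """\
Feb 25 16:41:49 lmvserver slapd[11737]: connection_get(13): got connid=0
Feb 25 16:41:49 lmvserver slapd[11737]: conn=0 op=0 do_extended
Feb 25 16:41:49 lmvserver slapd[11737]: send_ldap_response: msgid=1 tag=120 err=0
Feb 25 16:41:49 lmvserver slapd[11737]: connection_read(13): TLS accept failure error=-1 id=0, closing
Feb 25 16:41:49 lmvserver slapd[11737]: connection_close: conn=0 sd=13
Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search LDAP server - Server is unavailable
Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s: Connect error
Feb 25 16:41:50 lmvserver slapd[11737]: conn=1 op=0 do_extended
Feb 25 16:41:50 lmvserver slapd[11737]: send_ldap_response: msgid=1 tag=120 err=0
Feb 25 16:41:50 lmvserver slapd[11737]: connection_close: conn=1 sd=13
"""

# do_extended is the StartTLS request (tag=120 in the reply is the BER tag of
# an LDAP ExtendedResponse); the "TLS accept" line carries the handshake result.
EXTENDED_RE = re.compile(r"conn=(\d+) op=\d+ do_extended")
TLS_FAIL_RE = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")
CLOSE_RE = re.compile(r"connection_close: conn=(\d+) sd=\d+")
CLIENT_RE = re.compile(r"((?:nss_ldap|pam_ldap): .*)$")


def analyse_tls_sessions(log_text):
    """Follow every connection id through StartTLS and the TLS accept."""
    conns = defaultdict(lambda: {"starttls": False, "tls_error": None, "closed": False})
    for line in log_text.splitlines():
        if m := EXTENDED_RE.search(line):
            conns[int(m.group(1))]["starttls"] = True
        elif m := TLS_FAIL_RE.search(line):
            conns[int(m.group(2))]["tls_error"] = int(m.group(1))
        elif m := CLOSE_RE.search(line):
            conns[int(m.group(1))]["closed"] = True
    return dict(conns)


def failed_after_starttls(conns):
    """Ids whose handshake failed after StartTLS was accepted: the problem is in
    the certificate exchange itself, before any bind could be attempted."""
    return sorted(cid for cid, st in conns.items()
                  if st["starttls"] and st["tls_error"] is not None)


def client_symptoms(log_text):
    """The nss_ldap/pam_ldap messages the clients log for the same failures."""
    return [m.group(1) for line in log_text.splitlines() if (m := CLIENT_RE.search(line))]
```

Run `analyse_tls_sessions` over the real /var/log/messages text to get the same per-connection report for a live slapd.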