Hauke Coltzau wrote:
Hello everybody,
I'm just trying to set up an LDAPS server using my own certification authority, but the ldap server does not accept/understand my client certificate. Instead, the server says:
TLS: can't accept: The peer did not send any certificate..
Here are the details:
Client:
# ldapsearch -x -LLL -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <serverip>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <serverip>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
Server:
# slapd -VV
@(#) $OpenLDAP: slapd 2.4.9 (Aug 1 2008 01:09:46) $
buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
# slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127
You cannot use StartTLS (ldapsearch -Z) with an ldaps:// server, it's redundant.
ldap.conf (partially)
uri ldaps://132.176.4.6/
ssl yes
tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
tls_ciphers TLSv1
The above 3 keywords are not valid for ldap.conf. Read the ldap.conf(5) manpage.
tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem
What did I do wrong?
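The two points raised in the reply, StartTLS against an ldaps:// URI and keywords that ldap.conf(5) does not know, are easy to check mechanically. The following Python linter is an added example, not code from the thread or from the OpenLDAP project. It assumes the keyword list of the OpenLDAP 2.4 client ldap.conf(5) (matched case-insensitively, as libldap does), the fact from the same manpage that TLS_CERT and TLS_KEY are user-only options that are ignored in the system-wide ldap.conf and must go into ~/.ldaprc, and that `ssl`, `tls_cacertfile` and `tls_ciphers` are nss_ldap/pam_ldap spellings that have no effect in the OpenLDAP file. The sample config is a constructed reconstruction of the one posted above.

```python
"""Lint an OpenLDAP client ldap.conf for keywords the client library will
not act on, and flag StartTLS (-Z/-ZZ) requested against an ldaps:// URI.
Added example; keyword sets are taken from ldap.conf(5) for OpenLDAP 2.4."""

import shlex

# Keywords accepted by the OpenLDAP 2.4 client ldap.conf(5); matching is
# case-insensitive in libldap, so everything is compared in upper case.
LDAP_CONF_KEYWORDS = {
    "URI", "BASE", "BINDDN", "DEREF", "HOST", "PORT", "NETWORK_TIMEOUT",
    "REFERRALS", "SIZELIMIT", "TIMELIMIT", "TIMEOUT",
    "SASL_MECH", "SASL_REALM", "SASL_AUTHCID", "SASL_AUTHZID", "SASL_SECPROPS",
    "GSSAPI_SIGN", "GSSAPI_ENCRYPT", "GSSAPI_ALLOW_REMOTE_PRINCIPAL",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE",
    "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK", "TLS_CRLFILE",
}

# ldap.conf(5) marks these "user-only": they are ignored in the system-wide
# ldap.conf and are only read from the user's ~/.ldaprc (or $LDAPRC).
USER_ONLY_KEYWORDS = {"TLS_CERT", "TLS_KEY"}

# nss_ldap/pam_ldap keywords that commonly get pasted into the OpenLDAP
# file, mapped to the ldap.conf(5) keyword with the same intent (None when
# there is none: 'ssl yes' is already implied by an ldaps:// URI).
PAM_LDAP_EQUIVALENTS = {
    "SSL": None,
    "TLS_CACERTFILE": "TLS_CACERT",
    "TLS_CIPHERS": "TLS_CIPHER_SUITE",
    "TLS_CHECKPEER": "TLS_REQCERT",
}


def lint_ldap_conf(text, system_wide=True):
    """Return (line_number, KEYWORD, message) for every directive that the
    client library will not act on in this file. Comments and blank lines
    are skipped. system_wide=True means the file is /etc/ldap/ldap.conf
    rather than a user's .ldaprc, so user-only keywords are flagged too."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split(None, 1)[0].upper()
        if system_wide and keyword in USER_ONLY_KEYWORDS:
            msg = "user-only option: ignored in ldap.conf, belongs in ~/.ldaprc"
        elif keyword in LDAP_CONF_KEYWORDS:
            continue
        elif keyword in PAM_LDAP_EQUIVALENTS:
            repl = PAM_LDAP_EQUIVALENTS[keyword]
            if repl is None:
                msg = "nss_ldap/pam_ldap keyword; drop it (ldaps:// already implies TLS)"
            else:
                msg = f"nss_ldap/pam_ldap keyword; ldap.conf(5) spells this {repl}"
        else:
            msg = "not a keyword in ldap.conf(5); the client library does not act on it"
        findings.append((lineno, keyword, msg))
    return findings


def rewrite_ldap_conf(text):
    """Return the config with pam_ldap spellings translated to ldap.conf(5)
    keywords and keywords without an equivalent dropped. Lines are kept in
    order; user-only keywords are left in place for the reader to move."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        value = parts[1] if len(parts) > 1 else ""
        if keyword in PAM_LDAP_EQUIVALENTS:
            keyword = PAM_LDAP_EQUIVALENTS[keyword]
            if keyword is None:
                continue
        out.append(f"{keyword} {value}".rstrip())
    return "\n".join(out) + "\n"


def starttls_on_ldaps(command, uri):
    """True when an ldapsearch command line asks for StartTLS (-Z or -ZZ)
    while the URI is already ldaps://. The session is TLS from the first
    byte, so the Start TLS extended operation is redundant there."""
    if not uri.lower().startswith("ldaps://"):
        return False
    argv = shlex.split(command)
    return any(a.startswith("-") and not a.startswith("--") and "Z" in a
               for a in argv)


# Constructed sample reconstructing the client configuration from the thread.
SAMPLE_LDAP_CONF = """\
# constructed sample: system-wide /etc/ldap/ldap.conf from the thread
uri ldaps://132.176.4.6/
ssl yes
tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
tls_ciphers TLSv1
tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem
"""

if __name__ == "__main__":
    for lineno, keyword, msg in lint_ldap_conf(SAMPLE_LDAP_CONF):
        print(f"line {lineno}: {keyword}: {msg}")
    print(rewrite_ldap_conf(SAMPLE_LDAP_CONF))
    print("StartTLS on ldaps://:",
          starttls_on_ldaps("ldapsearch -x -LLL -ZZ -d 1", "ldaps://132.176.4.6/"))
```

Run against the posted config, the linter reports the three keywords named in the reply plus the two user-only ones; the latter explain a server that says the peer sent no certificate even though tls_cert and tls_key look correct, because the system-wide file is not where libldap reads them from.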