Hello Sebastian,
Sebastian Reinhardt snr@lmv-hartmannsdorf.de writes:
Dieter Kluenter wrote:
Sebastian Reinhardt snr@lmv-hartmannsdorf.de writes:
Hello,
I have configured an openSUSE 11.0 (x86_64) with openldap-server. Also the TLS is activated. All clients are set to "TLS_REQCERT demand" and it is working. Then I created client certificates by using the server's YaST2 CA management. I copied the client certificates and also the server's "cacert" into the "/etc/openldap/" directory on the client computer. With "TLSVerifyClient allow" clients can log in, but if I activate the "TLSVerifyClient demand" option in the server's slapd.conf no user can perform a login and it causes errors in /var/log/messages:
[...]
What is wrong? The client's certificate "common name" is set to the client's hostname. Is this ok?
Clients don't read slapd.conf(5) but only ldap.conf(5); run slapd with debug level 3 to analyse the TLS session.
-Dieter
Hello Dieter,
Now I have set the loglevel to "3" and I get the following output if I try to log in (it still fails):
loglevel is != debug level; see man slapd(8), run slapd -d3
-------------------/var/log/messages---------------------------------------------------------------------
[...]
Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search LDAP server - Server is unavailable
[...]
Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s: Connect error
-------------------/var/log/messages---------------------------------------------------------------------
I am not sure if this is a configuration or a certificate error. Do you understand the output above?
The clients are nss_ldap and pam_ldap; check the clients' configuration for starttls parameters. With debug level 3 you should see something like:
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1931, written=1931
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert write:warning:close notify
-Dieter
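As an added illustration of reading the slapd -d3 trace Dieter describes (this is not code from the thread or from OpenLDAP), the following sh function classifies the SSL_accept state lines: whether the server asked for a client certificate, whether the client ever sent one, and which fatal alert, if any, ended the handshake. The two sample traces are constructed for the example; the first mirrors the lines quoted above.

```shell
# Reads a "slapd -d3" TLS trace on stdin and prints one verdict word.
# A "write certificate request" with no later "read client certificate"
# means TLSVerifyClient demand asked for a cert the client never offered.
diagnose_trace() {
    requested=0 presented=0 finished=0 alert=""
    while IFS= read -r line; do
        case "$line" in
            *"SSL_accept:SSLv3 write certificate request"*) requested=1 ;;
            *"SSL_accept:SSLv3 read client certificate"*)   presented=1 ;;
            *"SSL_accept:SSLv3 write finished"*)            finished=1 ;;
            *"SSL3 alert write:fatal:"*|*"SSL3 alert read:fatal:"*)
                alert="${line##*fatal:}" ;;
        esac
    done
    if [ "$finished" -eq 1 ]; then
        echo "ok"                          # handshake completed
    elif [ "$requested" -eq 1 ] && [ "$presented" -eq 0 ]; then
        # Client closed instead of answering: TLS_CERT/TLS_KEY not set in ldap.conf(5)
        echo "no-client-cert"
    elif [ "$presented" -eq 1 ]; then
        # Cert was sent but refused; alert text says why (e.g. unknown CA)
        echo "cert-rejected:${alert:-unspecified}"
    else
        echo "aborted"
    fi
}

# Constructed sample: server requests a certificate, client just closes.
sample_no_cert() {
    cat <<'EOF'
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert write:warning:close notify
EOF
}

# Constructed sample: client presents a certificate slapd cannot chain to
# anything in its TLSCACertificateFile.
sample_rejected() {
    cat <<'EOF'
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL3 alert write:fatal:unknown CA
EOF
}
```

Run it as `slapd -d3 2>&1 | grep -E 'TLS trace|tls_(read|write)' | diagnose_trace` against the live server, or pipe one of the sample functions into it.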