Hello,
I am running openldap 2.4.41 and I've failed to set up client certificate validation. TLS works well until olcTLSVerifyClient is set to demand. Then I see
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
at client side. And
connection_read(11): TLS accept failure error=-1 id=1021, closing
at the server side. So, I've configured /etc/openldap/ldap.conf as follows to provide client TLS certificate paths:
TLS_CACERT    /path/to/myroot.pem
TLS_CACERTDIR /var/lib/ca-certificates/pem/
TLS_CERT      /path/to/my.crt
TLS_KEY       /path/to/my.key
However, when I run openssl s_server -Verify 0 -accept 636 ... I see the following:
ERROR
140680155473552:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3309:
shutting down SSL
CONNECTION CLOSED
ACCEPT
So, this means that ldapsearch doesn't send out its client certificate. I've also checked with the strace tool that it doesn't even access the certificate file.
So, I am a little stuck here. I understand that I am doing something wrong, but I cannot figure out what.
After inspecting the source code I've just found that TLS_KEY and TLS_CERT are ignored if located in /etc/openldap/ldap.conf. Why is this not written in man ldap.conf(5) explicitly? I've spent two days of my precious life digging it out. Now it works.
On Aug 06, 2016, at 12.14, Matwey V. Kornilov matwey.kornilov@gmail.com wrote:
After inspecting the source code I've just found that TLS_KEY and TLS_CERT are ignored if located in /etc/openldap/ldap.conf. Why is this not written in man ldap.conf(5) explicitly?
from ldap.conf(5):
TLS_CERT <filename> Specifies the file that contains the client certificate. This is a user-only option.
TLS_KEY <filename> Specifies the file that contains the private key that matches the certificate stored in the TLS_CERT file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. This is a user-only option.
both settings clearly state "This is a user-only option"
On Sat, Aug 06, 2016 at 07:14:37PM +0300, Matwey V. Kornilov wrote:
After inspecting the source code I've just found that TLS_KEY and TLS_CERT are ignored if located in /etc/openldap/ldap.conf. Why is this not written in man ldap.conf(5) explicitly?
It is.
TLS_CERT <filename> Specifies the file that contains the client certificate. This is a user-only option.
[...]
TLS_KEY <filename> Specifies the file that contains the private key that matches the certificate stored in the TLS_CERT file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. This is a user-only option.
"User-only" is defined at the top of the page:
Some options are user-only. Such options are ignored if present in the ldap.conf (or file specified by LDAPCONF).
2016-08-06 20:03 GMT+03:00 Ryan Tandy ryan@nardis.ca:
However, I'll prepare a patch issuing a warning in openldap_ldap_init_w_conf. Don't you mind?
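As an added illustration (my own code, not OpenLDAP's libldap and not the patch proposed above), the following Python models the rule the thread turns on: TLS_CERT and TLS_KEY are "user-only", so they are dropped when they appear in the system-wide ldap.conf and only take effect from a per-user file such as ~/.ldaprc or from LDAPTLS_CERT / LDAPTLS_KEY in the environment. It also emits the warning that a silent drop currently lacks. The precedence used here (system file, then ~/.ldaprc, then LDAP<option> environment variables, later wins), the user-file name and the exact set of user-only keywords are assumptions for the example; check ldap.conf(5) for your version. The config texts are constructed to mirror the /etc/openldap/ldap.conf posted at the start of the thread.

```python
"""Model of how libldap treats 'user-only' options when reading its config.

Added example, not OpenLDAP code. It encodes the rule quoted from
ldap.conf(5) in the thread: TLS_CERT and TLS_KEY are user-only, so they
are ignored in the system-wide ldap.conf (or the LDAPCONF file) and only
take effect from a per-user file such as ~/.ldaprc or from the
LDAPTLS_CERT / LDAPTLS_KEY environment variables.  The precedence used
here (system file, then user file, then environment, later wins) is an
assumption for illustration, not a statement about libldap internals.
"""
import warnings

# Options marked "user-only" in the ldap.conf(5) excerpt quoted in the thread.
USER_ONLY = frozenset({"TLS_CERT", "TLS_KEY"})

# Keywords this model recognises; anything else is skipped (assumption).
KNOWN = frozenset({"BASE", "URI", "TLS_CACERT", "TLS_CACERTDIR",
                   "TLS_CERT", "TLS_KEY", "TLS_REQCERT"})


def parse_ldap_conf(text):
    """Yield (KEYWORD, value) pairs from ldap.conf-style text.

    Blank lines and '#' comments are skipped, keywords are case-insensitive
    and the value is everything after the first run of whitespace.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: ignore it
        yield parts[0].upper(), parts[1].strip()


def apply_file(config, text, *, user_file, source, ignored):
    """Merge one config file into `config`.

    In the system file (user_file=False) user-only keywords are dropped,
    recorded in `ignored` and reported with a warning instead of silently.
    """
    for key, value in parse_ldap_conf(text):
        if key not in KNOWN:
            continue
        if key in USER_ONLY and not user_file:
            ignored.append((source, key))
            warnings.warn(
                f"{source}: {key} is a user-only option and is ignored here; "
                f"put it in ~/.ldaprc or set LDAP{key} in the environment")
            continue
        config[key] = value


def effective_config(system_text, user_text=None, env=None):
    """Return (effective_config, ignored_entries).

    `env` is a mapping like os.environ; variables named LDAP<keyword>
    (e.g. LDAPTLS_CERT) are applied last, so they win over both files
    (assumed ordering for this example).
    """
    env = env or {}
    config, ignored = {}, []
    apply_file(config, system_text, user_file=False,
               source="/etc/openldap/ldap.conf", ignored=ignored)
    if user_text is not None:
        apply_file(config, user_text, user_file=True,
                   source="~/.ldaprc", ignored=ignored)
    for key in KNOWN:
        if "LDAP" + key in env:
            config[key] = env["LDAP" + key]
    return config, ignored


def client_cert_will_be_sent(config):
    """True only when both halves of the client identity are configured."""
    return "TLS_CERT" in config and "TLS_KEY" in config


# Constructed sample mirroring the /etc/openldap/ldap.conf from the thread.
SYSTEM_CONF = """\
# system-wide defaults
TLS_CACERT    /path/to/myroot.pem
TLS_CACERTDIR /var/lib/ca-certificates/pem/
TLS_CERT      /path/to/my.crt
TLS_KEY       /path/to/my.key
"""

# Constructed ~/.ldaprc holding the same two lines where they are honoured.
USER_RC = """\
TLS_CERT /path/to/my.crt
TLS_KEY  /path/to/my.key
"""

if __name__ == "__main__":
    with warnings.catch_warnings(record=True):
        warnings.simplefilter("always")
        broken, dropped = effective_config(SYSTEM_CONF)
        fixed, _ = effective_config(SYSTEM_CONF, USER_RC)
    print("system file only: client cert sent?",
          client_cert_will_be_sent(broken), "ignored:", dropped)
    print("with ~/.ldaprc:   client cert sent?",
          client_cert_will_be_sent(fixed))
```

Run as a script it reports that the system-file-only layout leaves no client certificate configured (which is what the openssl s_server "peer did not return a certificate" check above observed), while the same two lines in ~/.ldaprc make it complete. The key file still has to be unencrypted and readable only by the user running ldapsearch, as the man page excerpt warns.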
openldap-technical@openldap.org