Thank you very much Buchan. I have changed the certificate creation method. Now I created the certificates using CA.sh of openssl.I followed the instruction given in the below link to create the certificates. http://octaldream.com/~scottm/talks/ssl/opensslca.html
1. At the server side now i am able to do ldapsearch and ldapadd, as i have chenged the /usr/local/etc/openldap/ldap.conf on server to remove IP address. I have made necessary changes in /etc/hosts file also. BASE dc=samsung,dc=comURI ldaps://localhost.localdomain/TLS_CACERT /etc/pki/CA/cacert.pemTLS_CACERTDIR /etc/pki/CA/ 2.slapd.conf details for TLS are as follows TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSATLSCACertificatePath /etc/pki/CA/TLSCACertificateFile /etc/pki/CA/cacert.pemTLSCertificateFile /etc/pki/tls/misc/newcert.pemTLSCertificateKeyFile /etc/pki/tls/misc/newkey.pemTLSVerifyClient allow 3. I have copied the "cacert.pem" which is CA and "newcert.pem" which my server certificate to the client machine. I have copied these files to /etc/openldap/cacerts directory on client machine. and I have made the following configuration changes to "/etc/ldap.conf" file at the client side. base dc=samsung,dc=comuri ldaps://localhost.localdomain/tls_cacertfile /etc/openldap/cacerts/cacert.pemtls_cert /etc/openldap/cacerts/newcert.pempam_password md5nss_map_attribute gecos description
When the "TLSVerifyClient allow" is specified in slapd.conf, I am able to login to the client machine properly, authentication is succesful. but when "TLSVerifyClient demand" and when I try to login to the client machine the authentication is failing. I am getting the following error at the server side. TLS trace: SSL3 alert write:fatal:handshake failureTLS trace: SSL_accept:error in SSLv3 read client certificate BTLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate.connection_read(12): TLS accept failure error=-1 id=1005, closingconnection_closing: readying conn=1005 sd=12 for closeconnection_close: conn=1005 sd=12daemon: activity on 1 descriptordaemon: activity on:daemon: removing 12conn=1005 fd=12 closed (TLS negotiation failure) please let me know where i am making mistake? how can i correct this and make it work properly? Thanks & Regards,Vijay S.
openldap-technical@openldap.org