Hi,
I'm having trouble getting OpenLDAP 2.6.1 on AlmaLinux 8.5 to work with olcTLSVerifyClient=demand which results in: connection_read(11): TLS accept failure error=-1 id=1001, closing ... conn=1001 fd=11 closed (TLS negotiation failure). With olcTLSVerifyClient=try I get: error unable to get TLS client DN, error 49.
I tried various Google suggestions: check certificate permissions, SELinux AVCs (there are none), created CA, server and client certificates with EasyRSA and manually created the same certificates, ran slapd as root and tried with a python-ldap script.
[root@ldap1 openldap]# ldapwhoami -d 1 -H ldaps://<FQDN> -x ... connect success TLS trace: SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL_connect:SSLv3/TLS read server hello TLS trace: SSL_connect:TLSv1.3 read encrypted extensions TLS trace: SSL_connect:SSLv3/TLS read server certificate request TLS certificate verification: depth: 1, err: 0, subject: /C=NL/O=Example/OU=IT/CN=OpenLDAP-CA, issuer: /C=NL/O=Example/OU=IT/CN=OpenLDAP-CA TLS certificate verification: depth: 0, err: 0, subject: /C=NL/O=Example/OU=IT/CN=<FQDN>, issuer: /C=NL/O=Example/OU=IT/CN=OpenLDAP-CA TLS trace: SSL_connect:SSLv3/TLS read server certificate TLS trace: SSL_connect:TLSv1.3 read server certificate verify TLS trace: SSL_connect:SSLv3/TLS read finished TLS trace: SSL_connect:SSLv3/TLS write change cipher spec TLS trace: SSL_connect:SSLv3/TLS write client certificate TLS trace: SSL_connect:SSLv3/TLS write finished ... TLS trace: SSL3 alert read:fatal:unknown ldap_err2string ldap_result: Can't contact LDAP server (-1)
There is only one ldap.conf and it's in /etc/openldap:
BASE dc=example,dc=ldap URI ldaps://<FQDN> TLS_CACERT /etc/openldap/certs/openldap-CA.crt TLS_CERT /etc/openldap/certs/ldap-admin.crt TLS_KEY /etc/openldap/certs/ldap-admin.key TLS_REQCERT demand
Certificates (slapd runs with -u ldap):
[root@ldap1 certs]# ll /etc/openldap/certs total 20 -rw-r--r--. 1 root root 1980 21 jan 15:24 <FQDN>.crt -r--------. 1 ldap root 2484 21 jan 15:24 <FQDN>_nopass.key.crt -rw-r--r--. 1 root root 1984 21 jan 15:24 ldap-admin.crt -r--------. 1 patrick root 2484 21 jan 15:24 ldap-admin_nopass.key.crt -rw-r--r--. 1 root root 1952 21 jan 15:24 openldap-CA.crt
dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /run/openldap/slapd.args olcPidFile: /run/openldap/slapd.pid olcPasswordCryptSaltFormat: $6$%s olcLogLevel: -1 olcTLSCACertificateFile: /etc/openldap/certs/openldap-CA.crt olcTLSCertificateFile: /etc/openldap/certs/ldap-server.crt olcTLSCertificateKeyFile: /etc/openldap/certs/ldap-server.key olcTLSDHParamFile: /etc/pki/tls/certs/dhparam2048 olcTLSVerifyClient: demand
The certificates are attached (the keys have no password) plus the output of 'openssl x509 -text -noout -in <cert> > <cert>.txt'. The python script test.py that I used is also attached.
Thank you for any suggestions how to make this work or where to look.
Best, Patrick
--On Friday, January 21, 2022 4:05 PM +0100 patrick+openldap.org@laimbock.com wrote:
Hi,
I'm having trouble getting OpenLDAP 2.6.1 on AlmaLinux 8.5 to work with olcTLSVerifyClient=demand which results in: connection_read(11): TLS accept failure error=-1 id=1001, closing ... conn=1001 fd=11 closed (TLS negotiation failure). With olcTLSVerifyClient=try I get: error unable to get TLS client DN, error 49.
I tried various Google suggestions: check certificate permissions, SELinux AVCs (there are none), created CA, server and client certificates with EasyRSA and manually created the same certificates, ran slapd as root and tried with a python-ldap script.
I would suggest looking at test068, which explicitly tests client cert authentication and also examine the certs therein as to how a correctly structured client cert is formed.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org