I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to setup LDAPS when using a self-signed server certificate: root@baneling:~# slapcat -H ldap:///cn=config??base dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 0e827846-3926-1033-9f74-632898b715c9 creatorsName: cn=config createTimestamp: 20140306025210Z olcTLSCertificateFile: /etc/ssl/certs/ldap.harmonywave.com.crt olcTLSCertificateKeyFile: /etc/ssl/private/ldap.harmonywave.com.key olcTLSCipherSuite: SECURE256 olcTLSVerifyClient: never entryCSN: 20140308131751.026022Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140308131751Z This works fine and I'm able to authenticate clients. However if I use a CA certificate (again, being my own CA) to sign my server certificate and then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile then I can no longer authenticate. I've installed my CA certificate on the client machine and pointed both ldap.conf and nslcd.conf to the CA certificate. However I get the following when debugging: root@baneling:~# slapd -d conns -h ldaps:/// 531b1cef @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $ root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd 531b1cf0 slapd starting 531b1cf0 daemon: added 3r listener=(nil) 531b1cf0 daemon: added 6r listener=0x7fe2d98326e0 531b1cf0 daemon: added 7r listener=0x7fe2d98327c0 531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf0 daemon: activity on 1 descriptor 531b1cf0 daemon: activity on:531b1cf0 531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 busy 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: listen=6, new connection on 12 531b1cf4 daemon: added 12r (active) listener=(nil) 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 12r531b1cf4 531b1cf4 daemon: read active on 12 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 12r531b1cf4 531b1cf4 daemon: read active on 12 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero TLS: can't accept: The peer did not send any certificate.. 531b1cf4 connection_closing: readying conn=1000 sd=12 for close 531b1cf4 daemon: removing 12 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 Why would the client not send the certificate if I've pointed TLS_CACERT in ldap.conf and tls_cacertfile to that cert? Maybe I'm misunderstanding the basic concepts here, I am pretty new to a lot of this. I'm using OpenLDAP 2.4.31, Debian 7, and GnuTLS. Yes, I'm aware of its recent critical security bug and the warnings against it from this group ( http://www.openldap.org/lists/openldap-devel/200802/msg00072.html). Thanks, Joshua

> did you read the description of this setting in man 5 slapd-config?

On Mar 8, 2014, at 08.50, Joshua Schaeffer <jschaeffer0922(a)gmail.com&gt; wrote: > I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to setup LDAPS when using a self-signed server certificate: please use ldap+starttls, not ldaps. > This works fine and I'm able to authenticate clients. However if I use a CA certificate (again, being my own CA) to sign my server certificate and then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile then I can no longer authenticate. I've installed my CA certificate on the client machine and pointed both ldap.conf and nslcd.conf to the CA certificate. However I get the following when debugging: why are you setting olcTLSVerifyClient when changing from a self signed cert to a properly signed cert? did you read the description of this setting in man 5 slapd-config? it has nothing to do with use of a self-signed vs a regular cert. be methodical when doing an exercise like this. first switch from your self signed cert to your proper cert. test. then, modify olcTLSVerifyClient and see what happens. > Why would the client not send the certificate if I've pointed TLS_CACERT in ldap.conf and tls_cacertfile to that cert? TLS_CACERT and tls_cacertfile point to the ca cert. why would this cert be sent anywhere by the client? the server already has this cert. those settings allow the client to establish a chain of trust to the certificate presented by the server. it’s a “bootstrapping” mechanism, so to speak. you tell the client [by way of those settings] to implicitly trust, no questions asked, certain ca certificates. then when the client is presented a certificate by a server, it can be deemed “trustworthy”, even though it had no prior knowledge of this particular cert. -ben