Matwey V. Kornilov wrote:

After inspecting source code I've just found that TLS_KEY and TLS_CERT are ignored if located in /etc/openldap/ldap.conf. Why does it not written in man ldap.conf(5) explicitly?

The ldap.conf(5) manpage says clearly "This is a user-only option."

I've spent two days of my precious life to dig it out.

Yes, not reading carefully is a sure way to waste time.

Now it works.

2016-08-06 16:07 GMT+03:00 Matwey V. Kornilov matwey.kornilov@gmail.com:

...

Hello,

I am running openldap 2.4.41 and I've failed to setup client certificate validation. TLS works well until olcTLSVerifyClient is set to demand. Then I see

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

at client side. And

connection_read(11): TLS accept failure error=-1 id=1021, closing

at the serveri side. So, I've configured /etc/openldap/ldap.conf as the following to provide client TLS certificate paths:

TLS_CACERT /path/to/myroot.pem TLS_CACERTDIR /var/lib/ca-certificates/pem/ TLS_CERT /path/to/my.crt TLS_KEY /path/to/my.key

However, when I run openssl s_server -Verify 0 -accept 636 ... I see the following:

ERROR 140680155473552:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3309: shutting down SSL CONNECTION CLOSED ACCEPT

So, this means that ldapsearch doesn't sent out its client certificate. I've also checked with strace tool that it even doesn't access certificate file.

So, I am little stuck here. I understand that I am doing something wrong, but I cannot figure out what.