openldap 2.4: olcTLSVerifyClient demand

I am running openLDAP 2.4.41 and trying to achieve client TLS certificate checking. I've configured TLS on the server side as follows.

    olcTLSCACertificateFile: /etc/pki/trust/anchors/rootCA.pem
    olcTLSCertificateKeyFile: /etc/openldap/openldap.key
    olcTLSCertificateFile: /etc/openldap/openldap.crt

TLS connection works well when olcTLSVerifyClient is set to try.

My client ldap.conf is the following (for testing simplicity I use the same cert both for the server and the client):

    TLS_CACERT /etc/pki/trust/anchors/rootCA.pem
    TLS_CACERTDIR /var/lib/ca-certificates/pem/
    TLS_CERT /etc/openldap/openldap.crt
    TLS_KEY /etc/openldap/openldap.key

Now, I am setting olcTLSVerifyClient: demand.

    > ldapsearch -d 1 -H ldaps:/// -v -x -D 'mydn' -w mysecret -b 'cn=log' -s base
    ldap_url_parse_ext(ldaps:///)
    ldap_initialize( ldaps://:636/??base )
    ldap_create
    ldap_url_parse_ext(ldaps://:636/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP localhost:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying ::1 636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 1, err: 0, subject: [SKIPPED]
    TLS certificate verification: depth: 0, err: 0, subject: [SKIPPED]
    TLS trace: SSL_connect:SSLv3 read server certificate A
    TLS trace: SSL_connect:SSLv3 read server certificate request A
    TLS trace: SSL_connect:SSLv3 read server done A
    TLS trace: SSL_connect:SSLv3 write client certificate A
    TLS trace: SSL_connect:SSLv3 write client key exchange A
    TLS trace: SSL_connect:SSLv3 write change cipher spec A
    TLS trace: SSL_connect:SSLv3 write finished A
    TLS trace: SSL_connect:SSLv3 flush data
    TLS trace: SSL3 alert read:fatal:handshake failure
    TLS trace: SSL_connect:failed in SSLv3 read server session ticket A
    TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

In the server logs I see the following:

    slap_listener_activate(8): >>> slap_listener(ldaps:///)
    connection_get(11): got connid=1021
    connection_read(11): checking for input on id=1021
    connection_get(11): got connid=1021
    connection_read(11): checking for input on id=1021
    connection_read(11): TLS accept failure error=-1 id=1021, closing
    connection_close: conn=1021 sd=11

How could I debug why client certificate checking doesn't work?


Category: openldap Time: 2016-07-31 Views: 0
Tags: openldap
