I am doing configuration of LDAP on Fedora 10 machines: one running as LDAP server with openldap-2.4.26 and the other with pam_ldap-186 and nss_ldap-265.
I have created the certificates using CA.sh of openssl at the server side.
I followed the instructions given in the link below to create the certificates.
http://octaldream.com/~scottm/talks/ssl/opensslca.html
1. At the server side I am now able to do ldapsearch and ldapadd, since I have done the configuration in /usr/local/etc/openldap/ldap.conf.
BASE dc=samsung,dc=com
URI ldaps://localhost.localdomain/
TLS_CACERT /etc/pki/CA/cacert.pem
TLS_CACERTDIR /etc/pki/CA/
2. slapd.conf details for TLS are as follows:
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificatePath /etc/pki/CA/
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/misc/newkey.pem
TLSVerifyClient allow
3. I have copied "cacert.pem", which is the CA certificate, and "newcert.pem", which is my server certificate, to the client machine, into the /etc/openldap/cacerts directory. And I have made the following configuration changes to the "/etc/ldap.conf" file at the client side.
base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cert /etc/openldap/cacerts/newcert.pem
pam_password md5
nss_map_attribute gecos description
When "TLSVerifyClient allow" is specified in slapd.conf, I am able to log in to the client machine properly and authentication is successful. But with "TLSVerifyClient demand", when I try to log in to the client machine, the authentication fails.
I am getting the following error at the server side.
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate.
connection_read(12): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=12 for close
connection_close: conn=1005 sd=12
daemon: activity on 1 descriptor
daemon: activity on:
daemon: removing 12
conn=1005 fd=12 closed (TLS negotiation failure)
Please let me know where I am making a mistake. How can I correct this and make it work properly?
Thanks & Regards,
Vijay S.
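The slapd trace above is explicit about what failed: with TLSVerifyClient demand the server required a client certificate and the peer sent none. libldap (which pam_ldap and nss_ldap use) only presents a client certificate when both a certificate file and its private key file are configured, i.e. tls_cert together with tls_key in /etc/ldap.conf. The script below is an added example, not code from the original post or from OpenLDAP/nss_ldap: it parses a pam_ldap/nss_ldap style ldap.conf, flags a tls_cert that has no tls_key beside it, checks that the referenced files contain a certificate and a private key PEM block, and maps the posted slapd trace lines to a client-side cause. The file contents and the /etc/openldap/cacerts/newkey.pem path are constructed placeholders for the example; it does not verify that the client certificate chains to the server's TLSCACertificateFile, which needs a real certificate parser.

```python
"""Added example (not from the original post): lint a pam_ldap/nss_ldap style
/etc/ldap.conf for the settings libldap needs before it presents a client
certificate, and explain slapd's "peer did not return a certificate" trace.
PEM contents and newkey.pem path below are constructed placeholders."""
import re

PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]+)-----")

# Client configuration as posted above (tls_cert without tls_key).
POSTED_CONF = """\
base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cert /etc/openldap/cacerts/newcert.pem
pam_password md5
nss_map_attribute gecos description
"""

# Same configuration with the matching private key added (hypothetical path).
FIXED_CONF = POSTED_CONF + "tls_key /etc/openldap/cacerts/newkey.pem\n"

# Constructed stand-ins for the files on the client so the check runs offline.
FILES = {
    "/etc/openldap/cacerts/cacert.pem":
        "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "/etc/openldap/cacerts/newcert.pem":
        "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
    "/etc/openldap/cacerts/newkey.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
}

# The server-side lines quoted in the post.
SLAPD_TRACE = [
    "TLS trace: SSL3 alert write:fatal:handshake failure",
    "TLS trace: SSL_accept:error in SSLv3 read client certificate B",
    "TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:"
    "peer did not return a certificate.",
]


def parse_ldap_conf(text):
    """Parse 'key value' lines; keys are case-insensitive, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def pem_labels(data):
    """Set of PEM block labels (CERTIFICATE, RSA PRIVATE KEY, ...) in a file."""
    return set(PEM_HEADER.findall(data))


def lint_client_tls(conf, files):
    """Return a list of findings; empty means the client is configured to
    present a certificate. `files` maps path -> contents (constructed here)."""
    findings = []
    uses_tls = (conf.get("uri", "").startswith("ldaps://")
                or conf.get("ssl", "").lower() in ("on", "start_tls"))
    if uses_tls and "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("no tls_cacertfile or tls_cacertdir: server certificate "
                        "cannot be verified")

    cert, key = conf.get("tls_cert"), conf.get("tls_key")
    if cert and not key:
        findings.append("tls_cert without tls_key: libldap presents no client "
                        "certificate, so TLSVerifyClient demand fails the handshake")
    if key and not cert:
        findings.append("tls_key without tls_cert: no certificate to present")

    checks = (
        ("tls_cert", cert, lambda l: l in ("CERTIFICATE", "TRUSTED CERTIFICATE"),
         "certificate"),
        ("tls_key", key, lambda l: l.endswith("PRIVATE KEY"), "private key"),
    )
    for option, path, accept, wanted in checks:
        if not path:
            continue
        if path not in files:
            findings.append(f"{option} {path}: file not found")
        elif not any(accept(label) for label in pem_labels(files[path])):
            findings.append(f"{option} {path}: no {wanted} PEM block")
    return findings


def explain_slapd_trace(lines):
    """Map OpenSSL/slapd TLS trace text to the client-side cause, or None."""
    for line in lines:
        if "peer did not return a certificate" in line:
            return "client sent no certificate: check tls_cert and tls_key on the client"
        if "unknown ca" in line or "certificate verify failed" in line:
            return "client certificate not signed by a CA the server trusts"
    return None


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_client_tls(parse_ldap_conf(text), FILES) or "ok")
    print(explain_slapd_trace(SLAPD_TRACE))
```

Run against the posted configuration the only finding is the missing tls_key; with a key file configured beside the certificate the lint is clean. Whatever the lint says, the certificate the client presents still has to be signed by a CA listed in the server's TLSCACertificateFile for demand to succeed.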