LinuxQuestions.org
Old 09-20-2011, 12:42 AM   #1
sheelavantar
TLS/SSL client certificate creation for LDAP.


I am configuring LDAP on Fedora-10 machines: one running as the LDAP server with openldap-2.4.26 and the other with pam_ldap-186 and nss_ldap-265.

I have created the certificates using CA.sh of openssl at the server side.

I followed the instructions given in the link below to create the certificates.

http://octaldream.com/~scottm/talks/ssl/opensslca.html

1. At the server side I am now able to do ldapsearch and ldapadd, as I have done the configuration in /usr/local/etc/openldap/ldap.conf.

BASE dc=samsung,dc=com
URI ldaps://localhost.localdomain/
TLS_CACERT /etc/pki/CA/cacert.pem
TLS_CACERTDIR /etc/pki/CA/

2. slapd.conf details for TLS are as follows

TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificatePath /etc/pki/CA/
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/misc/newkey.pem
TLSVerifyClient allow

3. I have copied "cacert.pem", which is the CA certificate, and "newcert.pem", which is my server certificate, to the /etc/openldap/cacerts directory on the client machine, and I have made the following configuration changes to the "/etc/ldap.conf" file on the client side.

base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cert /etc/openldap/cacerts/newcert.pem
pam_password md5
nss_map_attribute gecos description


When "TLSVerifyClient allow" is specified in slapd.conf, I am able to log in to the client machine properly and authentication is successful, but with "TLSVerifyClient demand", when I try to log in to the client machine, the authentication fails.

I am getting the following error at the server side.

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate.
connection_read(12): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=12 for close
connection_close: conn=1005 sd=12
daemon: activity on 1 descriptor
daemon: activity on:
daemon: removing 12
conn=1005 fd=12 closed (TLS negotiation failure)


Please let me know where I am making a mistake. How can I correct this and make it work properly?

Thanks & Regards,
Vijay S.
 
Old 09-20-2011, 01:18 AM   #2
chrism01
You seem to be using outdated SW and info:

1. F10 hasn't been updated in years; Fedora is currently on F15.
Note also that Fedora is RedHat's unstable R&D distro. For serious use, consider eg Centos - a free version of RHEL.

2. that article says
Quote:
This patent expires in September of 2000, so after that
i.e. it was written at least 10 or 11 years ago, possibly longer.

3. Here is a good HOWTO on LDAP, including SSL:
http://www.linuxhomenetworking.com/w...DAP_and_RADIUS

Just skip the RADIUS bit.

HTH
 
Old 09-20-2011, 10:35 PM   #3
sheelavantar
Original Poster
Initially I tried the link which you have given above,
but it didn't work; it was giving the error "Unknown CA".
That's why I followed the other link which I had given in my first post.

I have tested LDAP over SSL on Fedora-10 successfully for the options below:
1. anonymous
2. over SSL with slapd.conf "TLSClientVerify allow"
3. over SSL with slapd.conf "TLSClientVerify never"

But when I test SSL with slapd.conf "TLSClientVerify demand", it fails.

I understood the certificate creation on the server but I am not getting how to create one on the client machine. I followed the same server steps on the client side as well. I created the certificate on the client side, but it didn't work.
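An added example, not part of any post in this thread, for the client-side step asked about in posts #1 and #3: it uses the openssl command line (the tool CA.sh wraps) to create a throwaway CA and a client certificate signed by it, then runs the two checks the client material must pass before a server set to "TLSVerifyClient demand" will accept it, namely that the certificate verifies against the CA file and that the private key matches the certificate. The CA and client names and the working directory are constructed for the demo; note that pam_ldap/nss_ldap need the key configured (tls_key) next to tls_cert, and the client ldap.conf in post #1 lists only tls_cert.

```shell
#!/bin/sh
# Added example (not from the thread): mint a demo CA and a client cert
# signed by it, then check the cert chains to the CA and the key matches.
# WORK and all CN values are constructed for this demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Self-signed CA: 2048-bit RSA, valid for 1 day (demo values)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-ldap-ca" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_client_cert() {
  # Client key and CSR, then sign the CSR with the CA from make_ca.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ldap-client.example" \
    -keyout "$WORK/clientkey.pem" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/clientcert.pem" 2>/dev/null
}

# check_chain CAFILE CERT: 0 when CERT verifies against CAFILE, 1 otherwise.
# This is the check slapd performs with TLSCACertificateFile when
# TLSVerifyClient is "demand"; failing it yields "unknown ca" alerts.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_keypair CERT KEY: 0 when KEY's public key equals the one in CERT.
# A client that cannot load a matching key sends no certificate at all,
# which is the "peer did not return a certificate" case in the log above.
check_keypair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

make_ca
make_client_cert
check_chain "$WORK/cacert.pem" "$WORK/clientcert.pem"
check_keypair "$WORK/clientcert.pem" "$WORK/clientkey.pem"
echo "client cert OK: $WORK/clientcert.pem with $WORK/clientkey.pem"
```

On a real client the resulting pair would be referenced by tls_cert and tls_key, with the CA file that signed the server and client certificates given as tls_cacertfile.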