I am doing Configuration of LDAP on Fedora-10 machines. One running as ldap server with openldap-2.4.26 and other with pam_ldap-186 and nss_ldap-265.

I have created the certificates using CA.sh of openssl at the server side.

I followed the instruction given in the below link to create the certificates.

http://octaldream.com/~scottm/talks/ssl/opensslca.html

1. At the server side now i am able to do ldapsearch and ldapadd, as i have done the configuration in /usr/local/etc/openldap/ldap.conf.

BASE dc=samsung,dc=com
URI ldaps://localhost.localdomain/
TLS_CACERT /etc/pki/CA/cacert.pem
TLS_CACERTDIR /etc/pki/CA/

2.slapd.conf details for TLS are as follows

TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificatePath /etc/pki/CA/
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/misc/newkey.pem
TLSVerifyClient allow

3. I have copied the "cacert.pem" which is CA and "newcert.pem" which is my server certificate to the client machine. I have copied these files to /etc/openldap/cacerts directory on client machine. and I have made the following configuration changes to "/etc/ldap.conf" file at the client side.

base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cert /etc/openldap/cacerts/newcert.pem
pam_password md5
nss_map_attribute gecos description


When the "TLSVerifyClient allow" is specified in slapd.conf, I am able to login to the client machine properly, authentication is succesful. but when "TLSVerifyClient demand" and when I try to login to the client machine the authentication is failing.

I am getting the following error at the server side.

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATEeer did not return a certificate.
connection_read(12): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=12 for close
connection_close: conn=1005 sd=12
daemon: activity on 1 descriptor
daemon: activity on:
daemon: removing 12
conn=1005 fd=12 closed (TLS negotiation failure)


please let me know where i am making mistake? how can i correct this and make it work properly?

Thanks & Regards,
Vijay S.

You seem to be using outdated SW and info:

1. F10 hasn't been updated in years; currently on F15.
Note also that Fedora is RedHat's unstable R&D distro. For serious use, consider eg Centos - a free version of RHEL.

2. that article says
ie it was written at least 10 or 11 yrs ago, possibly longer

3. here is a good HOWTO of LDAP, inc SSL
http://www.linuxhomenetworking.com/w...DAP_and_RADIUS

just skip the RADIUS bit.

HTH

Initially I tried the link which u have given below.
but it didn't work, it was giving error "Unknown CA".
That's why I followed the other link which i had given in my first post.

I have tested LDAP over SSL on fedora-10 for the below options successfully
1.anonymous
2.over SSL with slapd.conf "TLSClientVerify allow"
3.over SSL with slapd.conf "TLSClientVerify never"

But when I am testing for SSL with slapd.conf "TLSClientVerify demand" it is failing.

I understood the certificate creation on Server but not getting how to create on client machine. I followed the same server steps at client side also. I created the certificate at client side, but it didn't work.