Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 09-19-2011, 11:42 PM   #1
Registered: Aug 2010
Posts: 69

Rep: Reputation: 1
TLS/SSl client certificate creation for LDAP.

I am doing Configuration of LDAP on Fedora-10 machines. One running as ldap server with openldap-2.4.26 and other with pam_ldap-186 and nss_ldap-265.

I have created the certificates using of openssl at the server side.

I followed the instruction given in the below link to create the certificates.

1. At the server side now i am able to do ldapsearch and ldapadd, as i have done the configuration in /usr/local/etc/openldap/ldap.conf.

BASE dc=samsung,dc=com
URI ldaps://localhost.localdomain/
TLS_CACERT /etc/pki/CA/cacert.pem

2.slapd.conf details for TLS are as follows

TLSCACertificatePath /etc/pki/CA/
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/misc/newkey.pem
TLSVerifyClient allow

3. I have copied the "cacert.pem" which is CA and "newcert.pem" which is my server certificate to the client machine. I have copied these files to /etc/openldap/cacerts directory on client machine. and I have made the following configuration changes to "/etc/ldap.conf" file at the client side.

base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cert /etc/openldap/cacerts/newcert.pem
pam_password md5
nss_map_attribute gecos description

When the "TLSVerifyClient allow" is specified in slapd.conf, I am able to login to the client machine properly, authentication is succesful. but when "TLSVerifyClient demand" and when I try to login to the client machine the authentication is failing.

I am getting the following error at the server side.

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATEeer did not return a certificate.
connection_read(12): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=12 for close
connection_close: conn=1005 sd=12
daemon: activity on 1 descriptor
daemon: activity on:
daemon: removing 12
conn=1005 fd=12 closed (TLS negotiation failure)

please let me know where i am making mistake? how can i correct this and make it work properly?

Thanks & Regards,
Vijay S.
Old 09-20-2011, 12:18 AM   #2
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,396

Rep: Reputation: 2395Reputation: 2395Reputation: 2395Reputation: 2395Reputation: 2395Reputation: 2395Reputation: 2395Reputation: 2395Reputation: 2395Reputation: 2395Reputation: 2395
You seem to be using outdated SW and info:

1. F10 hasn't been updated in years; currently on F15.
Note also that Fedora is RedHat's unstable R&D distro. For serious use, consider eg Centos - a free version of RHEL.

2. that article says
This patent expires in September of 2000, so after that
ie it was written at least 10 or 11 yrs ago, possibly longer

3. here is a good HOWTO of LDAP, inc SSL

just skip the RADIUS bit.

Old 09-20-2011, 09:35 PM   #3
Registered: Aug 2010
Posts: 69

Original Poster
Rep: Reputation: 1
Initially I tried the link which u have given below.
but it didn't work, it was giving error "Unknown CA".
That's why I followed the other link which i had given in my first post.

I have tested LDAP over SSL on fedora-10 for the below options successfully
2.over SSL with slapd.conf "TLSClientVerify allow"
3.over SSL with slapd.conf "TLSClientVerify never"

But when I am testing for SSL with slapd.conf "TLSClientVerify demand" it is failing.

I understood the certificate creation on Server but not getting how to create on client machine. I followed the same server steps at client side also. I created the certificate at client side, but it didn't work.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
FTP Client with SSL/TLS support Osten Linux - Software 11 05-29-2012 11:44 PM
open LDAP + TLS/SSL bind Failed. sheelavantar Linux - Server 6 09-19-2011 02:59 AM
How to import/use CAcert SSL root certificate to use SSL with Xchat IRC client? GrapefruiTgirl Linux - Software 9 04-05-2011 09:54 AM
Difference between TLS and SSL certificate the_gripmaster Linux - Security 2 06-15-2009 09:08 PM
Ldap replication using TLS/SSL jitender.rajpal Linux - Networking 0 10-18-2006 07:59 AM > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 09:56 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration