I did set up an OpenLDAP server with PAM authentication against it.
In clear text it works very well, but when I try to add SSL it always fails.
I'm following this guide to get it working:
http://kidrek.fr/blog/?p=30
I'm doing this on a Debian lenny system.
In my logs I can see:
Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): checking for input on id=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): unable to get TLS client DN, error=49 id=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_get(13): got connid=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): checking for input on id=14
Sep 9 17:00:48 Hostname slapd[3231]: ber_get_next on fd 13 failed errno=0 (Success)
Sep 9 17:00:48 Hostname slapd[3231]: connection_closing: readying conn=14 sd=13 for close
Sep 9 17:00:48 Hostname slapd[3231]: connection_close: conn=14 sd=13
On the client side:
Sep 9 17:00:47 Hostname id: nss_ldap: could not search LDAP server – Server is unavailable
Sep 9 17:00:47 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local – Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: reconnecting to LDAP server…
Sep 9 17:00:47 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local – Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)…
Sep 9 17:00:48 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local – Can't contact LDAP server
Sep 9 17:00:48 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:48 Hostname id: nss_ldap: could not search LDAP server – Server is unavailable
Also, in my slapd.conf I have:
TLSVerifyClient never
Any ideas on this?
Thanks in advance,
Best Answer
It seems you're trying to use client-side SSL instead of server-side; the client identifies itself using a certificate rather than a password.
Do note that the OpenLDAP SSL implementation is rather tricky - it took me quite a while to figure out that it reads its SSL certs AFTER it drops privileges, so the SSL certs need to have read permissions for the OpenLDAP user...
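A small check for the permission problem the answer describes, added here as an example and not part of the original post: it reads the TLS file directives out of slapd.conf and reports whether the unprivileged slapd user could still open each file after the privilege drop. The config path /etc/ldap/slapd.conf, the run-as user "openldap" and the sample config fragment are assumptions (Debian defaults / constructed), not values from the question.

```python
import grp
import os
import pwd
import re
import stat

# Constructed sample slapd.conf fragment for testing (not the poster's real config).
SAMPLE_CONF = """\
TLSCACertificateFile  /etc/ssl/certs/ca.crt
TLSCertificateFile    /etc/ssl/certs/ldap.crt
TLSCertificateKeyFile /etc/ssl/private/ldap.key
TLSVerifyClient never
"""

TLS_FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")


def tls_files_from_config(text):
    """Return {directive: path} for the TLS file directives found in slapd.conf text."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(TLS\w+)\s+(\S+)", line)
        if m and m.group(1) in TLS_FILE_DIRECTIVES:
            found[m.group(1)] = m.group(2)
    return found


def readable_by(mode, file_uid, file_gid, uid, gids):
    """POSIX mode-bit check: can a user with uid/gids read the file? (owner bits win,
    then group bits, then other; root always can). Parent-directory x bits are ignored."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_slapd_tls_perms(config_path="/etc/ldap/slapd.conf", run_user="openldap"):
    """Return [(directive, path, readable)] for every TLS file slapd would open as run_user."""
    pw = pwd.getpwnam(run_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if run_user in g.gr_mem}
    with open(config_path) as fh:
        files = tls_files_from_config(fh.read())
    report = []
    for directive, path in files.items():
        try:
            st = os.stat(path)
            ok = readable_by(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
        except FileNotFoundError:
            ok = False  # a missing file fails the same way an unreadable one does
        report.append((directive, path, ok))
    return report


if __name__ == "__main__":
    for directive, path, ok in check_slapd_tls_perms():
        print(f"{'OK ' if ok else 'BAD'} {directive} {path}")
```

Run it as root on the server; any line marked BAD is a file slapd will fail to read once it has switched to the openldap user, which is the situation the answer describes.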