Using SSL on slapd

Tags: openldap, ssl-certificate, tls

I am setting up slapd to use SSL on Fedora 14. I have the following in my /etc/openldap/slapd.d/cn=config.ldif:

olcTLSCACertificateFile: /etc/pki/tls/certs/SSL_CA_Bundle.pem
olcTLSCertificateFile: /etc/pki/tls/certs/mydomain.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/mydomain.key
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
olcTLSVerifyClient: demand

and the following in my /etc/sysconfig/ldap:

SLAPD_LDAP=no
SLAPD_LDAPS=yes

In my ldap.conf file, I have

BASE    dc=mydomain,dc=com
URI ldaps://localhost
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT allow

However, when I connect to localhost, ldapsearch returns the following:

ldap_initialize( <DEFAULT> )
ldap_create
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/pki/tls/certs/978601d0.0 from CA certificate directory /etc/pki/tls/certs.
TLS: loaded CA certificate file /etc/pki/tls/certs/b69d4130.0 from CA certificate directory /etc/pki/tls/certs.
TLS certificate verification: defer
TLS: error: connect - force handshake failure: errno 0 - moznss error -12271
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

What do I have incorrect?

Best Answer

Check your server logs, but I believe your problem lies with olcTLSVerifyClient: demand -- This is requiring that your client present a certificate to the server to authenticate itself during the handshake, and unless you have a certificate there (which is deemed acceptable by the server) you will not be allowed to connect.

You may also want to peruse this site (or this one) which has details on OpenLDAP & TLS (SSL) -- Your configuration is a bit different than the examples I'm familiar with.
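The following script is an added example, not part of the question or the answer above. It takes the three artifacts from the question (the client debug output, the TLS attributes from cn=config, and the client ldap.conf), embedded here as constructed sample text, and checks for exactly the mismatch the answer describes: the server's olcTLSVerifyClient is demand, while the client has no TLS_CERT/TLS_KEY to present. The moznss code -12271 is SSL_ERROR_BAD_CERT_ALERT in the Mozilla NSS error list (the peer sent a bad_certificate alert because it could not verify the client's certificate, or received none), which is what a client sees when a slapd that demands a certificate closes the handshake. The certificate and key paths in the remediation output are placeholders, and the error-name table covers only a handful of codes.

```shell
#!/bin/sh
# Added diagnostic script (not from the original question or answer).
# Inputs are constructed copies of the artifacts in the question.

# Constructed: the tail of the ldapsearch debug output from the question.
CLIENT_DEBUG="TLS certificate verification: defer
TLS: error: connect - force handshake failure: errno 0 - moznss error -12271
TLS: can't connect: .
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

# Constructed: the TLS attributes of cn=config from the question.
SERVER_CONFIG="olcTLSCACertificateFile: /etc/pki/tls/certs/SSL_CA_Bundle.pem
olcTLSCertificateFile: /etc/pki/tls/certs/mydomain.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/mydomain.key
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
olcTLSVerifyClient: demand"

# Constructed: the client ldap.conf from the question. It carries no
# TLS_CERT / TLS_KEY, so the client has nothing to present when asked.
CLIENT_CONF="BASE    dc=mydomain,dc=com
URI ldaps://localhost
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT allow"

# Constructed variant with a client certificate configured (placeholder paths).
CLIENT_CONF_WITH_CERT="$CLIENT_CONF
TLS_CERT /path/to/client-cert.pem
TLS_KEY /path/to/client-key.pem"

# Symbolic name for a Mozilla NSS ("moznss") error code logged by the client.
# -12271 is SSL_ERROR_BAD_CERT_ALERT: the peer sent a bad_certificate alert
# because it could not verify the certificate we presented (or we sent none).
nss_error_name() {
    case "$1" in
        -12271) echo "SSL_ERROR_BAD_CERT_ALERT" ;;
        -12286) echo "SSL_ERROR_NO_CYPHER_OVERLAP" ;;
        -12276) echo "SSL_ERROR_BAD_CERT_DOMAIN" ;;
        *)      echo "UNKNOWN($1)" ;;
    esac
}

# First "moznss error <code>" in the debug output; prints nothing if absent.
extract_nss_error() {
    printf '%s\n' "$1" | sed -n 's/.*moznss error \(-[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Effective olcTLSVerifyClient; slapd defaults to "never" when it is unset.
server_verify_client() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^olcTLSVerifyClient: *//p' | head -n 1)
    echo "${mode:-never}"
}

# True when the client config names both a certificate and a key to present.
client_has_cert() {
    printf '%s\n' "$1" | grep -q '^TLS_CERT[[:space:]]' &&
    printf '%s\n' "$1" | grep -q '^TLS_KEY[[:space:]]'
}

# Prints "client-cert-required" for the mismatch in the question, "ok" otherwise.
diagnose() {
    code=$(extract_nss_error "$1")
    mode=$(server_verify_client "$2")
    if [ "$code" = "-12271" ] && [ "$mode" = "demand" ] && ! client_has_cert "$3"; then
        echo "client-cert-required"
    else
        echo "ok"
    fi
}

# Fix A (keeps mutual TLS): give the client a certificate to present. TLS_CERT
# and TLS_KEY are user-only options, so they go in ~/.ldaprc rather than in
# /etc/openldap/ldap.conf. With an OpenSSL build they are file paths; with a
# Mozilla NSS build TLS_CERT is the certificate nickname in the database under
# TLS_CACERTDIR and TLS_KEY names the file holding the key database password.
client_ldaprc() {
    cat <<'EOF'
TLS_CERT /path/to/client-cert.pem
TLS_KEY  /path/to/client-key.pem
EOF
}

# Fix B (relaxes the server): request a certificate and verify it if offered,
# but still admit clients that have none. Apply with ldapmodify against cn=config.
relax_verify_client_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
EOF
}

main() {
    code=$(extract_nss_error "$CLIENT_DEBUG")
    echo "client error : $code $(nss_error_name "$code")"
    echo "server mode  : $(server_verify_client "$SERVER_CONFIG")"
    echo "diagnosis    : $(diagnose "$CLIENT_DEBUG" "$SERVER_CONFIG" "$CLIENT_CONF")"
    echo "--- fix A: ~/.ldaprc ---"; client_ldaprc
    echo "--- fix B: ldapmodify LDIF ---"; relax_verify_client_ldif
}
main
```

Which fix to pick is a policy decision: if the directory is meant to authenticate clients by certificate, keep demand and provision client certificates (fix A, plus slapd's log on the server side to confirm which certificate was rejected); if client certificates were never intended, try or allow keeps the handshake from failing for clients that have none while still validating any certificate that is offered.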