Rogov Stepan <[email protected]> writes:

> Hi there!
>
> I have openldap 2.4.21. I configured it with ssl(ldaps) and
> "TLSVerifyClient demand".
>
> On the client side file /etc/openldap/ldap.conf contains the following:
> TLS_CACERT /etc/ssl/servercert.ca.crt
> TLS_CERT /etc/openldap/client.crt
> TLS_KEY /etc/openldap/client.key
>
> But samba and ldap-standard tools (e.g. ldapsearch) don't connect to
> ldap-server:
> TLS trace: SSL3 alert read: fatal: handshake failure
> TLS trace: SSL_connect: failed in SSLv3 read finished A
> TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:
> sslv3 alert handshake failure.
> ldap_err2string
> ldap_sasl_bind (SIMPLE): Can't contact LDAP server (-1)
>
> If you save the content of /etc/openldap/ldap.conf in ~/.ldaprc or use
> variables $LDAP<uppercase option name>, then everything works fine.
> I assume that options TLS_CERT and TLS_KEY aren't read from
> /etc/openldap/ldap.conf. Correspondingly the server cannot verify
> client certificates.
> But the manual says:
> "Thus the following files and variables are read, in order:
> variable $LDAPNOINIT, and if that is not set:
> system file /etc/openldap/ldap.conf,
> user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc,
> system file $LDAPCONF,
> user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
> variables $LDAP<uppercase option name>.
> Settings late in the list override earlier ones."
If you read ldap.conf(5) carefully you will read:

"Some options are user-only. Such options are ignored if present in the
ldap.conf (or file specified by LDAPCONF)."

And it is logical that TLS_CERT and TLS_KEY are not global configuration
parameters but only user-specific parameters.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
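The failure in this thread is easy to reproduce and hard to spot from the TLS trace alone: TLS_CERT and TLS_KEY placed in the system-wide file are silently dropped, so the client never offers a certificate and the server, with "TLSVerifyClient demand", aborts the handshake. The script below is an added example, not part of the thread or of OpenLDAP: it lints an ldap.conf-style file for the two user-only options named in the thread, and splits such a file into the part libldap honours system-wide and the part that belongs in $HOME/.ldaprc. The sample configuration it writes is constructed to mirror the one posted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: lint a system-wide ldap.conf for
# user-only options. Per ldap.conf(5), TLS_CERT and TLS_KEY are user-only:
# libldap ignores them in /etc/openldap/ldap.conf (or $LDAPCONF) and only
# honours them in $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc or the
# LDAPTLS_CERT / LDAPTLS_KEY environment variables. The list below holds
# only the two options named in the thread; extend it from your ldap.conf(5).
set -f   # no globbing: option values are split into words, never expanded

USER_ONLY_OPTIONS="TLS_CERT TLS_KEY"

# Succeed if LINE sets a user-only option. Blank lines and comments fail;
# option names are matched case-insensitively, as libldap does.
is_user_only_line() {
    set -- $1                       # word-split: $1 is the option keyword
    [ $# -gt 0 ] || return 1
    case $1 in '#'*) return 1 ;; esac
    opt=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    for u in $USER_ONLY_OPTIONS; do
        [ "$opt" = "$u" ] && return 0
    done
    return 1
}

# Print every user-only line of FILE, verbatim.
user_only_options_in() {
    while IFS= read -r line || [ -n "$line" ]; do
        is_user_only_line "$line" && printf '%s\n' "$line"
    done < "$1"
    return 0
}

# Print the number of user-only lines in FILE.
count_user_only_options() {
    user_only_options_in "$1" | wc -l | tr -d '[:space:]'
}

# Return 0 if FILE is a sound system-wide config (no user-only options),
# 1 otherwise, with a diagnostic on stderr.
check_system_ldapconf() {
    found=$(user_only_options_in "$1")
    [ -z "$found" ] && return 0
    printf '%s: these options are user-only and are ignored here:\n' "$1" >&2
    printf '%s\n' "$found" | sed 's/^/    /' >&2
    printf 'Move them to $HOME/.ldaprc or set LDAPTLS_CERT / LDAPTLS_KEY.\n' >&2
    return 1
}

# Split SRC into SYS_OUT (lines libldap honours system-wide) and USER_OUT
# (user-only lines, ready to drop into $HOME/.ldaprc).
split_ldapconf() {
    : > "$2"; : > "$3"
    while IFS= read -r line || [ -n "$line" ]; do
        if is_user_only_line "$line"; then
            printf '%s\n' "$line" >> "$3"
        else
            printf '%s\n' "$line" >> "$2"
        fi
    done < "$1"
}

# Demo on a constructed copy of the configuration posted in the thread.
demo=$(mktemp -d)
cat > "$demo/ldap.conf" <<'EOF'
# constructed sample mirroring the thread's /etc/openldap/ldap.conf
TLS_CACERT /etc/ssl/servercert.ca.crt
TLS_CERT /etc/openldap/client.crt
TLS_KEY /etc/openldap/client.key
EOF
check_system_ldapconf "$demo/ldap.conf" || {
    split_ldapconf "$demo/ldap.conf" "$demo/ldap.conf.fixed" "$demo/ldaprc"
    echo "--- keep in /etc/openldap/ldap.conf:"; cat "$demo/ldap.conf.fixed"
    echo "--- move to \$HOME/.ldaprc:";           cat "$demo/ldaprc"
}
rm -rf "$demo"
```

Run against the real system file with `check_system_ldapconf /etc/openldap/ldap.conf`; a non-zero exit means the client certificate settings are in a place where libldap will never read them, which matches the symptom in the thread (works from ~/.ldaprc or LDAPTLS_* variables, fails from the system file).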
