Hi,

I use TLS for LDAP clients to authenticate the LDAP server. I've created a self-signed CA as well as the server certificate with openssl. The CA is known on the client side (aka: TLS_CACERT in ldap.conf).

Since I'm using multimaster mode, I also have been able to tell the servers to authenticate between them for synchronisation (starttls=yes and tls_cacert=/.../CA.crt in olcSyncrepl) --> OK: all this works fine for me.

I now try to bind openldap using a user certificate (with a subject appropriately matching the user LDAP entry, and signed with the same CA that is also known by the server (aka: olcTLSCACertificateFile)). I have told the server to attempt to verify the client (olcTLSVerifyClient: try) and I have declared my user certificate files in my ~/.ldaprc:

TLS_CERT /home/olivier/certs/my.crt
TLS_KEY /home/olivier/certs/my.key

Result: I don't manage to bind the server (I tried ldapsearch -ZZZ -Y external). Where am I wrong?

Note: On the server side, I don't manage to see the TLS transactions in the logs; is there any loglevel one could recommend? On the client side, I don't see my certificates being read by ldapsearch (aka: ldapsearch -d1).

Any help? Thanks

---
Olivier
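An offline check of the client-side material the mail describes (CA.crt, my.crt, my.key), added here as an example and not part of Olivier's post or of OpenLDAP itself: it verifies that the user certificate chains to the CA slapd trusts, that TLS_KEY really is the private key for TLS_CERT, and prints the subject in RFC 2253 order, the form in which slapd presents the certificate subject as the SASL EXTERNAL identity (compare with `ldapwhoami -ZZ -Y EXTERNAL`). It assumes `openssl` is on PATH; the key-permission warning is hygiene added by the example, not an OpenLDAP requirement.

```shell
#!/bin/sh
# Offline checks for the client-certificate material from the post.
# Usage: check_client_cert CA.crt my.crt my.key ; client_cert_dn my.crt
# Returns 0 when the certificate chains to the CA and the key matches it.
check_client_cert() {
  ca="$1" crt="$2" key="$3"
  # 1. The user cert must chain to the CA that slapd trusts
  #    (olcTLSCACertificateFile); otherwise slapd cannot verify the client.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "$crt does not chain to $ca" >&2
    return 1
  fi
  # 2. TLS_KEY must be the private key for TLS_CERT, or the handshake
  #    fails before any bind is attempted. Compare the public halves.
  if [ "$(openssl x509 -noout -pubkey -in "$crt")" != "$(openssl pkey -pubout -in "$key")" ]; then
    echo "$key does not match $crt" >&2
    return 1
  fi
  # 3. Hygiene only (assumption, not an OpenLDAP requirement): warn when the
  #    private key is readable by group or others.
  case "$(ls -l "$key" | cut -c5-10)" in
    *r*) echo "warning: $key is readable by group/others" >&2 ;;
  esac
  return 0
}

# Print the subject in RFC 2253 order (most specific RDN first). This is the
# DN string slapd derives from the certificate for SASL EXTERNAL; it has to be
# mapped to the user's entry (for example via olcAuthzRegexp) for the bind to
# end up as that user.
client_cert_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}
```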
