Windl, Ulrich wrote:
> Hi!
>
> I'm trying to convert our syncrepl configuration using plain authentication
> over TLS to external authentication using a user certificate.
>
> It almost works, but slapd is reporting connection_read(11): TLS accept
> failure error=-1 id=1002, closing and conn=1002 fd=11 closed (TLS
> negotiation failure) while I can connect using the certificate and peer
> with openssl s_client
Run slapd with debug output, -d -1.
>
> Openssl reports:
Nothing relevant.
>
> Somehow I suspect that the certificate being a user certificate (DN mapped to
> a user entry) is not acceptable in syncrepls tls_cert; can anybody confirm?
No. Any certificate can be used, and if it is signed by a trusted CA then it is
valid regardless of DN mapping.
> The problem is that I'd like to trust a user certificate more than a host
> certificate for replication.
>
> And if I'd use a host certificate, how could I authenticate the user being
> used to get the changes?
>
> I looked a lot around using popular search engines, but could not find a
> useful example that is complete enough.
>
> Let me remark at this point that the description of tls_reqsan is quite poor
> in slapd-config(5); it was not obvious to me that it's about Subject
> Alternate Name.
SAN is the well known abbreviation of Subject Alternative Name. This is
standard X.509 terminology.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
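The setup discussed in this thread (a syncrepl consumer authenticating to the provider with a client certificate over SASL EXTERNAL, the provider trusting the CA and mapping the certificate subject to an entry) as a worked slapd.conf fragment. This is an added illustration, not configuration posted by either participant; the hostnames, file paths, the `dc=example,dc=com` suffix, the `cn=replicator` identity and the certificate subject in the authz-regexp are assumed placeholders, and the CA/cert files are assumed to already exist.

```conf
# ---------- provider side (slapd.conf syntax) ----------
# Server identity plus the CA that issued the consumer's user certificate.
TLSCACertificateFile    /etc/openldap/certs/ca.crt          # assumed path
TLSCertificateFile      /etc/openldap/certs/provider.crt    # assumed path
TLSCertificateKeyFile   /etc/openldap/certs/provider.key    # assumed path
# "try": a client that presents a certificate must present a valid one
# (chain to the CA above), otherwise the TLS handshake is rejected;
# clients without a certificate may still connect and bind some other way.
# With "allow" a failed verification is silently ignored and no SASL
# EXTERNAL identity is established, which shows up as "no such user" rather
# than a TLS failure.
TLSVerifyClient         try

# For SASL EXTERNAL slapd uses the certificate subject DN (in LDAP string
# form) as the authentication identity. If the certificate subject already
# equals an entry DN in the directory, no mapping is needed. Otherwise map
# it onto the user entry; the regex below assumes the certificates are
# issued with subjects like "cn=replicator,ou=certs,dc=example,dc=com".
authz-regexp
        "^cn=([^,]+),ou=certs,dc=example,dc=com$"
        "ldap:///dc=example,dc=com??sub?(cn=$1)"

# Grant the mapped replication identity read access; everyone else falls
# through to the remaining ACLs ("break").
access to *
        by dn.exact="cn=replicator,ou=people,dc=example,dc=com" read
        by * break

# ---------- consumer side (slapd.conf syntax) ----------
syncrepl rid=001
        provider=ldaps://provider.example.com        # assumed hostname
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=sasl
        saslmech=EXTERNAL
        tls_cert=/etc/openldap/certs/replicator.crt  # the user certificate
        tls_key=/etc/openldap/certs/replicator.key
        tls_cacert=/etc/openldap/certs/ca.crt        # CA that signed the provider cert
        tls_reqcert=demand                           # provider cert must verify
        tls_reqsan=demand                            # hostname must match a SAN entry

# Troubleshooting, as suggested in the thread: start the provider with full
# debug output and watch the TLS handshake for the failing connection id.
#   slapd -d -1 -h "ldaps:///" -f /etc/openldap/slapd.conf
# The consumer-side view of the same handshake can be reproduced with:
#   openssl s_client -connect provider.example.com:636 \
#       -CAfile ca.crt -cert replicator.crt -key replicator.key
```

Two things follow from Howard's answer: the provider does not care whether the certificate was issued as a "user" or "host" certificate, only that it chains to a CA in TLSCACertificateFile; and the per-entry trust the original poster wants comes from the authz-regexp/ACL pair on the provider, not from the certificate type. A TLS-level accept failure, as quoted at the top of the thread, is therefore a chain or SAN/hostname verification problem to be read from the `-d -1` output, whereas a wrong mapping would let the handshake complete and fail later at bind time.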