From: Egrama on 19 Apr 2010 05:07

Hi all,

I'm not sure if this is the best place to post this LDAP-related question, but I'll give it a try.

I managed to configure a Sun native LDAP client to use an OpenLDAP server using TLS and proxy authentication. I want to use the option "TLSVerifyClient demand" in slapd.conf: this means that each client connecting to the server via TLS has to present a certificate signed by a CA the server recognizes. (I have this working with Linux clients.)

I understood that the Solaris client keeps the certificate information and keys in /var/ldap/. I used certutil to obtain the keys in the following way:

1. certutil -N -P /var/ldap/ - create a new database
2. certutil -R -a -s "CN=ldapclient.domain.tld, O=...." -o /tmp/ldapclient.req - generate a cert request
3. openssl ca -policy policy_anything -out ldapclient.pem -infiles ldapclient.req - use the CA to sign the certificate
4. use certutil -A ... to add this signed certificate, the CA certificate and the LDAP server cert with the appropriate flags

Here is the output of certutil -L -d /var/ldap:

ldapclient.domain.tld    u,u,u
CAcert                   CT,,
ldapserver.domain.tld    P,,

However, the LDAP server refuses to authenticate the requests from ldapclient. I get:

TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2505

which is consistent with a wrong certificate.

If I remove the TLSVerifyClient option from the server config, everything works smoothly over TLS.

Can anybody help please?
Thanks,
Emil
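A note on the error quoted above, and an added example that is not part of the thread or of Sun's or OpenLDAP's code: OpenSSL raises "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate" when the client answers the server's CertificateRequest with an empty Certificate message, i.e. when no certificate was sent at all. A certificate that is sent but not trusted fails later, in chain verification, with a different error ("certificate verify failed" on the server, an "unknown ca" alert to the client). So the contents of the NSS database only matter once the client actually presents them. The script below separates the two questions: it builds a throwaway CA and three leaf certificates with openssl, then runs the checks that decide whether a presented certificate would satisfy "TLSVerifyClient demand" (chains to the trusted CA, and is usable as a TLS client certificate). The CN values, file names, the slapd.conf paths and the $WORK directory are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Sun/OpenLDAP): build a throwaway
# CA and three leaf certificates with openssl, then run the checks a server
# configured with "TLSVerifyClient demand" effectively performs on a client
# certificate once one has been presented. CN values, file names and $WORK
# are illustrative assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA with the extensions a trust anchor needs (basicConstraints
# CA:TRUE, keyCertSign), written explicitly so the result does not depend on
# the local openssl.cnf.
make_ca() {
    name="$1"; subj="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.req" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.req" \
        -signkey "$WORK/$name.key" -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Leaf certificate issued by CA $1 with extendedKeyUsage $4: the equivalent
# of the thread's certutil -R (CSR) and openssl ca (signing) steps.
issue_cert() {
    ca="$1"; name="$2"; subj="$3"; eku="$4"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.req" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" \
        > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.req" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

make_pki() {
    make_ca ca "/CN=Example LDAP CA"        # the CA slapd is told to trust
    issue_cert ca client "/CN=ldapclient.domain.tld" clientAuth
    issue_cert ca server "/CN=ldapserver.domain.tld" serverAuth
    make_ca other-ca "/CN=Unrelated CA"     # a CA slapd is NOT told to trust
    issue_cert other-ca rogue "/CN=rogue.domain.tld" clientAuth
}

# Check 1: does the certificate chain to the CA in TLSCACertificateFile, and
# is it usable as a TLS *client* certificate? This is the decision slapd
# makes after a certificate has actually been presented.
acceptable_client_cert() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

# Check 2: does the certificate carry the clientAuth EKU at all? A cert that
# chains correctly but was issued for serverAuth only is still rejected.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# Server-side fragment for slapd.conf (paths are illustrative). With
# "demand", a client that sends no certificate is rejected before any bind.
write_slapd_fragment() {
    cat > "$WORK/slapd-tls.conf" <<EOF
TLSCACertificateFile  /etc/openldap/cacerts/ca.pem
TLSCertificateFile    /etc/openldap/certs/ldapserver.pem
TLSCertificateKeyFile /etc/openldap/certs/ldapserver.key
TLSVerifyClient       demand
EOF
}

verdict() {
    if acceptable_client_cert "$WORK/$1.pem"; then echo "$1.pem: accepted"
    else echo "$1.pem: rejected"; fi
}

make_pki
write_slapd_fragment
verdict client    # accepted
verdict server    # rejected: extendedKeyUsage is serverAuth only
verdict rogue     # rejected: not signed by the CA in ca.pem
```

To see which of the two failures a real server is reporting, connect with openssl s_client and watch the slapd log: `openssl s_client -connect ldapserver.domain.tld:636 -CAfile ca.pem -cert client.pem -key client.key` presents the certificate, and the same command without `-cert`/`-key` reproduces the "peer did not return a certificate" line exactly, independent of what is in the NSS database.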
From: Egrama on 1 May 2010 03:18

I opened a support call with Sun. According to them the client does not have the ability to authenticate itself to the server. I will use proxy authentication.