[Samba] TLSVerifyClient demand or try

Peter Nyberg Peter.Nyberg at dbb.su.se
Tue Mar 8 08:45:10 GMT 2005




Quoting Gavin Henry <ghenry at suretecsystems.com>:

> <quote who="Peter Nyberg">
> > Quoting Gavin Henry <ghenry at suretecsystems.com>:
> >
> >> Hi,
> >>
> >> ldapsearch, using -ZZ, requires -h ldap.yourhost.com, hence:
> >
> >
> > Hi and thanks for your answer.
> > Of course I did the following
> > ldapsearch -x -ZZ -b 'dc=dbb,dc=su,dc=se' '(objectclass=*)'
> > ldap_bind: Can't contact LDAP server (81)
> > And I tried:
> > ldapsearch -x -ZZ -h s2.dbb.su.se '(objectclass=*)'
> > ldap_bind: Can't contact LDAP server (81)
> >
> > If I change to "TLSVerifyClient allow" I get in the end:
> > ldapsearch -x -ZZ -b 'dc=dbb,dc=su,dc=se' '(objectclass=*)'
> >
> > Output ends with:
> > # testuser1, Users, dbb.su.se
> > dn: uid=testuser1,ou=Users,dc=dbb,dc=su,dc=se
> > objectClass: top
> 
> > ldapsearch -x -ZZ -h s2.dbb.su.se '(objectclass=*)'
> >
> > Output ends with:
> > # testuser1, Users, dbb.su.se
> > dn: uid=testuser1,ou=Users,dc=dbb,dc=su,dc=se
> 
> Do you have the cacert installed on the clients?
> 
> I never use the TLSVerifyClient option, but according to:
> 
> http://www.openldap.org/doc/admin22/tls.html
> 
> with the allow option, if the client doesn't have the cert installed, the
> search proceeds as normal, but you must have, as a -ZZ option, only
> returns results on a successful search.
> 
> 
Thanks again!
I did the ldapsearch on my server. Doesn't ldapsearch use /etc/ldap/ldap.conf?
If I use "TLSVerifyClient allow" and change the FQDN to localhost instead, I get
a certificate error:
ldap.conf
##HOST s2.dbb.su.se
HOST 127.0.0.1 
BASE dc=dbb,dc=su,dc=se

rootbinddn cn=nssldap,ou=DSA,dc=dbb,sc=su,dc=se

nss_base_passwd         dc=dbb,dc=su,dc=se?sub
nss_base_shadow         dc=dbb,dc=su,dc=se?sub
nss_base_group          ou=Groups,dc=dbb,dc=su,dc=se?one

pam_password md5

tls_checkpeer yes
TLS_CACERT /etc/ldap/ca.pem
TLS_REQCERT demand
ssl start_tls
tls_cert /etc/nss/nssldap.pem
tls_key /etc/nss/nssldap.key

ldapsearch -x -ZZ -b 'dc=dbb,dc=su,dc=se' '(objectclass=*)' -d 1
ends up with:

TLS: hostname (127.0.0.1) does not match common name in certificate (s2.dbb.su.se).
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: TLS: hostname does not match CN in peer certificate

But if I use your suggestion from yesterday:
 ldapsearch -x -ZZ -h s2.dbb.su.se '(objectclass=*)' -d 1
I don't get any error messages.

The big thing is I'm not even sure if TLS works since the "allow" option works
with or without TLS. If I use "demand" nothing works. Evidently it reads the
certificate:
TLS: hostname (127.0.0.1) does not match common name in certificate

I'm very confused. Is there another way of testing TLS?

Here's the howto I used:
http://www.idealx.org/prj/samba/smbldap-howto.en.html
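The hostname-versus-CN failure above can be reproduced offline, which separates "does the CA and chain check out" from "does the HOST I connect to match the certificate". This is an added example, not part of the thread; it assumes the openssl CLI is installed and builds a throwaway CA and a server certificate with CN=s2.dbb.su.se in a temporary directory:

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the OpenLDAP client's
# chain + hostname check offline with a constructed CA and server cert.
# Assumes the openssl command-line tool is available.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="s2.dbb.su.se"   # the CN the thread's server certificate carries

# Build a constructed CA and a server certificate signed by it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$CN" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# check_host HOST: verify the chain against ca.pem AND that HOST matches the
# certificate name, which is what "TLS_REQCERT demand" / "tls_checkpeer yes"
# makes ldapsearch do. Prints ok/mismatch and returns 0/1 accordingly.
check_host() {
    if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
            "$WORK/server.pem" >/dev/null 2>&1; then
        echo "ok: $1 matches $CN"
        return 0
    fi
    echo "mismatch: $1 does not match $CN"
    return 1
}

make_certs
check_host "$CN"               # HOST s2.dbb.su.se in ldap.conf: passes
check_host 127.0.0.1 || true   # HOST 127.0.0.1: the thread's error, by design
```

Against a live server the equivalent check is `openssl s_client -starttls ldap -connect s2.dbb.su.se:389 -CAfile /etc/ldap/ca.pem` (OpenSSL 1.1.1 or later); "Verify return code: 0 (ok)" in its output means both the chain and the name check passed, which is the condition "demand" requires.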
