Fedora Linux Support Community & Resources Center
20th September 2011, 05:42 AM
vijays, Registered User (Join Date: Aug 2011, Posts: 28)
TLS/SSL client certificate creation for LDAP.

I am configuring LDAP on Fedora 10 machines: one running as the LDAP server with openldap-2.4.26 and the other with pam_ldap-186 and nss_ldap-265.

I have created the certificates using openssl's CA.sh on the server side.

I followed the instructions given in the link below to create the certificates.


1. On the server side I am now able to run ldapsearch and ldapadd, having done the configuration in /usr/local/etc/openldap/ldap.conf.

BASE dc=samsung,dc=com
URI ldaps://localhost.localdomain/
TLS_CACERT /etc/pki/CA/cacert.pem

2. The slapd.conf TLS settings are as follows:

TLSCACertificatePath /etc/pki/CA/
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/misc/newkey.pem
TLSVerifyClient allow

3. I have copied "cacert.pem", which is the CA certificate, and "newcert.pem", which is my server certificate, to the /etc/openldap/cacerts directory on the client machine, and I have made the following configuration changes to the "/etc/ldap.conf" file on the client side.

base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cert /etc/openldap/cacerts/newcert.pem
pam_password md5
nss_map_attribute gecos description

When "TLSVerifyClient allow" is specified in slapd.conf, I am able to log in to the client machine properly and authentication is successful, but with "TLSVerifyClient demand", when I try to log in to the client machine, the authentication fails.

I am getting the following error on the server side.

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate.
connection_read(12): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=12 for close
connection_close: conn=1005 sd=12
daemon: activity on 1 descriptor
daemon: activity on:
daemon: removing 12
conn=1005 fd=12 closed (TLS negotiation failure)

Please let me know where I am making a mistake. How can I correct this and make it work properly?

Thanks & Regards,
Vijay S.
21st September 2011, 03:38 AM
vijays, Registered User (Join Date: Aug 2011, Posts: 28)
Re: TLS/SSL client certificate creation for LDAP.

I tried creating a different certificate on the client side, following the same steps I used on the server side, but it still didn't work.

The hostname is the same; I have taken care of this. It is the same on both client and server, and I provided it as the common name during certificate creation.
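Some background on what the server-side trace above means, followed by an added example; the script is not from the forum post or from OpenLDAP, it is written here to show the checks involved. With "TLSVerifyClient demand", slapd sends a CertificateRequest during the handshake and aborts the connection unless the client presents a certificate that chains to the CA in TLSCACertificateFile; "peer did not return a certificate" is OpenSSL reporting that the client sent none. With "allow" a client that presents nothing is still accepted, which is why logins succeed in that mode. A TLS client only presents a certificate when it is configured with both the certificate and its matching private key: in nss_ldap/pam_ldap's /etc/ldap.conf those are the tls_cert and tls_key directives, and in the OpenLDAP client library's ldap.conf they are TLS_CERT and TLS_KEY. The script below builds a throwaway CA, issues a server and a client certificate from it, and then runs the offline checks an administrator can do before pointing those directives at the files: does the certificate chain to the CA the server trusts, and does the key actually belong to the certificate. It assumes only the openssl command-line tool; the CA name, the host name ldap.example.com, the client name client1 and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the forum post: build a throwaway CA, issue a
# server and a client certificate with it, and run the offline checks an admin
# can do before pointing tls_cert/tls_key (nss_ldap/pam_ldap) or
# TLSCertificateFile/TLSCertificateKeyFile (slapd) at the files.
# Assumes only the openssl CLI. All names and files below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the CA certificate carries basicConstraints CA:TRUE
# regardless of the system openssl.cnf (a cert without it is rejected as an issuer).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed CA: the role played by /etc/pki/CA/cacert.pem in the post.
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" -keyout "$WORK/cakey.pem" \
    -out "$WORK/cacert.pem" 2>/dev/null
}

# Issue $WORK/$1.pem and $WORK/$1-key.pem, signed by the CA, with CN=$2.
issue_cert() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 1 \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Check 1: does certificate $2 chain to the CA file $1? Prints 1 or 0.
# This is the check slapd makes against TLSCACertificateFile when it demands
# a client certificate.
chains_to_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Check 2: is private key $2 the key for certificate $1? Prints 1 or 0.
# A client can only present a certificate together with its private key; if the
# key is missing or belongs to a different certificate, no certificate is sent
# and the server logs "peer did not return a certificate".
key_matches_cert() {
  [ -r "$2" ] || { echo 0; return 0; }
  certpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || certpub=
  keypub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || keypub=
  if [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]; then echo 1; else echo 0; fi
}

# Check 3: the subject the server will see (and log) for this certificate.
cert_subject() {
  openssl x509 -noout -subject -in "$1" 2>/dev/null
}

make_ca
issue_cert server ldap.example.com
issue_cert client client1

echo "server cert chains to CA:            $(chains_to_ca "$WORK/cacert.pem" "$WORK/server.pem")"
echo "client cert chains to CA:            $(chains_to_ca "$WORK/cacert.pem" "$WORK/client.pem")"
echo "client cert + client key:            $(key_matches_cert "$WORK/client.pem" "$WORK/client-key.pem")"
echo "client cert + server key (mismatch): $(key_matches_cert "$WORK/client.pem" "$WORK/server-key.pem")"
echo "client cert, no key file:            $(key_matches_cert "$WORK/client.pem" "$WORK/missing-key.pem")"
echo "client subject: $(cert_subject "$WORK/client.pem")"
```

The two mismatch cases at the end are the ones worth trying against a real deployment: a certificate copied from the server without its key, or paired with the wrong key, passes the chain check but fails the key check, and a client in that state never sends a certificate, so the server never gets as far as verifying one.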

Tags: certificate, client, creation, ldap, tls or ssl
