0

My LDAP server's ldap.conf file

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=coretesting,dc=com
URI     ldap://ldap.coretesting.com #ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_REQCERT demand
TLS_CACERTDIR /etc/ssl/certs/
TLS_CACERT      /etc/ssl/certs/cacert.pem    
TLS_CERT /etc/ssl/certs/slapd01.pem
TLS_KEY /etc/ssl/private/slapd01_key.pem
#TLS_CRLCHECK all
#TLS_PROTOCOL_MIN 3

Whenever my client tries to connect with the server first time alone ldap_start_tls_s fails.

Error code ldap_start_tls: Connect error (-11)

The second time onwards it is working fine.

I know that TLS_REQCERT demand data on ldap.conf file can resolve this error.

When we try to use a secured connection there is no meaning of providing other than demand option.

If any experts know the root cause or solution please let me know.

Regards, Ram

ram ajay
  • 11
  • 2
  • AFAIK `TLS_REQCERT` is directive in client config, not server – Romeo Ninov Jun 23 '23 at 07:05
  • Hi @RomeoNinov, – ram ajay Jun 23 '23 at 07:08
  • Thank you for your quick response, As per my understating to avoid unauthenticated users and to improve security on server side we are providing demand option on server. If we provide other than demand option whoever know user name and server they can also try to connect with server right. Could you please correct if my understanding is wrong. – ram ajay Jun 23 '23 at 07:09
  • kindly refer belwo link and refer to following section https://www.openldap.org/doc/admin24/tls.html16.2.1.9. TLSVerifyClient { never | allow | try | demand } – ram ajay Jun 23 '23 at 07:12
  • Please check https://www.openldap.org/doc/admin21/tls.html The directive for server is `TLSVerifyClient` – Romeo Ninov Jun 23 '23 at 07:13
  • 1
    Now i got your point. TLSVerifyClient is configuration on server side and TLS_REQCERT is client side is your point right. In my case both I had configured as demand only. Very first time alone my client couldn't able to connect with server. Second time onwards able to connect successfully. – ram ajay Jun 23 '23 at 07:18

0 Answers0