On Sun, 2016-04-03 at 18:09 +0200, Graham Leggett wrote:
> Hi all,
>
> I have a 389ds v1.3.4 server as deployed by CentOS7 configured with SSL/TLS to
> require client certificates.
>
> Attempts to connect to this server using "openssl s_client" fail, and the
> failure is triggered by the 389ds server side as follows:
>
> 4 4 0.0079 (0.0009) S>CV3.3(2) Alert
> level fatal
> value bad_certificate
> 4 0.0080 (0.0000) S>C TCP FIN
>
> Unfortunately the error log on the 389ds server is dead silent on this issue,
> and without a sensible error message it is making debugging this very
> difficult.
>
> What mechanism must I use to enable any kind of logging inside 389ds that will
> indicate why a particular SSL/TLS connection is being rejected?
>
I believe that in the slapd access log by default you can see details about why
the authentication was failing. It will show you details about this:
>> [02/Feb/2016:18:34:00 +1000] conn=2721 fd=77 slot=77 SSL connection from
>> 2001:db8::5054:ff:fe89:97e2 to 2001:db8::5054:ff:fe89:97e2
>> [02/Feb/2016:18:34:00 +1000] conn=2721 TLS1.2 128-bit AES-GCM; client CN=CA
>> Subsystem,O=IPA.EXAMPLE.COM; issuer CN=Certificate
>> Authority,O=IPA.EXAMPLE.COM
>> [02/Feb/2016:18:34:00 +1000] conn=2721 TLS1.2 failed to map client certificate
to
>> LDAP DN (Could not matching certificate in User's LDAP entry)
>> [02/Feb/2016:18:34:00 +1000] conn=2721 op=0 BIND dn="" method=sasl version=3
>> mech=EXTERNAL
>> [02/Feb/2016:18:34:00 +1000] conn=2721 op=0 RESULT err=49 tag=97 nentries=0
>> etime=0
Additionally, using the ldapsearch command with highlevels of debugging may help
also.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
No comments:
Post a Comment