On Sun, 2016-04-03 at 18:09 +0200, Graham Leggett wrote:
> Hi all,
>
> I have a 389ds v1.3.4 server as deployed by CentOS7 configured with SSL/TLS to
> require client certificates.
>
> Attempts to connect to this server using “openssl s_client” fail, and the
> failure is triggered by the 389ds server side as follows:
>
> 4 4 0.0079 (0.0009) S>CV3.3(2) Alert
> level fatal
> value bad_certificate
> 4 0.0080 (0.0000) S>C TCP FIN
>
> Unfortunately the error log on the 389ds server is dead silent on this issue,
> and without a sensible error message it is making debugging this very
> difficult.
>
> What mechanism must I use to enable any kind of logging inside 389ds that will
> indicate why a particular SSL/TLS connection is being rejected?
>

I believe that in the slapd access log by default you can see details about why
the authentication was failing. It will show you details about this:

>> [02/Feb/2016:18:34:00 +1000] conn=2721 fd=77 slot=77 SSL connection from
>> 2001:db8::5054:ff:fe89:97e2 to 2001:db8::5054:ff:fe89:97e2
>> [02/Feb/2016:18:34:00 +1000] conn=2721 TLS1.2 128-bit AES-GCM; client CN=CA
>> Subsystem,O=IPA.EXAMPLE.COM; issuer CN=Certificate
>> Authority,O=IPA.EXAMPLE.COM
>> [02/Feb/2016:18:34:00 +1000] conn=2721 TLS1.2 failed to map client certificate to
>> LDAP DN (Could not matching certificate in User's LDAP entry)
>> [02/Feb/2016:18:34:00 +1000] conn=2721 op=0 BIND dn="" method=sasl version=3
>> mech=EXTERNAL
>> [02/Feb/2016:18:34:00 +1000] conn=2721 op=0 RESULT err=49 tag=97 nentries=0
>> etime=0

Additionally, using the ldapsearch command with high levels of debugging may help also.

--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
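As an added illustration (not part of the original thread) of how the access-log records William quotes can be used to find rejected client-certificate binds: the script below groups 389ds access-log records by conn id and reports each connection where the presented certificate could not be mapped to an LDAP DN, together with the err code of the BIND that followed. The sample input is the excerpt from the reply, re-joined into one record per line (the list archive wrapped them); the record layout the regexes assume is taken from those lines only.

```python
import re
from collections import defaultdict

# Constructed sample: the access-log excerpt quoted in the reply, one record per line.
SAMPLE_LOG = """\
[02/Feb/2016:18:34:00 +1000] conn=2721 fd=77 slot=77 SSL connection from 2001:db8::5054:ff:fe89:97e2 to 2001:db8::5054:ff:fe89:97e2
[02/Feb/2016:18:34:00 +1000] conn=2721 TLS1.2 128-bit AES-GCM; client CN=CA Subsystem,O=IPA.EXAMPLE.COM; issuer CN=Certificate Authority,O=IPA.EXAMPLE.COM
[02/Feb/2016:18:34:00 +1000] conn=2721 TLS1.2 failed to map client certificate to LDAP DN (Could not matching certificate in User's LDAP entry)
[02/Feb/2016:18:34:00 +1000] conn=2721 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[02/Feb/2016:18:34:00 +1000] conn=2721 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Record shapes as they appear in the quoted excerpt (assumed to be representative).
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client (?P<subject>.+?); issuer (?P<issuer>.+)$")
MAPFAIL_RE = re.compile(r"failed to map client certificate to LDAP DN \((?P<reason>.*)\)")
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT err=(?P<err>\d+)")


def parse_access_log(text):
    """Group records by conn id, keeping the peer address, the client certificate
    subject/issuer, any certificate-mapping failure reason and the RESULT err codes."""
    conns = defaultdict(lambda: {"peer": None, "subject": None, "issuer": None,
                                 "map_error": None, "results": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a record of the shape we handle
        rec, rest = conns[m.group("conn")], m.group("rest")
        if " SSL connection from " in rest:
            rec["peer"] = rest.split(" SSL connection from ", 1)[1].split(" to ", 1)[0]
        elif (c := CLIENT_RE.search(rest)):
            rec["subject"], rec["issuer"] = c.group("subject"), c.group("issuer")
        elif (f := MAPFAIL_RE.search(rest)):
            rec["map_error"] = f.group("reason")
        elif (r := RESULT_RE.search(rest)):
            rec["results"].append(int(r.group("err")))
    return dict(conns)


def failed_cert_binds(text):
    """Return (conn, subject, reason, last_err) for every connection on which a
    client certificate was presented but could not be mapped to an LDAP entry."""
    found = []
    for conn, rec in parse_access_log(text).items():
        if rec["map_error"] is not None:
            last_err = rec["results"][-1] if rec["results"] else None
            found.append((conn, rec["subject"], rec["map_error"], last_err))
    return found


if __name__ == "__main__":
    for conn, subject, reason, err in failed_cert_binds(SAMPLE_LOG):
        print(f"conn={conn} client={subject!r}: {reason} (bind err={err})")
```

Pointing the same parser at a live access log (after joining any wrapped records) gives a quick list of which client certificates are reaching the server but failing the DN mapping, which is the case the quoted excerpt shows.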
--
389 users mailing list