Can you ensure the account running openldap is able to read the certificate and key?
like: sudo -u <openldap_user> cat <path_to_files>

Sounds like the proxy is not able to send its certificate.

________________________________
From: Fred N <[email protected]>
Sent: Thursday, 30 January 2025 11:05
To: [email protected] <[email protected]>
Subject: RE: ldap proxy

I removed the parameter (tls_cacertdir=/etc/ssl/certs) from the idassert-bind config and the result is:

Client log (other ldap server):

ldapsearch -H ldap://ldap-proxy.fr -b "dc=appli,dc=test,dc=com" -D "dn" -w "pwd"
ldap_bind: Server is unavailable (52)
additional info: Proxy operation retry failed

Proxy log:

679a61e2.1c43bb27 0x7f8d6cf56640 TLS trace: SSL3 alert read:fatal:unknown

Backend log:

679b49c4.0aa74b3e 0x7f39e25fd6c0 TLS trace: SSL3 alert write:fatal:unknown
679b49c4.0aa76a7f 0x7f39e25fd6c0 TLS trace: SSL_accept:error in error
679b49c4.0aa79f9f 0x7f39e25fd6c0 TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.
679b49c4.0aa7fcfb 0x7f39e25fd6c0 connection_read(11): TLS accept failure error=-1 id=1001, closing
679b49c4.0aa83473 0x7f39e25fd6c0 connection_closing: readying conn=1001 sd=11 for close
679b49c4.0aa86f6f 0x7f39e25fd6c0 connection_close: conn=1001 sd=11

>From client ldap, I want to query an LDAP backend via an LDAP proxy. I want
>the query from the client to be unsecured with a simple authentication
>(bindn), but the proxied communication between the LDAP proxy and the LDAP
>backend to be secured through mutual TLS authentication via SASL EXTERNAL.

My setup is not working at the moment.
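The check suggested in the reply above (can the slapd service account actually open the client certificate and private key?) is easy to get wrong by looking at the file mode alone, because every parent directory also needs the search (x) bit for that account, and a directory such as a private-key folder with mode 0710 owned by root and a dedicated group silently blocks a user that is not in that group. The script below is an added example, not part of the thread and not OpenLDAP code: it reproduces what `sudo -u <openldap_user> cat <file>` tests, without needing sudo, by evaluating classic Unix owner/group/other permissions for the given uid and group set along the whole path. It assumes plain DAC semantics (POSIX ACLs, SELinux and AppArmor are not consulted), and the user name `openldap` and the paths in the usage line are placeholders.

```python
import os
import stat
import tempfile


def _bits_allow(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic Unix check: owner, then group, then others. Root bypasses DAC for read/search."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def path_readable_by(path, uid, gids):
    """Return (ok, reason). The account needs x on every ancestor dir and r on the file itself."""
    path = os.path.abspath(path)
    parts = path.split(os.sep)[1:-1]
    cur = os.sep
    for part in parts:
        cur = os.path.join(cur, part)
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            return False, f"{cur}: missing"
        if not _bits_allow(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, f"{cur}: no search (x) permission for uid {uid}"
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, f"{path}: missing"
    if not _bits_allow(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, f"{path}: no read permission for uid {uid} (mode {stat.filemode(st.st_mode)})"
    return True, "ok"


def user_ids(username):
    """Resolve a service account name to (uid, [primary gid + supplementary gids])."""
    import grp  # noqa: F401  (kept for platforms where getgrouplist needs it loaded)
    import pwd
    pw = pwd.getpwnam(username)
    return pw.pw_uid, list(os.getgrouplist(username, pw.pw_gid))


def current_ids():
    """uid and groups of the process running this script (used by the demo and tests)."""
    return os.getuid(), list(os.getgroups()) + [os.getgid()]


def make_demo_file(file_mode, dir_mode):
    """Constructed sample: an empty 'key.pem' inside a fresh temp dir with the given modes."""
    d = tempfile.mkdtemp(prefix="ldap-tls-demo-")
    p = os.path.join(d, "key.pem")
    open(p, "w").close()
    os.chmod(p, file_mode)
    os.chmod(d, dir_mode)
    return p


def check_files(username, paths):
    """Report readability of each path for the named account; returns True only if all pass."""
    uid, gids = user_ids(username)
    all_ok = True
    for p in paths:
        ok, reason = path_readable_by(p, uid, gids)
        print(f"{'OK  ' if ok else 'FAIL'} {p}: {reason}")
        all_ok = all_ok and ok
    return all_ok


if __name__ == "__main__":
    # Placeholder account and paths; replace with the real slapd user and TLS files.
    check_files("openldap", ["/etc/ldap/tls/proxy-cert.pem", "/etc/ldap/tls/proxy-key.pem"])
```

A FAIL on the private key with a reason naming a parent directory is the case the bare file mode hides; fixing it means adding the service account to the directory's group or relaxing the directory's search bit, not making the key world-readable.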
