I'm trying to setup a replication with a certificate based authentication between
supplier and consumer. The certificates in the certdb at /etc/dirsrv/slapd-XXX contain the
very same CA with which the respective server certificates in the certdbs have been
signed. The certificates all have the 'u' flag, and the CA has the C and T flag.
The replication (on the supplier) has been setup such that TLS and certificate based
authentication is used, see extract from the replication agreement object:
objectclass: nsds5ReplicationAgreement
nsds5replicahost: <consumer-hostname>
nsds5replicaport: 389
nsds5replicatransportinfo: TLS
nsds5replicabindmethod: SSLCLIENTAUTH
Trying to initialize the consumer raises this error in the error-log of the supplier (the
host sending the starttls connection request):
Replication bind with EXTERNAL auth failed: LDAP error 48 (Inappropriate authentication)
(missing client certificate)
The certificate that the server should have sent can, however, be used with the ldap
commandline tools as ldapsearch. In this case a wireshark trace clearly shows that the
client sends the certificate during the TLS handshake, while in the above case it
doesn't.
The TLS handshake defines that the client has to send an "empty certificate" if
it does not have a certificate that has been issued by a CA offered by the server during
the handshake. I can't see a reason for the client to think the condition isn't
met. The certificate with which the server (supplier) is setup is the only one available.
Is it possible that the server does not know which certificate it has to use for
authentication with the consumer server? And if so, how do I make the server know?
The 389-ds in use is the version 1.4.1.6~git0.5ac5a8aad. The problem was the same with
1.4.0.3.
Thanks,
Eugen