[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: TLS init def ctx failed: -1
François Mehault wrote:
Hi all
I contact you because I don’t succeed to configure my OpenLDAP with TLS.
First I create self signed certificate server.pem like I read on this
page http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#5.1.1 in
/usr/local/etc/openldap/tls.
You should not have done that. The steps in section 4.1 of that document (Self
Signed Certificate) violate most of the best practices for certificate
management. I have asked that this section be removed from the document, it
should be disappearing from the web site soon.
|*openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
server.pem -days 365*|
This is a terrible way to generate a server certificate. Instead you should
generate a CA, following the steps in (the current) section 4.2.
|* *|
Then I add this line in slapd.conf :
TLSCertificateFile /usr/local/etc/openldap/tls/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/tls/server.pem
TLSCACertificateFile /usr/local/etc/opendldap/tls/server.pem
TLSVerifyClient never
Then I restart slapd. /usr/local/etc/rc.d/slapd stop , start.
And in my /var/log/debug.log I have
Jul 2 12:18:39 labobe2 slapd[97816]: main: TLS init def ctx failed: -1
Jul 2 12:18:39 labobe2 slapd[97816]: slapd destroy: freeing system
resources.
Jul 2 12:18:39 labobe2 slapd[97816]: syncinfo_free: rid=001
Jul 2 12:18:39 labobe2 slapd[97816]: slapd stopped.
I use FreeBSD 7.
If someone can help me, I appreciate, thanks in advance
Use "rc.d/slapd start -d -1" and see what error messages are printed on
stderr. syslog is useless for diagnostics.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/