
Re: TLS issue



2011/8/4 Dan White <dwhite@olp.net>:
> On 04/08/11 19:53 +0530, Naga Chaitanya Palle wrote:
>>
>> I am trying to configure tls for my ldap server.
>> After successfully creating the below files, I try to start the ldap
>> server and it fails.
>>
>> /etc/openldap/cacerts/cacert.pem
>> /etc/openldap/cacerts/slapd-cert.pem
>> /etc/openldap/cacerts/slapd-key.pem
>>
>> The log shows the below messages
>>
>> main: TLS init def ctx failed: -1
>> slapd stopped.
>> connections_destroy: nothing to destry.
>
> What command line options are you passing to slapd? What version? What ssl
> library is your slapd linked against?
>
> Do you get any helping information while starting slapd in debug mode '-d
> -1'?
>
>> Slapd.conf
>>
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
Try removing this line; if I'm not mistaken it's in OpenSSL syntax, while
OpenLDAP is (usually) compiled against GnuTLS, which uses a different
syntax.
Also, SSLv2 is generally not considered secure, so unless you have some
apps that can't do SSLv3 or better (TLSv1 == SSLv3.1) you should turn
SSLv2 off.
>> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
>> TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
>> TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
>
> Does your openldap user/group have read access to all three files?
> Does commenting out your 'TLSCipherSuite' option make any difference?
Are your certs self-signed or from a CA?
Did you make sure that the private key (and the other certs too?) is
not stored encrypted (-nodes switch in openssl)?
>
>> database     bdb
>> suffix  "dc=comverse-in,dc=com"
>> rootdn  "cn=Manager,dc=comverse-in,dc=com"
>> rootpw  {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr
You may want to change your password, since you have posted the hash
(and also your domain): it is now possible to start brute-forcing the
hash (or using rainbow tables), and since the domain where this hash was
used is known (and at least the LDAP username), that is a big security
leak.

Other than that, version info and debug info (as Dan asks) are always
good to provide when you have a question.
Regards,
Eli
>>
>> /etc/openldap/ldap.conf
>> BASE    dc=comverse-in,dc=com
>> URI ldaps://devonly144.comverse-in.com
>>
>> TLS_CACERT    /etc/openldap/cacerts/cacert.pem
>> TLS_CACERTDIR /etc/openldap/cacerts
>> TLS_REQCERT    allow
>>
>> /etc/ldap.conf
>> base   dc=comverse-in,dc=com
>> uri ldaps://devonly144.comverse-in.com
>> ssl on
>
> --
> Dan White
>
>
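The two file-level questions raised in the replies above (can the slapd user read all three PEM files, and is the private key stored unencrypted?) can be checked before restarting slapd. The script below is an added example, not code from the thread or from OpenLDAP: it inspects the PEM headers that mark a passphrase-protected key, checks the owner/group/mode bits against a given uid/gid, and flags a world-readable key. The PEM bodies, file names and the two scenarios in `run_demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed PEM samples (not files from the original thread). The bodies are
# placeholder text; only the headers and block labels matter to this check.
PLAIN_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAPlaceholderPlaceholderPlaceholder
-----END RSA PRIVATE KEY-----
"""
ENCRYPTED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

U2FsdGVkX1PlaceholderPlaceholderPlaceholder
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqPlaceholderPlaceholderPlaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""
PLACEHOLDER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBPlaceholderPlaceholderPlaceholder
-----END CERTIFICATE-----
"""


def key_is_encrypted(pem_text):
    """True if a PEM private key is passphrase-protected. slapd cannot prompt
    for a passphrase, so such a key makes TLS init fail. Traditional OpenSSL
    PEM flags this with a 'Proc-Type: 4,ENCRYPTED' header; PKCS#8 uses the
    'ENCRYPTED PRIVATE KEY' block label."""
    for line in pem_text.splitlines():
        s = line.strip()
        if s == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
            return True
        if s.startswith("Proc-Type:") and "ENCRYPTED" in s:
            return True
    return False


def mode_allows_read(st, uid, gid):
    """Can a process running as uid/gid read the file, judging only from the
    owner, group and permission bits (ignores root privileges and ACLs)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_files(ca_path, cert_path, key_path, uid, gid):
    """Return a list of problem strings; an empty list means every check passed."""
    problems = []
    for directive, path in (("TLSCACertificateFile", ca_path),
                            ("TLSCertificateFile", cert_path),
                            ("TLSCertificateKeyFile", key_path)):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append("%s: %s does not exist" % (directive, path))
            continue
        if not mode_allows_read(st, uid, gid):
            problems.append("%s: %s not readable by uid=%d gid=%d (mode %s)"
                            % (directive, path, uid, gid, stat.filemode(st.st_mode)))
    try:
        st = os.stat(key_path)
        if st.st_mode & stat.S_IROTH:
            problems.append("TLSCertificateKeyFile: %s is world-readable; "
                            "use 0640 owned by the slapd user/group" % key_path)
        with open(key_path) as f:
            if key_is_encrypted(f.read()):
                problems.append("TLSCertificateKeyFile: %s is passphrase-protected; "
                                "re-export it unencrypted (openssl ... -nodes)" % key_path)
    except FileNotFoundError:
        pass  # already reported above
    return problems


def run_demo():
    """Write constructed files into a scratch directory and check them under two
    scenarios. Returns {'ok': [...], 'bad': [...]} (problem lists)."""
    uid, gid = os.getuid(), os.getgid()
    d = tempfile.mkdtemp()
    ca, cert, key = (os.path.join(d, n)
                     for n in ("cacert.pem", "slapd-cert.pem", "slapd-key.pem"))
    for p in (ca, cert):
        with open(p, "w") as f:
            f.write(PLACEHOLDER_CERT_PEM)
        os.chmod(p, 0o644)
    # Scenario 1: unencrypted key, mode 0640, checked as the owning user.
    with open(key, "w") as f:
        f.write(PLAIN_KEY_PEM)
    os.chmod(key, 0o640)
    ok = check_tls_files(ca, cert, key, uid, gid)
    # Scenario 2: passphrase-protected key, mode 0600, checked as a different
    # uid/gid standing in for the slapd service account.
    with open(key, "w") as f:
        f.write(ENCRYPTED_KEY_PEM)
    os.chmod(key, 0o600)
    bad = check_tls_files(ca, cert, key, uid + 1, gid + 1)
    return {"ok": ok, "bad": bad}


if __name__ == "__main__":
    for name, probs in run_demo().items():
        print(name, probs or "all checks passed")
```

Run it as the user slapd actually drops to (or pass that account's uid/gid), since root can read anything and will hide a permission problem; `slapd -d -1` will still give the authoritative error from the TLS library.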
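On the rootpw point: an OpenLDAP {SSHA} value is base64(SHA-1(password || salt) || salt), so the salt is published together with the digest and anyone holding the string can test candidates offline at SHA-1 speed. The following is an added example, not code from the thread or from OpenLDAP: it splits the posted hash to show its layout (20-byte digest plus 4-byte salt), and runs a dictionary attack against a hash constructed here from a known password. The wordlist is constructed, and the attack is not run against the posted value.

```python
import base64
import hashlib
import hmac
import os

# The rootpw value as it appeared in the quoted slapd.conf.
POSTED_HASH = "{SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr"

# Constructed wordlist; the domain-derived guesses illustrate why posting the
# domain alongside the hash makes the attacker's job easier.
WORDLIST = ["password", "Manager", "ldap", "comverse", "secret123"]


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} string: base64(SHA1(password || salt) || salt).
    slappasswd uses a short random salt; 4 bytes is used here for the demo."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Return (digest, salt) from an {SSHA} string; the digest is always 20 bytes."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short for a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def ssha_verify(stored, candidate):
    """Recompute SHA1(candidate || salt) with the stored salt and compare in
    constant time (what a directory server does on bind)."""
    digest, salt = ssha_split(stored)
    calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def crack_ssha(stored, wordlist):
    """Offline dictionary attack: one SHA-1 per candidate because the salt is
    known. Returns the matching word, or None if nothing in the list matches."""
    for word in wordlist:
        if ssha_verify(stored, word):
            return word
    return None


if __name__ == "__main__":
    digest, salt = ssha_split(POSTED_HASH)
    print("posted hash: %d-byte SHA-1 digest, %d-byte salt" % (len(digest), len(salt)))
    demo = ssha_hash("secret123", b"\x01\x02\x03\x04")
    print("constructed hash:", demo)
    print("recovered:", crack_ssha(demo, WORDLIST))
```

The salt defeats generic precomputed tables, but it does nothing against a targeted guess-and-check like this one, which is why a posted {SSHA} should be treated as a leaked password and rotated.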