[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problems with openldap2.1.4 and TLS/SSL

To: OpenLDAP-software@OpenLDAP.org
Subject: Problems with openldap2.1.4 and TLS/SSL
From: Stefan Wurzinger <stefan.wurzinger@greengecko.org>
Date: Mon, 23 Sep 2002 21:40:51 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020615 Debian/1.0.0-3

Dear Sirs,

I've installed openldap-2.1.4, openssl-0.9.6g and db-4.0.14 on a debian woody.

if i run following commands i got this errors

mydebian:/home/ra# /usr/local/libexec/slapd -h "ldap:/// ldaps:///"

mydebian:/home/ra# ldapsearch -H ldap://localhost -p 389 -x -b "" -s base -LLL -ZZ ldap_start_tls: Connect error (91) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

mydebian:/home/ra# ldapsearch -H ldaps://localhost -p 636 -x -b "" -s base -LLL ldap_bind: Can't contact LDAP server (81) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

i found this in the syslog Sep 23 21:18:40 mydebian slapd[654]: daemon: conn=3 fd=10 connection from IP=127.0.0.1:1634 (IP=0.0.0.0:389) accepted. Sep 23 21:18:45 mydebian slapd[654]: connection_read(10): checking for input on id=4 Sep 23 21:18:45 mydebian slapd[654]: connection_read(10): TLS accept error error=-1 id=4, closing Sep 23 21:18:45 mydebian slapd[654]: connection_closing: readying conn=4 sd=10 for close

i have read the tls/ssl section of the faq, but nothing helps. please help me!

now i will descript you, how i installed my system.

i installed the berkeleydb with the following options
../dist/configure --enable-shared --enable-cxx

i added to /etc/ld.so.conf the line /usr/local/BerkeleyDB.4.0/lib, then i run ldconfig

i installed openssl
./configure shared --prefix=/usr --openssldir=/usr/lib/ssl

i installed openldap CPPFLAGS="-I/usr/local/BerkeleyDB.4.0/include" LDFLAGS="-L/usr/local/Berkeley.4.0/lib" ./configure --with-wrappers --disable-ipv6 --enable-debug --enable-syslog --without-cyrus-sasl --without-kerberos --with-tls --enable-bdb --enable-ldbm


i've create the certificate with the following arguments
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365

Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
.................................................++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:GRAZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*localhost*
Email Address []:stefan.wurzinger@greengecko.org

------------------------------- my slapd.conf ------------------------------------------------------ include /usr/local/etc/openldap/schema/core.schema

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#debug modes
loglevel -1

#TLS/SSL
TLSCertificateFile      /usr/local/etc/openldap/server.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/server.pem
TLSCACertificateFile    /usr/local/etc/openldap/server.pem

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "dc=localhost"
rootdn          "cn=Admin,dc=localhost"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

#####
#ACCESS CONTROLL
#####
#read access for everyone
access to * by * read

access to attr=userPassword
         by self write
         by anonymous auth
         by dn="cn=Admin,dc=localhost" write
         by * none

access to * by self write by dn="Admin,dc=localhost" by * read ---------------------------------- end slapd.conf ----------------------------------

---------------------------------- my ldap.conf ------------------------------------ HOST 127.0.0.1 BASE dc=localhost SSL yes ---------------------------------- end ldap.conf ------------------------------------

please help me.

yours faithfully

Stefan

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Stefan Ignaz Wurzinger ~ stefan.wurzinger@greengecko.org ~
~ www.greengecko.org     ~ Project Groupe of Students      ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Follow-Ups:
- Re: Problems with openldap2.1.4 and TLS/SSL
  - From: "Frank Swasey" <Frank.Swasey@uvm.edu>

Prev by Date: API Libs and the v3 Protocol
Next by Date: Re: API Libs and the v3 Protocol
Index(es):
- Chronological
- Thread