Re: OpenLDAP starts, but...
--On Wednesday, March 16, 2005 1:26 AM -0300 Pupeno <email@example.com>
>> (And, before you
>> add TLSCipherSuite/TLS_CIPHER_SUITE back into your OpenLDAP
>> configuration, you test with -cipher first.)
> I wouldn't know what set of ciphers to use, I've tried the ones defined
> by Apache (which works) and several examples from the internet. Nothing
>> And, if that doesn't help, examine other settings. You
>> should be able to translate your s_client/s_server success
>> to ldapsearch/slapd success. There is a direct relationship
>> between s_client/s_server options and ldapsearch/slapd
> Well, in that case, I could say that the defaults work for
> s_client/s_server and not for ldapsearch/slapd.
After getting a login to pupeno's system, and doing a ton of debugging, I
started looking closely at the client cert output, and compared it to my
client cert output. After several comparisons, I finally noticed that
Pupeno's cert was created with a key that used DSA encryption, whereas my
cert was created with a key using RSA encryption. I noticed that the
cacert.org CA cert was also created with a key using RSA encryption. I
then had Pupeno create a new key with RSA encryption, and then order a new
cert from cacert.org. The new cert/key combo worked immediately.
So, avoiding DSA for your key generation is the lesson here, I think.
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
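The debugging in the message above came down to comparing the key algorithm of two certificates by eye. The following shell functions, an added example that is not part of the thread or of OpenLDAP, automate that check with the `openssl` command line: one function reports the public-key algorithm embedded in a PEM certificate, one reports it for a PEM private key, one generates an RSA key and self-signed certificate for testing, and one wraps the `s_client -cipher` probe that Kurt recommends running before touching `TLSCipherSuite`. The file paths, the `ldap.example.test` name and the `rsa:2048` key size are assumptions chosen for the example.

```sh
#!/bin/sh
# Added example, not code from the OpenLDAP thread above. Requires the
# openssl command-line tool. Every path and hostname used here is an
# assumed placeholder.
set -eu

# Print the public-key algorithm named in a PEM certificate, exactly as
# OpenSSL labels it: "rsaEncryption", "dsaEncryption", "id-ecPublicKey", ...
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' \
        | head -n 1
}

# Print the algorithm of a PEM private key. The key is converted to its
# SubjectPublicKeyInfo form and the first OBJECT IDENTIFIER in that
# structure is the algorithm (rsaEncryption, dsaEncryption, ...), which
# works for both traditional and PKCS#8 key files.
key_algorithm() {
    openssl pkey -in "$1" -pubout \
        | openssl asn1parse \
        | sed -n 's/.*OBJECT *://p' \
        | head -n 1
}

# Succeed only when the certificate's key is RSA, the combination that
# worked in the thread. Use it as a pre-flight check before pointing
# TLSCertificateFile / TLSCertificateKeyFile in slapd.conf at new files.
check_rsa() {
    [ "$(cert_key_algorithm "$1")" = "rsaEncryption" ]
}

# Generate an RSA private key and a one-day self-signed certificate for
# local testing. $1 = key file, $2 = cert file, $3 = common name.
make_rsa_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1" -out "$2" >/dev/null 2>&1
}

# The s_client probe from the quoted advice: try one cipher string against
# a live server ($1 = host:port, $2 = OpenSSL cipher list). A successful
# handshake here is the baseline to reproduce with ldapsearch -ZZ before
# adding TLSCipherSuite / TLS_CIPHER_SUITE. Not exercised offline.
probe_cipher() {
    printf 'Q\n' | openssl s_client -connect "$1" -cipher "$2" 2>&1 \
        | grep -E '^ *(Protocol|Cipher) *:'
}
```

Typical use after ordering a new certificate: `check_rsa /etc/ldap/server.crt && echo "RSA key, safe to install"`, then `probe_cipher ldap.example.test:636 'HIGH'` against the running slapd. Running `key_algorithm` on the private key as well catches the case where the certificate and key files were generated separately and no longer match in algorithm.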