I have to add one more thing. It appears that with the proper certs specified in slapd.conf, no -h ldaps:/// is needed to make TLS available over port 389. My command line is now:
/usr/libexec/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf

and TLS is available. I don't think the man page or FAQ makes this clear. I've added a note to the FAQ.


Greg Martin wrote:
Sorry for the long post, but I resolved most of this. It was all configuration detail. There were two things happening:

I was using:
(Note the extra underscore)


I guess I got ldap.conf & slapd.conf directives confused. When I ran slapd with -d 255 I found that mistake.

I had the following in slapd.conf & ldap.conf
(which I cut & pasted from 'openssl ciphers')

replaced it with
It's still not clear to me what the syntax should be. Trying to translate the openssl -v ciphers output into what's mentioned in the man page doesn't help me much. But I can be dense.

So a couple questions that don't need answers:
- would there be value in making the slapd.conf & ldap.conf TLS directives align?
- Should slaptest report the bad TLS directives?

And one more. In the man page for slapd, there is this explanation for the -h option:
-h URLlist
slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option may be used to specify LDAP (and other scheme) URLs to serve. For example, if slapd is given -h "ldap:// ldaps:/// ldapi:///", it will listen on for LDAP, for LDAP over TLS,

The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. Should that say something like:

"will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389?"

I've dropped all this in my blog at: http://linux2.gmartin.org:82/tiki/tiki-view_blog_post.php?blogId=2&postId=107

BTW, I still can't get phpldapadmin to connect using tls, but that's for another day.


Greg Martin wrote:
I know there are a lot of questions on this topic and I ask for your patience.

I'm trying to figure out how to discern if slapd is properly configured for SSL/TLS. Reading through the slapd strace output shows that the cacert & certfile are being opened & read.

slapd v2.3.27

When I look at netstat -an, ports 389 & 636 are listening:
tcp 0 0* LISTEN
tcp 0 0* LISTEN

slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never

Reading through the strace output shows that the cacert & certfile are being opened.

BASE    dc=gmartin, dc=org
URI    ldap://linux2.gmartin.org
TLS_CACERT /var/data/ca/cacert.pem

TLS_CACERT /var/data/ca/cacert.pem

When I try ldapsearch or openssl s_client, I receive:
sslv3 alert handshake failure

And using slapd debug I see:
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:97

I checked the FAQ and I think I've looked at everything there. Not sure where to look next.
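The directive-name confusion found above with -d 255 (slapd.conf uses TLSCACertificateFile, ldap.conf uses TLS_CACERT, and the "extra underscore" form matches neither) can be caught statically, which is the gap the "should slaptest report the bad TLS directives?" question points at. The following is an added example, not code from the thread or from the OpenLDAP project; the sample config it checks is constructed from the slapd.conf quoted in the original post.

```shell
# Added example (not from the thread or OpenLDAP). Server-side slapd.conf and
# client-side ldap.conf spell their TLS directives differently; a directive in
# the wrong spelling is not applied, and a server left without a usable
# certificate is one reason OpenSSL reports "no shared cipher" at the handshake.

# lint_tls_directives MODE FILE
#   MODE is "slapd" or "ldap". Prints one line per TLS directive that does not
#   belong in that file, with the spelling the file expects; silent when clean.
lint_tls_directives() {
    awk -v mode="$1" '
        BEGIN {
            # slapd.conf spelling -> ldap.conf spelling
            pair["TLSCACertificateFile"]  = "TLS_CACERT"
            pair["TLSCertificateFile"]    = "TLS_CERT"
            pair["TLSCertificateKeyFile"] = "TLS_KEY"
            pair["TLSCipherSuite"]        = "TLS_CIPHER_SUITE"
            for (s in pair) rev[pair[s]] = s
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments / blanks
        {
            d = $1; want = ""
            if (mode == "slapd" && d ~ /^TLS_/) {
                # either a genuine ldap.conf name or the "extra underscore" variant
                want = (d in rev) ? rev[d] : d
                sub(/^TLS_/, "TLS", want)
            } else if (mode == "ldap" && d ~ /^TLS[A-Z]/) {
                want = (d in pair) ? pair[d] : "(no ldap.conf equivalent)"
            }
            if (want != "")
                printf "%s:%d: %s is not a %s.conf directive; use %s\n", FILENAME, NR, d, mode, want
        }
    ' "$2"
}

# count_problems MODE FILE -> number of flagged lines
count_problems() { lint_tls_directives "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample: the slapd.conf from the original post (its paths, its cipher string).
SAMPLE_SLAPD="${TMPDIR:-/tmp}/slapd.conf.sample.$$"
cat >"$SAMPLE_SLAPD" <<'EOF'
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
EOF

lint_tls_directives slapd "$SAMPLE_SLAPD"   # flags the three TLS_* lines
```

Run it against a real slapd.conf with `lint_tls_directives slapd /etc/openldap/slapd.conf` before starting slapd; an empty result means every TLS directive at least has the server-side spelling.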