
Re: how to configure tls and ldap



On Thursday 11 December 2008 08:04:24 Alfonsas Stonis wrote:
> Hi,
>
> I am trying to configure openldap and tls
> I am following instructions however, I can not start slapd
> http://www.openldap.org/faq/data/cache/185.html
>
> My cn\=config.ldif
>
> olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
> olcTLSCertificateFile: /etc/ldap/ssl/newcert.pem
> olcTLSCertificateKeyFile: /etc/ldap/ssl/demoCA/newreq.pem

[...]

> However there is nothing in log :(
>
> Dec 11 16:47:41 axew0204 slapd[434]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ buildd@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
>
> Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
> Dec 11 16:47:41 axew0204 slapd[434]: slapd stopped.
> Dec 11 16:47:41 axew0204 slapd[434]: connections_destroy: nothing to
> destroy.



The most common causes for this error message, in my experience, are:
- The path to the certificates or key is wrong
- The user slapd runs as cannot access the certificates or keys
- The certificates or keys are in the wrong format

So, I would do this to test:

su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/newcert.pem'

su - ldap -s /bin/bash -c 'openssl rsa -noout -check -in /etc/ldap/ssl/demoCA/newreq.pem'


(replace the user - 'ldap' in this case - with the username your slapd runs 
as).

However, it's probably not the best idea to configure slapd to find the certs 
or keys in the demoCA directory (if you sign another cert on that box, you 
will probably overwrite those files).

(The FAQ entry could also consider recommending to place the SSL key in a 
different file than the CSR ....)

(It may also be worthwhile adding an FAQ entry on this, with the error 
message, as googling the error message doesn't turn up any good answers, just 
bad questions ...)

Regards,
Buchan
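The three checks in Buchan's reply (wrong path, not readable by the slapd user, wrong file format), as an added shell script that is not part of the thread or of OpenLDAP. It takes the slapd user and the three file names from cn=config and reports which of the three conditions fails for which file. The sample files it builds are constructed placeholders with real PEM block headers but no real key material, the directory layout copies the quoted config, and the user name ('ldap' in the reply, 'openldap' on Debian) is an assumption you replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): check the three usual
# causes of "TLS init def ctx failed" for the files named in cn=config.
# The sample PEM files made by make_demo_dir are constructed placeholders
# (PEM headers only, no real keys). The slapd user is an assumption: 'ldap'
# in the reply, 'openldap' on Debian.

# readable_as USER FILE: succeed if USER can read FILE. Switches user with su
# when run as root (as the reply's commands do); otherwise tests as the
# current user and says so on stderr.
readable_as() {
    user=$1; file=$2
    if [ "$user" = "$(id -un)" ]; then
        test -r "$file"
    elif [ "$(id -u)" -eq 0 ]; then
        su - "$user" -s /bin/sh -c "test -r '$file'"
    else
        echo "not root: cannot switch to $user, testing as $(id -un) instead" >&2
        test -r "$file"
    fi
}

# pem_has_block FILE TYPE: succeed if FILE has a "-----BEGIN TYPE-----" line.
# "-----BEGIN CERTIFICATE-----" does not match a CERTIFICATE REQUEST block.
pem_has_block() {
    grep -q "^-----BEGIN $2-----" "$1" 2>/dev/null
}

# pem_has_key FILE: succeed if FILE carries an unencrypted private key in a
# common PEM form (a CSR-only file fails here).
pem_has_key() {
    pem_has_block "$1" "RSA PRIVATE KEY" ||
        pem_has_block "$1" "PRIVATE KEY" ||
        pem_has_block "$1" "EC PRIVATE KEY"
}

# check_tls_files USER CACERT CERT KEY: print one line per problem and return
# the number of problems found (0 means the three files look usable).
check_tls_files() {
    user=$1; ca=$2; cert=$3; key=$4; problems=0
    for f in "$ca" "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "MISSING   $f"; problems=$((problems + 1))
        elif ! readable_as "$user" "$f"; then
            echo "NOACCESS  $f (not readable by $user)"; problems=$((problems + 1))
        fi
    done
    for f in "$ca" "$cert"; do
        if [ -f "$f" ] && ! pem_has_block "$f" CERTIFICATE; then
            echo "BADFORMAT $f (no CERTIFICATE block)"; problems=$((problems + 1))
        fi
    done
    if [ -f "$key" ] && ! pem_has_key "$key"; then
        echo "BADFORMAT $key (no private key block; a CSR is not a key)"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: $ca, $cert and $key exist, are readable by $user and have the expected PEM blocks"
    return "$problems"
}

# make_demo_dir: build a throwaway directory laid out like the reply's
# /etc/ldap/ssl and print its path. Constructed data, not real certificates.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/demoCA"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' > "$d/demoCA/cacert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' > "$d/newcert.pem"
    # the FAQ's CA.pl workflow puts the private key and the CSR in one newreq.pem
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE REQUEST-----' 'MIIB...' '-----END CERTIFICATE REQUEST-----' > "$d/demoCA/newreq.pem"
    # a CSR on its own: the wrong-format case for olcTLSCertificateKeyFile
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIB...' '-----END CERTIFICATE REQUEST-----' > "$d/csr-only.pem"
    echo "$d"
}

# Stand-alone demo on the constructed files. Against a real server run it as
# root with the real user and the paths from cn=config, e.g.
#   check_tls_files openldap /etc/ldap/ssl/demoCA/cacert.pem /etc/ldap/ssl/newcert.pem /etc/ldap/ssl/demoCA/newreq.pem
demo=$(make_demo_dir)
check_tls_files "$(id -un)" "$demo/demoCA/cacert.pem" "$demo/newcert.pem" "$demo/demoCA/newreq.pem"
check_tls_files "$(id -un)" "$demo/demoCA/cacert.pem" "$demo/missing.pem" "$demo/csr-only.pem" || echo "problems found: $?"
rm -rf "$demo"
```

The PEM header test only catches a file of the wrong kind; for the key itself, follow it with `openssl rsa -noout -check -in KEY` as the slapd user. If that prompts for a pass phrase, the key is encrypted, and slapd cannot use an encrypted key because it has no way to ask for the pass phrase at start-up.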