I inherited an openldap installation and am trying to set up a copy of the
database on a test server so I can experiment with it. I copied the
slapd.conf file from the production machine and made the minimal
modifications I had to to get it to work. The production server is running
the debian etch version of slapd, 2.3.30 and the test server is running
lenny's slapd, 2.4.11. One line that I had to comment out was
#TLSCipherSuite HIGH:MEDIUM
I also tried this (which is supposed to be the default):
#TLSCipherSuite ALL:!ADH
If I uncomment either of those lines, slapd will not start. What really
puzzles me is that the second line is supposed to be the default and even
that doesn't work. If I leave them commented out, slapd starts and I can
query the database via ldapsearch specifying the -ZZ option or by specifying
ldaps.
$ ldapsearch -x -ZZ uid=jheim
$ ldapsearch -x -H ldaps://ldap3.math.wisc.edu uid=jheim
Both of those searches work. I'm using a cert from cacert.org. But it
appears to like the cert because the -ZZ works and ldaps works. I even ran
ldapsearch with the -d1 option and saw nothing unusual about the certs. The
only unusual line in the log is this:
Mar 11 11:17:03 lcyoung slapd[10432]: main: TLS init def ctx failed: -1