Re: TLSCipherSuite crashes slapd

John G. Heim wrote:
> I inherited an openldap installation and am trying to set up a copy of the
> database on a test server so I can experiment with it. I copied the
> slapd.conf file from the production machine and made the minimal
> modifications I had to to get it to work. The production server is running
> the debian etch version of slapd, 2.3.30 and the test server is running
> lenny's slapd, 2.4.11. One line that I had to comment out was

Most likely Debian lenny's slapd was built with GnuTLS, not OpenSSL. Read the slapd.conf(5) manpage that accompanies the lenny build; it will tell you how to get the set of valid cipher suites for GnuTLS. They're (obviously) not the same as for OpenSSL.

> I also tried this (which is supposed to be the default):
>
> #TLSCipherSuite          ALL:!ADH
>
> If I uncomment either of those lines, slapd will not start. What really
> puzzles me is that the second line is supposed to be the default and even
> that doesn't work. If I leave them commented out, slapd starts and I can
> query the database via ldapsearch specifying the -ZZ option or by specifying
>
> $ ldapsearch -x -ZZ uid=jheim
> $ ldapsearch -x -H ldaps://ldap3.math.wisc.edu uid=jheim
>
> Both of those searches work.  I'm using a cert from cacert.org. But it
> appears to like the cert because the -ZZ works and ldaps works. I even ran
> ldapsearch with the -d1 option and saw nothing unusual about the certs. The
> only unusual line in the log is this:
> Mar 11 11:17:03 lcyoung slapd[10432]: main: TLS init def ctx failed: -1

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
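A small helper illustrating the point of the reply (added here; not from the thread or from the OpenLDAP project): it reads `ldd slapd` output to tell a GnuTLS build from an OpenSSL one, then picks that library's own CLI to check a TLSCipherSuite value before it goes into slapd.conf, and recognises the startup log line quoted above. The ldd lines and log line are constructed samples, and using `gnutls-cli -l --priority` / `openssl ciphers -v` as the validators is my assumption about those tools, not something the thread states.

```shell
#!/bin/sh
# Which TLS library was slapd built against, and does a TLSCipherSuite value parse with it?

# Constructed sample `ldd /usr/sbin/slapd` output for a GnuTLS build (lenny style).
SAMPLE_LDD_GNUTLS='libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f0000000000)
libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
# Constructed sample for an OpenSSL build.
SAMPLE_LDD_OPENSSL='libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f0000000000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f0000100000)'
# Constructed slapd log line in the shape of the one quoted in the thread.
SAMPLE_LOG='Mar 11 11:17:03 lcyoung slapd[10432]: main: TLS init def ctx failed: -1'

# tls_backend LDD_OUTPUT: print gnutls, openssl or unknown.
tls_backend() {
    case "$1" in
        *libgnutls*) echo gnutls ;;
        *libssl.*)   echo openssl ;;
        *)           echo unknown ;;
    esac
}

# cipher_check_cmd BACKEND SPEC: print the command that asks the library itself
# whether SPEC is a valid cipher list (OpenSSL) or priority string (GnuTLS).
# Assumed tool syntax: `openssl ciphers -v` and `gnutls-cli -l --priority`.
cipher_check_cmd() {
    case "$1" in
        openssl) printf "openssl ciphers -v '%s'\n" "$2" ;;
        gnutls)  printf "gnutls-cli -l --priority '%s'\n" "$2" ;;
        *)       echo "unknown TLS backend: $1" >&2; return 1 ;;
    esac
}

# tls_init_failed LOGLINE: succeed if the line is slapd refusing its TLS
# context at startup, the symptom of a cipher string the library rejects.
tls_init_failed() {
    case "$1" in
        *'TLS init def ctx failed'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration: 'ALL:!ADH' is OpenSSL syntax (the thread's value); NORMAL is a GnuTLS priority keyword.
for ldd_out in "$SAMPLE_LDD_GNUTLS" "$SAMPLE_LDD_OPENSSL"; do
    backend=$(tls_backend "$ldd_out")
    case "$backend" in gnutls) spec=NORMAL ;; *) spec='ALL:!ADH' ;; esac
    echo "slapd linked against: $backend"
    cipher_check_cmd "$backend" "$spec"
done
tls_init_failed "$SAMPLE_LOG" && echo 'log: TLS context init failed at startup'
```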