[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Why TLS is always fail with OpenLdap 2.4.11


"Hunter hu" <hunter.wxhu@gmail.com> writes:

> Hi,
> I have to get help from here , because I was struggling with TLS
> configuration  for weeks.
> during those days , I searched google include this list , still cant pass ,my
> god.
> Does anyone could provide some guide on how to configure the openldap TLS
> connection with step by step, so can reduce our pain ?
> Here I expose the step and try to get help from the senior ldap engineer.
> 1. installed openldap with-tls=openssl
> I add the openssl specially to avoid use gnutls, sometimes, openldap will goto
> find gnutls if c header is there
> install and start slapd succesfully.
> 2. using  ldapsearch -v -h   -b "dc=example,dc=com" -s base
> "objectclass=*"
> I can get the listed information from openldap server, that is ok
> 3. now go for certificate genearation with numerous guide in google , but not
> fit to pass for me
> 3.1 cd /var/myca
>       /usr/local/ssl/misc/CA.sh -newCA
> then will generate demoCA, and cacert.pem  is there, that is ok
> 3.2  /usr/local/ssl/misc/CA.sh -newreq
>      newkey.pem  newreq.pem

on this stage you should only have a newreq.pem no key yet

>     notes : I am using as the common name, is there any issue
> here?

Not if you only call the host by this ip number
> 3.3  /usr/local/ssl/misc/CA.sh -sign
>          then you got newcert.pem

you have to extract the key first

openssl rsa in newreq.pem -out newkey.pem

> now copy into /var/ldap and try to insert into slapd and restart
> TLSCipherSuite MEDIUM:+TLSv1+SSL3+SSL2
> TLSCertificateFile /var/ldap/newcert.pem
> TLSCertificateKeyFile /var/ldap/newkey.pem  ( some guide said should be
> newreq.pem)
> TLSCACertificateFile /var/ldap/cacert.pem
> 4. ftp cacert.pem into client and copy into /var/myca
> using s-client to test at first
> penssl s_client -connect -showcerts -state -CAfile /var/myca
> /cacert.pem -tls1
>  you will got  the error always

This would not work, you have to start slapd with -h ldaps:/// and
connect openssl to port 636


Dieter KlÃnter | Systemberatung
sip: +49.180.1555.7770535