Hello everyone, I hope Im at the right place for these kind of question, please tell me if I’m wrong.
I just installed openldap as a proxy for AD.
The proxy in itself works fine, I have made a few ldapsearch and got result I was expecting.
Now I want to add TLS to it for security reason.
I’m using openldap 2.4.42 on Ubuntu 16.04.1 LTS unfortunately it’s built with gnutls which I don’t know much about
I would have preferred it to be built with openssl.
So Im trying to make TLS work so I added these to slapd.conf
TLSCipherSuite HIGH:!NULL
TLSCACertificateFile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient never
security ssf=128
I also used certtool (gnutls tool) to validate my certificate
I can verify my certificate_chain.cer.pem.gnutls with certtool so the file in itself is okay.
certtool -e --infile certificate_chain.cer.pem.gnutls
Loaded 2 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
I can also verify the whole chain if I make a file containing the 3 certs, CA, Intermediate and Server
certtool -e --infile full_chain.pem --verify-hostname p01ldp5001.services.local --verify-purpose 1.3.6.1.5.5.7.3.1
Loaded 3 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Checked against: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
Yet when I try to start the server I get this error
main: TLS init def ctx failed: -1
Can someone help me with this?
Patrick Ouellet
Administrateur Linux
Operation
VPSI
Groupe Promutuel
2000, boulevard Lebourgneuf, 4e étage, Québec (Québec) G2K 0B6
418 840-1188, poste 2393 / 1 800
510-4630
418 840-9900
Si vous devez imprimer ce document, faites-le recto verso. Si vous n'êtes pas le destinataire de ce message, veuillez le détruire après avoir informé l'expéditeur de son erreur. Par ailleurs, il est interdit de copier ou de modifier tout courriel sans l'autorisation de l'auteur. Promutuel Assurance n'assume aucune responsabilité à l'égard du contenu des messages personnels envoyés par ses employés.
If you need to print this document, please print it double-sided. If you are not the intended recipient of this message, please notify the sender of the error and destroy the message. Please further note that it is prohibited to copy or modify any email without the author’s permission. Promutuel Insurance accepts no liability whatsoever with regard to the content of personal messages sent by its employees.