
Re: Getting SSL/TSL to work



Pupeno writes:
> Now I'm trying to use that certificate for LDAP, I configured it this
> way:
>
> TLSCipherSuite HIGH:MEDIUM
> TLSCertificateFile /etc/certificates/server.crt
> TLSCertificateKeyFile /etc/certificates/server.key

The server may also need the certificates of recognized Certificate
Authorities; at least the CA certificate which signed the server
certificate.  I.e.
       TLSCACertificateFile <filename>
       TLSCACertificatePath <path> in slapd.conf.  See 'man slapd.conf'
or the OpenLDAP Admin Guide;
<http://www.openldap.org/doc/admin22/tls.html>.  Possibly that is not
true for very old versions; I don't see it in the man page for RedHat's
ancient OpenLDAP 2.0.27.  Similarly, put TLS_CACERT or TLS_CACERTDIR in
ldap.conf so the clients can verify the server certificate, though that
does not affect slapd startup.

If that's not it, check that the user which slapd runs as (e.g. if you
use slapd -u <user>) has read access to the certificate and key files.

> Mar 10 16:56:13 master slapd[6814]: daemon: socket() failed errno=97
> (Address family not supported by protocol)
> Mar 10 16:56:13 master slapd[6814]: daemon: socket() failed errno=97
> (Address family not supported by protocol)

These probably come from attempts to open 'ldap:///' and 'ldaps:///'
URLs with both IPv4 and IPv6, while only IPv4 is enabled on your host.
If so they are harmless, but you can suppress them by only
attempting to use IPv4, with the slapd -4 option.  (Or I suppose it
could be the other way around, with only IPv6 and not IPv4 enabled :-)

-- 
Hallvard
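The pre-start checks Hallvard describes, as an added example that is not code from the thread or from OpenLDAP: a POSIX shell script that reads a slapd.conf, confirms that TLSCertificateFile and TLSCertificateKeyFile are set and readable, and confirms that TLSCACertificateFile or TLSCACertificatePath is configured and present. It assumes each directive sits on one line and it does not verify the certificate chain itself.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity-check the TLS
# directives in a slapd.conf before starting slapd. Run it as the user
# slapd runs as (the "slapd -u <user>" case) so the read checks are real.

# Print the value of directive $2 from config file $1 (empty if unset).
# slapd.conf directive names are case-insensitive, so compare lowercased.
slapd_get() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Report a problem and remember that something failed.
fail() {
    echo "$1"
    rc=1
}

# Check one slapd.conf: cert and key must be set and readable, and a CA
# source (TLSCACertificateFile or TLSCACertificatePath) must exist.
# Returns 0 when every check passes, 1 otherwise.
check_slapd_tls() {
    conf="$1"
    rc=0
    for d in TLSCertificateFile TLSCertificateKeyFile; do
        f=$(slapd_get "$conf" "$d")
        if [ -z "$f" ]; then
            fail "missing: $d"
        elif [ ! -r "$f" ]; then
            fail "unreadable: $d $f"
        fi
    done
    cafile=$(slapd_get "$conf" TLSCACertificateFile)
    capath=$(slapd_get "$conf" TLSCACertificatePath)
    if [ -z "$cafile" ] && [ -z "$capath" ]; then
        fail "missing: TLSCACertificateFile or TLSCACertificatePath"
    fi
    if [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        fail "unreadable: TLSCACertificateFile $cafile"
    fi
    if [ -n "$capath" ] && [ ! -d "$capath" ]; then
        fail "not a directory: TLSCACertificatePath $capath"
    fi
    return "$rc"
}

# Usage: sh check_slapd_tls.sh /etc/openldap/slapd.conf
if [ "$#" -eq 1 ]; then
    check_slapd_tls "$1"
fi
```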