
Re: OpenLDAP/TLS main: TLS init def ctx failed: -207



Harry Jede wrote:
On Sunday, 25 January 2009 19:05, Technical Home wrote:
Hello,

I now try to add SSL/TLS support to my OpenLDAP server 2.4.11 .
So I create a CA and a signed certificate by this CA. This point
seems to be ok :

------------------------------------------------------------------------
root@SERVER:~# openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/SERVER.crt
/etc/ssl/certs/SERVER.crt: OK
------------------------------------------------------------------------

And I add it to my slapd configuration with the following commands, as
specified in the Ubuntu documentation
(https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-configuration)

------------------------------------------------------------------------
root@SERVER:~# ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem

modifying entry "cn=config"
------------------------------------------------------------------------

But when restarting slapd, I always obtain this output:
------------------------------------------------------------------------
root@SERVER:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
	buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
main: TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.
------------------------------------------------------------------------


I searched all Sunday long for what this "main: TLS init def ctx
failed: -207" could be, but I was not able to find what causes it. In
the openssl file ssl.h, code 207 refers to the macro "#define
SSL_F_SSL_VERIFY_CERT_CHAIN 207". It seems to mean that it (slapd or
openssl?) can't verify my certificate chain, but I had just verified my
certificate with the openssl command, which told me it is OK. I'm lost.
Can you help me?
Maybe,

try

 ldd $(which slapd)

You may see that slapd is built with gnutls and not openssl :-)




You have two different solutions to fix this:

1. Use the tool certtool from gnutls, in package gnutls-bin. The doc is in gnutls-doc, or use the doc from the qemu/kvm packages and look there for vnc.

2. Create a copy of /etc/ssl/certs/cacert.pem and reorder your certificates. gnutls expects just the opposite order to openssl :-(


Thanks in advance,
Regards,
Gilles

Thanks again, Harry! You are right. I followed the gnutls.pdf documentation and this link: http://www.linuxsecurityforum.org/f5/how-to-create-a-certificate-authority-and-gnutls-t100.html

And here we go ^^ :

----------------------------------------------------------------------------------------------------------------
root@SERVER:~# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
root@SERVER:~# nmap localhost

Starting Nmap 4.62 ( http://nmap.org ) at 2009-01-28 00:05 CET
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 1711 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.205 seconds
root@SERVER:~# nmap 192.168.1.200

Starting Nmap 4.62 ( http://nmap.org ) at 2009-01-28 00:05 CET
Interesting ports on 192.168.1.200:
Not shown: 1711 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.203 seconds
----------------------------------------------------------------------------------------------------------------


But is using gnutls new in OpenLDAP? Hard to find this via Google.
The Ubuntu documentation refers to openssl despite the documentation update for the Ubuntu 8.10 Intrepid version: https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-configuration


But thanks again, Harry, now I will sleep better, I think.
You won a virtual French beer! ^^

Bye
Gilles
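The two checks Harry's answer boils down to, written out as a small POSIX shell script. This is an added example, not code from the thread or from OpenLDAP: it (a) runs ldd on a binary and reports whether it links GnuTLS or OpenSSL, and (b) rewrites a PEM bundle for a GnuTLS-built slapd. Two things are worth knowing here that the thread only hints at. First, "openssl verify" succeeding says nothing about whether GnuTLS can parse the file: a return value of -207 is GnuTLS's GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR, which the GnuTLS 2.x parser reports when it meets text it does not expect in front of a certificate block, for example the human-readable dump that "openssl ca" and "openssl x509 -text" write before "-----BEGIN CERTIFICATE-----". So the script first strips everything outside BEGIN/END CERTIFICATE blocks. Second, it offers the block reordering Harry suggests as solution 2, as a separate function, so you can try the stripped file on its own before reordering. The function names and the constructed sample bundle used in the usage section are my own; the fake base64 bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check which TLS
# library slapd is linked against, and normalise a PEM bundle so that a
# GnuTLS-built slapd will load it.

# Report "gnutls", "openssl" or "unknown" for the binary given as $1,
# based on the shared libraries ldd lists (Harry's "ldd $(which slapd)").
slapd_tls_lib() {
    libs=$(ldd "$1" 2>/dev/null || true)
    case "$libs" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo unknown ;;
    esac
}

# Keep only the base64 certificate blocks of the file given as $1.
# Drops the textual dump that "openssl ca" / "openssl x509 -text" put in
# front of each certificate, which GnuTLS 2.x refuses (error -207).
pem_certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }' "$1"
}

# Same as pem_certs_only, but emit the certificate blocks in reverse
# order (Harry's solution 2: GnuTLS wants the opposite order to OpenSSL).
pem_reverse_blocks() {
    pem_certs_only "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        { blk[n] = blk[n] $0 "\n" }
        END { for (i = n; i >= 1; i--) printf "%s", blk[i] }'
}

# Number of certificate blocks in $1, to confirm nothing was lost.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Usage when run with arguments:  ./tlscheck.sh /usr/sbin/slapd cacert.pem
# Writes cacert.pem.gnutls next to the bundle; check it afterwards with
#   certtool -i --infile cacert.pem.gnutls
# before pointing olcTLSCACertificateFile at it.
if [ "$#" -ge 2 ]; then
    echo "$1 links: $(slapd_tls_lib "$1")"
    echo "$2 contains $(pem_count "$2") certificate block(s)"
    pem_certs_only "$2" > "$2.gnutls"
    echo "wrote $2.gnutls (text dumps removed, original order kept)"
fi
```

Point olcTLSCACertificateFile at the stripped copy first; only if slapd still refuses it, generate the reversed variant with pem_reverse_blocks and try that. Keep the original bundle untouched, as Harry says, so the OpenSSL-side tooling keeps working.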