Re: Having issue with openldap with TLS as a AD proxy
- To: openldap-technical@openldap.org
- Subject: Re: Having issue with openldap with TLS as a AD proxy
- From: Dieter Klünter <dieter@dkluenter.de>
- Date: Sat, 3 Dec 2016 22:43:28 +0100
- In-reply-to: <F9900C08972A3E4BBFAFB7E7623DF1F09A4533B9@P01MBX0002.promutuel.local>
- Organization: AVCI
- References: <F9900C08972A3E4BBFAFB7E7623DF1F09A4533B9@P01MBX0002.promutuel.local>
On Fri, 2 Dec 2016 12:17:07 +0000,
<Patrick.Ouellet@promutuel.ca> wrote:
> Hello everyone, I hope I'm at the right place for this kind of
> question, please tell me if I'm wrong.
>
> I just installed openldap as a proxy for AD.
> The proxy in itself works fine, I have made a few ldapsearch and got
> result I was expecting.
>
> Now I want to add TLS to it for security reasons.
>
> I’m using openldap 2.4.42 on Ubuntu 16.04.1 LTS unfortunately it’s
> built with gnutls which I don’t know much about I would have
> preferred it to be built with openssl.
>
> So I'm trying to make TLS work so I added these to slapd.conf
>
> TLSCipherSuite HIGH:!NULL
> TLSCACertificateFile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
> TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem
> TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
> TLSVerifyClient never
> security ssf=128
>
> I also used certtool (gnutls tool) to validate my certificate
>
> I can verify my certificate_chain.cer.pem.gnutls with certtool so the
> file in itself is okay.
>
> certtool -e --infile certificate_chain.cer.pem.gnutls
> Loaded 2 certificates, 1 CAs and 0 CRLs
>
> Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
> Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
> Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
> Output: Verified. The certificate is trusted.
>
> Chain verification output: Verified. The certificate is trusted.
>
> I can also verify the whole chain if I make a file containing the 3
> certs, CA, Intermediate and Server
>
> certtool -e --infile full_chain.pem --verify-hostname p01ldp5001.services.local --verify-purpose 1.3.6.1.5.5.7.3.1
> Loaded 3 certificates, 1 CAs and 0 CRLs
>
> Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
> Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
> Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
> Output: Verified. The certificate is trusted.
>
> Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
> Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
> Checked against: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
> Output: Verified. The certificate is trusted.
>
> Chain verification output: Verified. The certificate is trusted.
>
> Yet when I try to start the server I get this error
>
> main: TLS init def ctx failed: -1
>
> Can someone help me with this?
man slapd.conf(5), search for TLS Options for GnuTLS, in particular
TLSCipherSuite options.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
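Added example (editor's note, not part of the thread): the pointer to the GnuTLS section of slapd.conf(5) is about TLSCipherSuite syntax. On a GnuTLS build, slapd hands the TLSCipherSuite value to GnuTLS as a priority string; "HIGH:!NULL" is OpenSSL cipher-list syntax, so the priority string is rejected and TLS context initialisation fails before the certificate files are even looked at. The fragment below puts the rejected line beside a GnuTLS-style one. File paths and the ssf setting are copied from the original post; the chosen priority string is an illustrative assumption, not something the thread prescribes.

```conf
# Added example, not from the thread: TLS section of slapd.conf for an
# OpenLDAP linked against GnuTLS (Ubuntu 16.04 packages). Paths and
# "security ssf=128" are from the original post; the priority string is
# an assumption made for illustration.

# Rejected on a GnuTLS build: OpenSSL cipher-list syntax. GnuTLS does not
# know the keyword HIGH, the priority string fails to parse, and slapd
# stops at startup with "TLS init def ctx failed: -1".
#TLSCipherSuite HIGH:!NULL

# Accepted: a GnuTLS priority string. SECURE128 enables only ciphersuites
# offering at least 128-bit security, which also meets "security ssf=128"
# below. Further terms use GnuTLS syntax, e.g. "SECURE128:-VERS-TLS1.0"
# to additionally drop TLS 1.0.
TLSCipherSuite SECURE128

TLSCACertificateFile  /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile    /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient       never

# Refuse operations on connections that do not reach 128-bit strength,
# i.e. force TLS for everything.
security ssf=128
```

A priority string can be checked with the GnuTLS tools before restarting slapd: `gnutls-cli --priority 'SECURE128' -l` lists the ciphersuites the string enables, while `gnutls-cli --priority 'HIGH:!NULL' -l` reports a syntax error. If slapd still fails after the change, running it in the foreground with debugging (for example `slapd -d -1 -f /etc/ldap/slapd.conf`) prints the TLS layer's own message ahead of the generic "TLS init def ctx failed" line, which is where the next cause (unreadable key file, mismatched key and certificate) would show up.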