Re: Re: ldap and tls

Thanks for the troubleshooting hints, comments in line.

Predrag Gavrilovic wrote:

> Are you sure that the problem is not related to something as simple as file
> permissions on the private key for the server certificate? Because that was
> the last time I had problems with openldap and certificates.

Permissions and ownership seem fine.

> gnutls doesn't support the TLS_CACERTDIR option, that is, setting
> TLSCACertificatePath in slapd.conf. That means that the CA certificates
> must reside in a single file. update-ca-certificates can create that
> file for you. As far as I know that is the main difference between using
> one or the other.

I only have one CA certificate. I tried combining it with my other certificate, but this didn't help. Here is the info from my slapd.conf:

# TLS encryption parameters (when I combined the certificates, I
# commented out the TLSCertificateFile line)
TLSCACertificateFile /etc/ldap/certs/ca-certificates.crt
TLSCertificateFile /etc/ldap/certs/ldap.shadlen.crt
TLSCertificateKeyFile /etc/ldap/certs/ldap.shadlen.key
TLSCipherSuite HIGH

> Try stopping slapd, put the certificate information in the config file, and
> start slapd manually with debugging: "slapd -u openldap  -g openldap -h
> ldapi:/// -d255". Are there more indicative error messages?

Here is what I believe are the relevant lines:

TLS: could not set cipher list HIGH.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

Just in case, I have put the full output up on the web:


Also, maybe this is helpful?

test:~# openssl s_client -connect localhost:389 -showcerts
13539:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

thanks for the help,


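The following script is an added example and is not part of the thread or of OpenLDAP; it turns the file-level hints above (key permissions, a single CA bundle file) into checks that can be run before starting slapd. It takes the three paths a slapd.conf names in TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile (the paths in the usage comment are the ones quoted above and are assumed), and it relies only on the openssl command line. It deliberately does not check TLSCipherSuite: a slapd linked against GnuTLS reads that option as a GnuTLS priority string, not an OpenSSL cipher-list name such as HIGH, which is what the "could not set cipher list HIGH" line reports. The openssl s_client test above fails for a different reason: port 389 speaks plain LDAP until STARTTLS is negotiated, and newer OpenSSL releases offer "-starttls ldap" for that.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the three TLS
# files a slapd.conf points at. Run before starting slapd so file-level
# mistakes are ruled out before looking at the TLS library's own errors.

# key_perms_ok KEYFILE: succeeds only if the private key exists and has no
# group or other permission bits set (e.g. mode 600 or 400).
key_perms_ok() {
    key="$1"
    [ -f "$key" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# key_matches_cert KEYFILE CERTFILE: succeeds if the public key derived from
# the private key is byte-for-byte the public key inside the certificate.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_chains_to_ca CAFILE CERTFILE: succeeds if the single-file CA bundle
# (the form a GnuTLS-linked slapd requires) verifies the server certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# tls_preflight CAFILE CERTFILE KEYFILE: prints one line per check and
# returns the number of failed checks (0 means all three passed).
tls_preflight() {
    ca="$1"; cert="$2"; key="$3"; fails=0
    if key_perms_ok "$key"; then
        echo "ok   $key is not group/world readable"
    else
        echo "FAIL $key is missing or readable by group/other"; fails=$((fails + 1))
    fi
    if key_matches_cert "$key" "$cert"; then
        echo "ok   private key matches $cert"
    else
        echo "FAIL private key does not match $cert"; fails=$((fails + 1))
    fi
    if cert_chains_to_ca "$ca" "$cert"; then
        echo "ok   $cert verifies against $ca"
    else
        echo "FAIL $cert does not verify against $ca"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage with the (assumed) paths from the slapd.conf quoted in the thread:
#   sh tls_preflight.sh /etc/ldap/certs/ca-certificates.crt \
#       /etc/ldap/certs/ldap.shadlen.crt /etc/ldap/certs/ldap.shadlen.key
if [ "$#" -eq 3 ]; then
    tls_preflight "$1" "$2" "$3"
fi
```

A non-zero exit status from tls_preflight means the problem is in the files themselves and no amount of slapd debugging output will help; a zero exit status narrows the search to what the TLS library rejects in the configuration, such as the cipher suite string.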