Re: Re: ldap and tls
Thanks for the troubleshooting hints, comments in line.
Predrag Gavrilovic wrote:
> Are you sure that problem is not related to something simple as file
> permissions on private key for server certificate? Because that is
> only the last time when I had problems with openldap and certificates.
Permissions and ownership seem fine.
> gnutls doesn't support TLS_CACERTDIR option, that is setting
> TLSCACertificatePath in slapd.conf. That means that CA certificates
> must reside in single file. update-ca-certificates can create that
> file for you. As far as I know that is main difference between using
> one or the other.
I only have one CA certificate. I tried combining with my other
certificate, but this didn't help. Here is the info from my slapd.conf:
# TLS encryption parameters (when I combined the certificates, I
# commented out the TLSCertificateFile line)
TLSCACertificateFile /etc/ldap/certs/ca-certificates.crt
TLSCertificateFile /etc/ldap/certs/ldap.shadlen.crt
TLSCertificateKeyFile /etc/ldap/certs/ldap.shadlen.key
TLSCipherSuite HIGH
> Try stopping slapd, put certificate information in config file, and
> start slapd manually with debugging "slapd -u openldap -g openldap -h
> ldapi:/// -d255". Are there more indicative error messages?
Here is what I believe are the relevant lines:
TLS: could not set cipher list HIGH.
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Just in case, I have put the full output up on the web:
http://www.shadlen.org/~maria/pmwiki/Work/Error-log
Also, maybe this is helpful?
test:~# openssl s_client -connect localhost:389 -showcerts
CONNECTED(00000003)
13539:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
thanks for the help,
maria
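As an added example (not code from the thread or from OpenLDAP), a small Python checker for the three causes raised above: TLSCACertificatePath instead of a single CA file under GnuTLS, a private key readable by everyone, and a TLSCipherSuite value written in OpenSSL cipher-list syntax rather than as a GnuTLS priority string, which is what "could not set cipher list HIGH" points at on a GnuTLS-linked slapd. The config text, file names and the keyword list are assumptions made for the demo.

```python
import os, stat, tempfile

# Directives that control how slapd sets up TLS in slapd.conf.
TLS_DIRECTIVES = {"TLSCACertificateFile", "TLSCACertificatePath",
                  "TLSCertificateFile", "TLSCertificateKeyFile", "TLSCipherSuite"}
# GnuTLS priority strings start with one of these; "HIGH" is OpenSSL syntax.
GNUTLS_KEYWORDS = {"NORMAL", "SECURE128", "SECURE192", "SECURE256",
                   "PERFORMANCE", "PFS", "LEGACY", "NONE", "@SYSTEM"}

def parse_tls_directives(text):
    """Map each TLS* directive to its value, skipping blank and comment lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found

def check_tls_config(text, gnutls=True):
    """Return findings for the failure causes discussed in the thread."""
    d, findings = parse_tls_directives(text), []
    if gnutls and "TLSCACertificatePath" in d:
        findings.append("TLSCACertificatePath unsupported with GnuTLS; use one TLSCACertificateFile")
    key = d.get("TLSCertificateKeyFile")
    if not key or not os.path.isfile(key):
        findings.append(f"TLSCertificateKeyFile {key} is missing")
    elif stat.S_IMODE(os.stat(key).st_mode) & stat.S_IROTH:
        findings.append(f"private key {key} is world-readable")  # only slapd's user needs it
    suite = d.get("TLSCipherSuite", "")
    if gnutls and suite and suite.split(":")[0].upper() not in GNUTLS_KEYWORDS:
        findings.append(f"TLSCipherSuite {suite!r} is not a GnuTLS priority string")
    return findings

def demo():
    """Check a constructed config (placeholder files, not real certificates)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca.crt", "ldap.crt", "ldap.key"):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(p, 0o644)  # world-readable, including the private key
        conf = (f"TLSCACertificateFile {d}/ca.crt\nTLSCertificateFile {d}/ldap.crt\n"
                f"TLSCertificateKeyFile {d}/ldap.key\nTLSCipherSuite HIGH\n")
        return check_tls_config(conf)
```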