We need to either remove this document from the web site, or remove the part that tells how to create a self-signed server cert. Anyone deploying TLS with their own certs should be creating their own CA separately from their server certs. And telling folks to create cert files where the private key is included in the same file is utterly irresponsible.
-------- Original Message --------
Subject: TLS init def ctx failed: -1
Date: Thu, 2 Jul 2009 12:39:21 +0200
From: François Mehault <Francois.Mehault@netplus.fr>
To: openldap-technical@openldap.org
Hi all
I am contacting you because I have not succeeded in configuring my OpenLDAP with TLS.
First I created a self-signed certificate, server.pem, as described on this page http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#5.1.1, in /usr/local/etc/openldap/tls.
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
Then I added these lines to slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/tls/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/tls/server.pem
TLSCACertificateFile /usr/local/etc/opendldap/tls/server.pem
TLSVerifyClient never
Then I restarted slapd (/usr/local/etc/rc.d/slapd stop, then start).
And in /var/log/debug.log I have:
Jul 2 12:18:39 labobe2 slapd[97816]: main: TLS init def ctx failed: -1
Jul 2 12:18:39 labobe2 slapd[97816]: slapd destroy: freeing system resources.
Jul 2 12:18:39 labobe2 slapd[97816]: syncinfo_free: rid=001
Jul 2 12:18:39 labobe2 slapd[97816]: slapd stopped.
I use FreeBSD 7.
If someone can help me, I would appreciate it; thanks in advance.
Regards,
François
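What the reply above is asking for, as an added example written for this thread (it is not code from either poster or from the OpenLDAP project): a CA created separately from any server certificate, a server certificate signed by that CA, the server's private key in its own mode-0600 file, and a small lint pass over the three slapd.conf TLS directives. The lint reports the patterns visible in the quoted configuration: a key sharing a file with its certificate, a TLSCACertificateFile that just points at the server certificate again, and a path that cannot be read (compare the spelling of the TLSCACertificateFile path in the quoted slapd.conf). The directory $TLSDIR, the CN values and the hostname ldap.example.com are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not from the list posters or OpenLDAP): build a
# private CA, issue a slapd server certificate from it, keep the server key in
# its own root-only file, and sanity-check the three slapd.conf TLS directives.
# $TLSDIR, the CN values and the hostname are assumptions.
set -eu

TLSDIR="${TLSDIR:-$(mktemp -d)}"

# 1. A CA that is separate from any server certificate. Its key signs server
#    certs and is never referenced from slapd.conf. (-nodes keeps this script
#    non-interactive; a real CA key should be passphrase-protected and kept
#    off the LDAP host.)
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example LDAP CA" \
    -keyout "$TLSDIR/ca.key" -out "$TLSDIR/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$TLSDIR/ca.ext"
  openssl x509 -req -days 3650 -in "$TLSDIR/ca.csr" -signkey "$TLSDIR/ca.key" \
    -extfile "$TLSDIR/ca.ext" -out "$TLSDIR/ca.crt" 2>/dev/null
  chmod 600 "$TLSDIR/ca.key"
  chmod 644 "$TLSDIR/ca.crt"
}

# 2. Server key + CSR, signed by the CA. Key and certificate are separate
#    files; the SAN carries the hostname clients will connect to.
make_server_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$TLSDIR/server.key" -out "$TLSDIR/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
    > "$TLSDIR/server.ext"
  openssl x509 -req -days 365 -in "$TLSDIR/server.csr" \
    -CA "$TLSDIR/ca.crt" -CAkey "$TLSDIR/ca.key" -CAcreateserial \
    -extfile "$TLSDIR/server.ext" -out "$TLSDIR/server.crt" 2>/dev/null
  chmod 600 "$TLSDIR/server.key"
  chmod 644 "$TLSDIR/server.crt"
}

# 3. Emit the slapd.conf TLS directives for a cert/key/CA triple
#    (arguments: output file, certificate, key, CA certificate).
write_conf() {
  printf 'TLSCertificateFile %s\nTLSCertificateKeyFile %s\nTLSCACertificateFile %s\nTLSVerifyClient never\n' \
    "$2" "$3" "$4" > "$1"
}

# 4. Lint those directives: every path readable, key not inside the cert file,
#    CA not just the server cert again, key not world-readable. Prints one
#    line per finding and returns 1 if anything is wrong.
check_slapd_tls() {
  conf="$1"; rc=0
  cert=$(awk '$1=="TLSCertificateFile"{print $2}' "$conf")
  key=$(awk '$1=="TLSCertificateKeyFile"{print $2}' "$conf")
  ca=$(awk '$1=="TLSCACertificateFile"{print $2}' "$conf")
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "cannot read: ${f:-<missing directive>}"; rc=1; }
  done
  [ "$cert" != "$key" ] || { echo "private key shares a file with the certificate"; rc=1; }
  [ "$ca" != "$cert" ] || { echo "TLSCACertificateFile is the server certificate, not a separate CA"; rc=1; }
  if [ -r "$key" ] && [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
    echo "private key is world-readable: $key"; rc=1
  fi
  return $rc
}

# Build everything, verify the chain, write the config fragment and lint it.
main() {
  make_ca
  make_server_cert "$1"
  openssl verify -CAfile "$TLSDIR/ca.crt" "$TLSDIR/server.crt"
  write_conf "$TLSDIR/slapd-tls.conf" "$TLSDIR/server.crt" "$TLSDIR/server.key" "$TLSDIR/ca.crt"
  check_slapd_tls "$TLSDIR/slapd-tls.conf"
  echo "TLS material and slapd.conf fragment written to $TLSDIR"
}

# Usage: sh mkldapca.sh run ldap.example.com
if [ "${1:-}" = "run" ]; then
  main "${2:-ldap.example.com}"
fi
```

The fragment written to $TLSDIR/slapd-tls.conf is what goes into slapd.conf in place of the three quoted directives (with TLSDIR set to the real certificate directory); clients then trust ca.crt only, and a compromised LDAP host exposes the server key but not the CA key. The same check_slapd_tls function can be run against an existing slapd.conf before restarting slapd, which is cheaper than reading "TLS init def ctx failed" out of debug.log afterwards.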