i've installed openldap. starts fine without SSL/TLS.
if SSL/TLS is enabled, slapd fails to launch @ error: "main: TLS init def ctx failed: -1".
googling the issue, suggestions are cert problems. mine, i believe, are OK.
any ideas as to what the problem is?
here's what i've done/checked so far:
i've installed openldap from rpm's,
    rpm -qa | grep openldap
    openldap2-back-perl-2.4.11-5.1
    openldap2-client-2.4.11-6.1
    openldap2-2.4.11-5.1
    openldap2-back-meta-2.4.11-5.1
without TLS/SSL, the service starts,
    service ldap start
    Starting ldap-server                 done

    ps ax | grep slapd
    6062 ?  S<sl  0:00 /usr/lib/openldap/slapd -h ldap:// -f /etc/openldap/slapd.conf -u ldap -g ldap -4 -o slp=on
if i add TLS/SSL config to /etc/openldap/slapd.conf,
    ...
    TLSCertificateFile    /etc/apache2/ssl.crt/svr.crt
    TLSCertificateKeyFile /etc/apache2/ssl.key/svr.key
    TLSCACertificateFile  /etc/apache2/ssl.crt/ca.crt
    TLSCipherSuite        TLSv1+HIGH:!aNULL:@STRENGTH
    TLSVerifyClient       never
    ...
service fails to start,
    service ldap start
    Starting ldap-server                 failed
and log reports,
    Aug 15 10:02:01 auth slapd[6139]: main: TLS init def ctx failed: -1
    Aug 15 10:02:01 auth slapd[6139]: slapd destroy: freeing system resources.
    Aug 15 10:02:01 auth slapd[6139]: slapd stopped.
    Aug 15 10:02:01 auth slapd[6139]: connections_destroy: nothing to destroy.
    Aug 15 10:02:01 auth slapd[6139]: daemon: SLPDereg(ldap://) failed with -20, cookie = 0
the certs/keys i'm using are the ones used by my apache server,

    SSLCertificateFile    /etc/apache2/ssl.crt/svr.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/svr.key
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca.crt
    SSLCipherSuite        TLSv1+HIGH:!aNULL:@STRENGTH
    SSLVerifyClient       none
    SSLVerifyDepth        1
and SSL works there without problem.
the keys & certs check out ok,
    ------
    openssl rsa -noout -text -in "/etc/apache2/ssl.key/svr.key"
    Private-Key: (2048 bit)
    modulus:
        00:d2:3e:45:1c:09:10:d2:a1:c6:61:c2:fa:ad:35:
        ...
        23:97
    publicExponent: 65537 (0x10001)
    privateExponent:
        00:b0:82:00:e9:69:9f:0b:07:30:93:30:eb:dd:f1:
        ...
        48:01
    prime1:
        00:ea:8e:ea:13:2c:71:be:3c:68:8b:5e:7a:c8:1e:
        ...
        cf:ea:b4:92:2a:e5:14:1c:01
    prime2:
        00:e5:76:57:25:91:72:eb:ac:19:74:9a:2d:85:65:
        ...
        a9:81:b0:7f:b4:f3:f1:9f:97
    exponent1:
        06:2b:94:44:c4:da:89:22:95:ad:74:e2:cd:f8:dd:
        ...
        62:95:35:73:23:6b:90:01
    exponent2:
        1a:a4:1f:c0:1b:e0:04:de:c9:61:d1:58:c1:a9:2c:
        ...
        44:e6:72:1d:57:49:51:67
    coefficient:
        12:11:93:09:34:3e:ae:41:2d:dc:78:f3:11:e0:da:
        ...
        73:80:99:ec:78:b3:4c:90

    openssl x509 -noout -text -in "/etc/apache2/ssl.crt/ca.crt"
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 12...21 (0x...5d)
            Signature Algorithm: sha512WithRSAEncryption
            Issuer: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
            Validity
                Not Before: Aug 15 02:43:41 2008 GMT
                Not After : Aug 15 02:43:41 2009 GMT
            Subject: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (4096 bit)
                    Modulus (4096 bit):
                        00:f3:ee:cf:21:bc:49:59:1a:e0:62:5b:df:87:9e:
                        ...
                        9b:fb:1d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                Netscape Comment:
                    SS ROOT CA CERT
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
                Netscape Cert Type:
                    SSL CA, S/MIME CA
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier:
                    3B:...:32
                X509v3 Authority Key Identifier:
                    keyid:3B:...:32
                    DirName:/C=US/ST=ST/L=CITY/O=TEST/OU=TEST/CN=TEST_CA
                    serial:48:...:5D
        Signature Algorithm: sha512WithRSAEncryption
            da:02:bb:96:3a:72:83:73:15:8c:c9:1d:1d:41:47:2c:9e:7b:
            ...
            70:d0:ac:96:09:7d:28:e2

    openssl x509 -noout -text -in "/etc/apache2/ssl.crt/svr.crt"
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
            Signature Algorithm: sha512WithRSAEncryption
            Issuer: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
            Validity
                Not Before: Aug 15 02:49:19 2008 GMT
                Not After : Aug 15 02:49:19 2009 GMT
            Subject: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=*.testdomain.net/emailAddress=postmaster@testdomain.net
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:d2:3e:45:1c:09:10:d2:a1:c6:61:c2:fa:ad:35:
                        ...
                        23:97
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Client, S/MIME, Object Signing
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
                X509v3 Extended Key Usage: critical
                    Code Signing, Time Stamping, TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Key Identifier:
                    00:...:1B
                X509v3 Authority Key Identifier:
                    keyid:3B:...:32
        Signature Algorithm: sha512WithRSAEncryption
            5b:56:cb:38:40:62:ae:13:9a:e7:c3:d8:a9:2f:e6:04:fc:32:
            ...
            ff:29:74:52:73:28:fa:ca
    ------