On Tue, Jan 23, 2007 at 09:57:02PM +0100, Iñaki wrote:
Hi, this is my first post to the list.
I get an error when trying to run slapd with TLS options. I've looked a lot and sincerely don't know what I'm doing wrong.
I use Debian Sarge.
These are the steps I follow to create and configure the TLS certificate:
- Create a directory ssl:
#> mkdir /etc/ldap/ssl
#> cd /etc/ldap/ssl
- Generate a private/public key:
#> /usr/lib/ssl/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
.++++++
...................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: *****
Verifying - Enter PEM pass phrase: *****
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Vizcaya
Locality Name (eg, city) []:Barakaldo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.net
Organizational Unit Name (eg, section) []:debian
Common Name (eg, YOUR name) []:debian.domain.net
Email Address []:ibc@domain.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
- Remove the password from the unique "newreq.pem" created:
#> openssl rsa -in newreq.pem -out key.pem
Enter pass phrase for newreq.pem: *****
writing RSA key
- Edit the certificate to remove the key and rename:
#> vi newreq.pem
[...]
#> mv newreq.pem cert.pem
don't you need to sign it here?
- Change permissions for the key:
#> chmod 600 key.pem
- Now I have the certificate and the key:
#> ls -l
-rw-r--r-- 1 root root 708 2007-01-23 21:35 cert.pem
-rw------- 1 root root 887 2007-01-23 21:35 key.pem
- Configure slapd.conf:
TLSCipherSuite HIGH
TLSCertificateFile /etc/ldap/ssl/cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/key.pem
- Save and restart slapd:
#> /etc/init.d/slapd restart
Stopping OpenLDAP: slurpd slapd.
Starting OpenLDAP: running BDB recovery, slapd - failed.
The operation failed but no output was produced. For hints on what went wrong
please refer to the system's logfiles (e.g. /var/log/syslog) or try running
the daemon in Debug mode like via "slapd -d 16383" (warning: this will create
copious output).
- The syslog says:
Jan 23 21:38:20 debian slapd[2339]: @(#) $OpenLDAP: slapd 2.2.23 (May 30 2005 08:52:42) $ ^I@pulsar:/home/torsten/packages/openldap/openldap2.2-2.2.23/debian/build/servers/slapd
Jan 23 21:38:20 debian slapd[2339]: bdb_db_init: Initializing BDB database
Jan 23 21:38:20 debian slapd[2339]: main: TLS init def ctx failed: -1
Jan 23 21:38:20 debian slapd[2339]: slapd stopped.
Jan 23 21:38:20 debian slapd[2339]: connections_destroy: nothing to destroy.
can you tell me what happens when you run
openssl x509 -in /etc/ldap/ssl/cert.pem -noout -text
and if this works
openssl rsa -in /etc/ldap/ssl/key.pem -noout -text
Could you tell me why this error occurs? I've read in many sites about those exact steps to configure TLS in OpenLDAP but it doesn't work for me.
Thanks in advance for any help. Regards.
-- Iñaki Baz Castillo
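The following is an added example, not part of the thread above and not from OpenLDAP or Debian. It reproduces the situation the reply is probing: "CA.pl -newreq" writes a certificate *request* into newreq.pem, so renaming that file to cert.pem gives slapd a CSR where it expects an X.509 certificate, and the two checks the reply suggests (openssl x509 -noout -text on the cert, openssl rsa -noout -text on the key) expose this. The script also goes slightly beyond the thread: it performs the missing signing step as a self-signed certificate (openssl x509 -req -signkey) rather than via CA.pl -sign, and adds a public-key comparison so that a cert/key mismatch is caught before slapd is restarted. It assumes the openssl command-line tool is installed; the directory, file names and the CN "ldap.example.test" are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.

# Return 0 if FILE parses as an X.509 certificate, 1 otherwise.
# A certificate request renamed to cert.pem fails here, which is the
# file slapd's "TLS init def ctx failed" was choking on.
is_x509_cert() {
    openssl x509 -in "$1" -noout -text >/dev/null 2>&1
}

# Return 0 if FILE parses as an RSA private key (the reply's second check).
is_rsa_key() {
    openssl rsa -in "$1" -noout -text >/dev/null 2>&1
}

# Return 0 when CERT and KEY carry the same public key, 1 otherwise.
# slapd needs a matching pair for TLSCertificateFile/TLSCertificateKeyFile.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build key.pem, newreq.pem (what CA.pl -newreq produces) and a self-signed
# cert.pem in DIR for common name CN. -nodes leaves the key unencrypted,
# the same end result as the "openssl rsa -in newreq.pem -out key.pem" step.
make_selfsigned_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir" || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/newreq.pem" \
        -subj "/C=XX/O=example/CN=$cn" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/key.pem" || return 1
    # The step missing from the thread: turn the request into a certificate.
    openssl x509 -req -in "$dir/newreq.pem" -signkey "$dir/key.pem" \
        -days 365 -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
}

# Demo run in a temporary directory (constructed CN, placeholder paths).
demo_dir=$(mktemp -d)
if make_selfsigned_cert "$demo_dir" ldap.example.test; then
    if is_x509_cert "$demo_dir/newreq.pem"; then
        echo "newreq.pem unexpectedly parses as a certificate"
    else
        echo "newreq.pem is a CSR, not a certificate: slapd would reject it"
    fi
    if is_x509_cert "$demo_dir/cert.pem" && is_rsa_key "$demo_dir/key.pem" \
       && cert_matches_key "$demo_dir/cert.pem" "$demo_dir/key.pem"; then
        echo "cert.pem and key.pem parse and match: safe to reference in slapd.conf"
    fi
fi
```

Run the two parse checks and cert_matches_key against the files named in TLSCertificateFile and TLSCertificateKeyFile before restarting slapd; if any of them fails, the "TLS init def ctx failed: -1" line in syslog is expected and the fix is in the files, not in slapd.conf.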