I inherited an openldap installation and am trying to set up a copy of the database on a test server so I can experiment with it. I copied the slapd.conf file from the production machine and made the minimal modifications I had to to get it to work. The production server is running the debian etch version of slapd, 2.3.30 and the test server is running lenny's slapd, 2.4.11. One line that I had to comment out was
#TLSCipherSuite HIGH:MEDIUM
I also tried this (which is supposed to be the default):
#TLSCipherSuite ALL:!ADH
If I uncomment either of those lines, slapd will not start. What really puzzles me is that the second line is supposed to be the default and even that doesn't work. If I leave them commented out, slapd starts and I can query the database via ldapsearch specifying the -ZZ option or by specifying ldaps.
$ ldapsearch -x -ZZ uid=jheim $ ldapsearch -x -H ldaps://ldap3.math.wisc.edu uid=jheim
Both of those searches work. I'm using a cert from cacert.org. But it appears to like the cert because the -ZZ works and ldaps works. I even ran ldapsearch with the -d1 option and saw nothing unusual about the certs. The only unusual line in the log is this: Mar 11 11:17:03 lcyoung slapd[10432]: main: TLS init def ctx failed: -1