--On Monday, February 26, 2007 3:59 PM +0200 Antonis Christofides
> A tls connection between a client and a 2.3.30 slapd hangs while the
> server is giving the certificate; but this does not happen if the
> server is run with -d 2 or higher, or if the client is the server
> (A seemingly similar issue has been reported before, without
> satisfactory reply, 4 years ago:
> My slapd is the Debian-etch-packaged 2.3.30.

Problems with SSL on Debian are well known, and it is due to the fact that
they long ago patched OpenLDAP 2.1 to compile against GnuTLS (note, I don't
say *work*, just compile).
When you use their 2.2 and 2.3 packages, and their libraries get loaded
into the same user space as the 2.1 libraries (which are always installed),
then SSL/TLS stops working. There is *nothing* the OpenLDAP folks can do
My only advice to you is to not use the Debian packages. Build OpenLDAP
yourself, or get a prebuilt distribution like Symas' CDS that installs into
a completely separate location so that it is not polluted by the Debian
In the meantime, Stanford U. & The Written Word have hired Symas
corporation to create true integration between GnuTLS and OpenLDAP. It is
anticipated that this will be part of the OpenLDAP 2.4 release. Too late for
Debian's etch release, but I assume this problem will finally go away for
Debian in the release after that.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
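The reply above attributes the hang to two OpenLDAP generations (the always-installed 2.1 libraries and the 2.2/2.3 ones) being mapped into the same process. The following shell script is an added example, not code from the thread or from the OpenLDAP project: it scans ldd(1) or /proc/<pid>/maps style output for libldap/liblber sonames and flags a process that carries more than one version. The sample output is constructed; the script assumes GNU or BSD `grep -oE` and `sed -E`.

```shell
#!/bin/sh
# Added example: detect mixed OpenLDAP library generations (e.g. libldap-2.1
# and libldap-2.3) in a binary's or running process's loaded libraries.
# Input: ldd(1)-style or /proc/<pid>/maps-style lines on stdin.

# Print each distinct OpenLDAP library version (the "2.x" part) found on stdin.
ldap_lib_versions() {
    grep -oE 'lib(ldap|lber)[A-Za-z_]*-[0-9]+\.[0-9]+\.so' \
        | sed -E 's/.*-([0-9]+\.[0-9]+)\.so/\1/' \
        | sort -u
}

# Return 0 if at most one OpenLDAP version is present, 1 if versions are mixed.
check_mixed_ldap_libs() {
    versions=$(ldap_lib_versions)
    count=$(printf '%s\n' "$versions" | grep -c '.' || :)
    if [ "$count" -gt 1 ]; then
        echo "MIXED OpenLDAP libraries loaded (TLS may misbehave):" >&2
        printf '%s\n' "$versions" | sed 's/^/  libldap-/' >&2
        return 1
    fi
    return 0
}

# Constructed sample ldd output modelled on the Debian etch case in the thread:
# a 2.3 slapd that also pulls in the 2.1 libldap.
SAMPLE_MIXED='    libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0x00002b1)
    liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00002b2)
    libldap-2.1.so.0 => /usr/lib/libldap-2.1.so.0 (0x00002b3)
    libgnutls.so.13 => /usr/lib/libgnutls.so.13 (0x00002b4)'

# Constructed sample for a self-contained build in its own prefix (hypothetical path).
SAMPLE_CLEAN='    libldap_r-2.3.so.0 => /opt/ldap/lib/libldap_r-2.3.so.0 (0x00002b1)
    liblber-2.3.so.0 => /opt/ldap/lib/liblber-2.3.so.0 (0x00002b2)'

# Live usage (Linux):
#   ldd "$(command -v slapd)" | check_mixed_ldap_libs
#   check_mixed_ldap_libs < /proc/"$(pidof slapd)"/maps
```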