Hello,
I am now trying to add SSL/TLS support to my OpenLDAP server 2.4.11. So I created a CA and a certificate signed by this CA. This point seems to be OK:
------------------------------------------------------------
root@SERVER:~# openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/SERVER.crt
/etc/ssl/certs/SERVER.crt: OK
------------------------------------------------------------
And I added it to my slapd configuration with the following commands, as specified in the Ubuntu documentation (https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-con...):
------------------------------------------------------------
root@SERVER:~# ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem

modifying entry "cn=config"
------------------------------------------------------------
But when restarting slapd, I always obtain this output:
------------------------------------------------------------
root@SERVER:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
	buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
main: TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.
------------------------------------------------------------
I searched all Sunday long for what this "main: TLS init def ctx failed: -207" could be, but I was not able to find what causes it. In the openssl file ssl.h, code 207 refers to the macro "#define SSL_F_SSL_VERIFY_CERT_CHAIN 207". It seems to mean that it (slapd or openssl?) can't verify my certificate string, but I just verified my certificate before with the openssl command, which said it is OK. I'm lost. Can you help me?
Thanks in advance, Regards, Gilles
On Sun, 25 Jan 2009, Technical Home wrote:
[given]
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem
[we get]
root@SERVER:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
	buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
main: TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.
[which is]
ssl.h, 207 code refers to the macro "#define SSL_F_SSL_VERIFY_CERT_CHAIN
Are you sure that all of these files are readable as group/user "openldap"?
Make sure that those options really are present/being parsed properly, perhaps by setting debug level "config" and/or looking for open() with strace or similar. Actually, a strace on open() would be the appropriate test for my EPERM theory, too. If they're not... upgrade to the latest available version. There were some back-config fixes in 2.4.13, for example.
On Sunday, 25 January 2009 19:05, Technical Home wrote:
Maybe try
ldd $(which slapd)
You may see that slapd is built with gnutls and not openssl :-)
You have two different solutions to fix this:
1. use the tool certtool from gnutls in package gnutls-bin. The doc is in gnutls-doc, or use the doc from the qemu/kvm packages and look there for vnc.
2. create a copy of /etc/ssl/certs/cacert.pem and reorder your certificates. gnutls expects just the opposite order from openssl :-(
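A pre-flight script that pulls together the checks suggested in this thread (which TLS library the slapd binary links, whether the openldap service user can read the three files, whether the chain verifies against the CA file), as an added example and not code from the thread or from the OpenLDAP project. The paths and the "openldap" user are taken from the original post; the key/certificate modulus comparison assumes RSA keys.

```shell
#!/bin/sh
# Added example: pre-flight checks for a slapd TLS setup, collecting the
# diagnostics suggested in this thread. Paths and the "openldap" user follow
# the original post; the modulus comparison assumes RSA keys.

# Classify the TLS library a binary links, from "ldd" output on stdin.
# Prints gnutls, openssl or unknown.
tls_backend_from_ldd() {
    out=$(cat)
    case "$out" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo unknown ;;
    esac
}

# Count PEM certificate blocks in a file: more than one means a chain,
# and GnuTLS and OpenSSL disagree about the order of the blocks.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Test readability as the service user. Root ignores mode bits, so the
# test must run as that user (needs privileges to switch when run by root).
readable_as() {  # USER FILE
    su -s /bin/sh "$1" -c "test -r \"$2\""
}

# CA_FILE CERT_FILE KEY_FILE SERVICE_USER -> returns 0 when every check passes.
slapd_tls_preflight() {
    ca=$1; cert=$2; key=$3; user=$4; rc=0
    echo "slapd TLS backend: $(ldd "$(command -v slapd)" | tls_backend_from_ldd)"
    for f in "$ca" "$cert" "$key"; do
        if readable_as "$user" "$f"; then echo "readable by $user: $f"
        else echo "NOT readable by $user: $f"; rc=1; fi
    done
    echo "certificate blocks in $ca: $(pem_cert_count "$ca")"
    # The chain check the original poster ran by hand.
    openssl verify -CAfile "$ca" "$cert" || rc=1
    # The configured key must belong to the server certificate (RSA assumed).
    cm=$(openssl x509 -noout -modulus -in "$cert")
    km=$(openssl rsa -noout -modulus -in "$key")
    [ "$cm" = "$km" ] || { echo "key $key does not match certificate $cert"; rc=1; }
    return $rc
}

# Example invocation with the paths from the thread:
# slapd_tls_preflight /etc/ssl/certs/cacert.pem /etc/ssl/certs/SERVER.crt /etc/ssl/private/cakey.pem openldap
```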
Harry Jede wrote:
Thanks again Harry! You are right, I followed the gnutls.pdf documentation and this link: http://www.linuxsecurityforum.org/f5/how-to-create-a-certificate-authority-a...
And here we go ^^ :
----------------------------------------------------------------
root@SERVER:~# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
root@SERVER:~# nmap localhost

Starting Nmap 4.62 ( http://nmap.org ) at 2009-01-28 00:05 CET
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 1711 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.205 seconds
root@SERVER:~# nmap 192.168.1.200

Starting Nmap 4.62 ( http://nmap.org ) at 2009-01-28 00:05 CET
Interesting ports on 192.168.1.200:
Not shown: 1711 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.203 seconds
----------------------------------------------------------------
But is using gnutls new in OpenLDAP? Hard to find this by Google. The Ubuntu documentation refers to openssl despite the documentation update for the Ubuntu 8.10 intrepid version: https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-con...
But thanks again Harry, now I will sleep better I think. You won a virtual French beer! ^^
Bye Gilles
--On Wednesday, January 28, 2009 12:26 AM +0100 Technical Home technicalhome@aliceadsl.fr wrote:
But is using gnutls new in OpenLDAP? Hard to find this by Google. The Ubuntu documentation refers to openssl despite the documentation update for the Ubuntu 8.10 intrepid version: https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-configuration
gnutls support was introduced with OpenLDAP 2.4. Ubuntu & Debian are currently the only two major releases that use it.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Technical Home wrote:
But is using gnutls new in OpenLDAP? Hard to find this by Google.
Sounds like you haven't read the Admin Guide...
http://www.openldap.org/doc/admin24/appendix-changes.html#New%20build%20opti...