I followed the instructions in http://www.openldap.org/faq/data/cache/185.html and in other tutorials from the Web to activate TLS and use a CA, and I can't get it to work right. The error I get is a "Handshake failure". Can somebody help me?
Here are my slapd.conf and my ldap.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=abc,dc=es"
checkpoint 32 30 # <kbyte> <min>
rootdn "cn=Manager,dc=abc,dc=es"
rootpw asdhjka
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq

TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/certs/servidorcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/private/servidorkey.pem
TLSVerifyClient demand
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=abc,dc=es
URI ldap://localhost ldaps://localhost
PORT 636

TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_CERT /etc/openldap/ssl/clientecert.pem
TLS_KEY /etc/openldap/ssl/clientekey.pem
TLS_REQCERT demand

--
NOTICE: The opinions expressed in this message are strictly personal and do not represent an official position of the Universidade da Coruña.
LEGAL NOTICE: This message and its attachments are private and confidential and are addressed exclusively to their recipients. If you have received this message in error, you must not disclose, copy or distribute it in any way without the prior written consent of the recipient. Please notify the sender and delete this message and any attached document it may contain. Failure to do so may violate current legislation.
Esther Puente wrote:
I followed the instructions in http://www.openldap.org/faq/data/cache/185.html and in other tutorials from the Web to activate TLS and use a CA, and I can't get it to work right. The error I get is a "Handshake failure".
There should be an additional message displayed there detailing the cause of the failure. Most likely something's wrong with path names in cert configuration.
Ciao, Michael.
Michael Ströder wrote:
Esther Puente wrote:
I followed the instructions in http://www.openldap.org/faq/data/cache/185.html and in other tutorials from the Web to activate TLS and use a CA, and I can't get it to work right. The error I get is a "Handshake failure".
There should be an additional message displayed there detailing the cause of the failure. Most likely something's wrong with path names in cert configuration.
As the ldap.conf(5) manpage states, TLS_CERT/TLS_KEY are not valid in ldap.conf, only in ldaprc.
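One way to catch this misplacement before slapd ever sees a handshake, as an added example that is not part of the thread and not OpenLDAP's own code: a small Python lint that flags the options ldap.conf(5) marks as user-only (TLS_CERT, TLS_KEY) when they appear in a system ldap.conf, and splits them out into an ldaprc fragment. The sample configuration is constructed from the ldap.conf posted above; the function names are my own.

```python
# ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only: they take effect in
# ~/.ldaprc but are ignored in the system ldap.conf.
USER_ONLY = {"TLS_CERT", "TLS_KEY"}


def parse_ldap_conf(text):
    """Yield (OPTION, value) pairs, skipping blank lines and # comments.
    Option names are case-insensitive, so they are upper-cased here."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def lint_system_ldap_conf(text, server_verify_client="never"):
    """Findings for a system ldap.conf; pass slapd's TLSVerifyClient value."""
    findings = []
    misplaced = [(n, v) for n, v in parse_ldap_conf(text) if n in USER_ONLY]
    for name, value in misplaced:
        findings.append(f"{name} {value}: user-only option, ignored in the "
                        "system ldap.conf; put it in ~/.ldaprc")
    if misplaced and server_verify_client.lower() == "demand":
        findings.append("slapd demands a client certificate, but it is only "
                        "configured in the ignored lines above: handshake fails")
    return findings


def split_into_ldaprc(text):
    """Return (system_conf, ldaprc) with the user-only options moved out."""
    system_lines, ldaprc_lines = [], []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        target = ldaprc_lines if parts and parts[0].upper() in USER_ONLY else system_lines
        target.append(raw.strip())
    return "\n".join(system_lines), "\n".join(ldaprc_lines)


# Constructed sample mirroring the client ldap.conf posted in the thread.
SAMPLE_LDAP_CONF = """\
BASE dc=abc,dc=es
URI ldap://localhost ldaps://localhost
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_CERT /etc/openldap/ssl/clientecert.pem
TLS_KEY /etc/openldap/ssl/clientekey.pem
TLS_REQCERT demand
"""
```

Running `lint_system_ldap_conf(SAMPLE_LDAP_CONF, "demand")` reports both misplaced options plus the handshake consequence; `split_into_ldaprc` hands back the two lines that belong in the user's ldaprc.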
openldap-software@openldap.org