Hi, this is my first post to the list.
I get an error when trying to run slapd with TLS options. I've looked a lot and sincerely don't know what I'm doing wrong.
I use Debian Sarge.
These are the steps I follow to create and configure the TLS certificate:
1) Create a directory ssl:
#> mkdir /etc/ldap/ssl
#> cd /etc/ldap/ssl
2) Generate a private/public key:
#> /usr/lib/ssl/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
.++++++
...................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: *****
Verifying - Enter PEM pass phrase: *****
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Vizcaya
Locality Name (eg, city) []:Barakaldo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.net
Organizational Unit Name (eg, section) []:debian
Common Name (eg, YOUR name) []:debian.domain.net
Email Address []:ibc@domain.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
3) Remove the password from the unique "newreq.pem" created:
#> openssl rsa -in newreq.pem -out key.pem
Enter pass phrase for newreq.pem: *****
writing RSA key
4) Edit the certificate to remove the key and rename:
#> vi newreq.pem
[...]
#> mv newreq.pem cert.pem
5) Change permissions for the key:
#> chmod 600 key.pem
6) Now I have the certificate and the key:
#> ls -l
-rw-r--r-- 1 root root 708 2007-01-23 21:35 cert.pem
-rw------- 1 root root 887 2007-01-23 21:35 key.pem
7) Configure slapd.conf:
----------------
TLSCipherSuite HIGH
TLSCertificateFile /etc/ldap/ssl/cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/key.pem
----------------
8) Save and restart slapd:
#> /etc/init.d/slapd restart
Stopping OpenLDAP: slurpd slapd.
Starting OpenLDAP: running BDB recovery, slapd - failed.
The operation failed but no output was produced. For hints on what went wrong
please refer to the system's logfiles (e.g. /var/log/syslog) or try running
the daemon in Debug mode like via "slapd -d 16383" (warning: this will create
copious output).
9) The syslog says:
Jan 23 21:38:20 debian slapd[2339]: @(#) $OpenLDAP: slapd 2.2.23 (May 30 2005 08:52:42) $
	@pulsar:/home/torsten/packages/openldap/openldap2.2-2.2.23/debian/build/servers/slapd
Jan 23 21:38:20 debian slapd[2339]: bdb_db_init: Initializing BDB database
Jan 23 21:38:20 debian slapd[2339]: main: TLS init def ctx failed: -1
Jan 23 21:38:20 debian slapd[2339]: slapd stopped.
Jan 23 21:38:20 debian slapd[2339]: connections_destroy: nothing to destroy.
Could you tell me why this error occurs? I've read in many sites about those exact steps to configure TLS in OpenLDAP but it doesn't work for me.
Thanks in advance for any help. Regards.
On Tuesday, 23 January 2007 21:57, Iñaki wrote:
> - Generate a private/public key:
> #> /usr/lib/ssl/misc/CA.pl -newreq

Sorry, I've found the error, I must use:
#> /usr/lib/ssl/misc/CA.pl -newcert
that creates a self-signed certificate/key.

Regards.
On Tue, Jan 23, 2007 at 09:57:02PM +0100, Iñaki wrote:
> Hi, this is my first post to the list.
> I get an error when trying to run slapd with TLS options. I've looked a lot and sincerely don't know what I'm doing wrong.
> I use Debian Sarge.
> These are the steps I follow to create and configure the TLS certificate:
> - Create a directory ssl:
> #> mkdir /etc/ldap/ssl
> #> cd /etc/ldap/ssl
> - Generate a private/public key:
> #> /usr/lib/ssl/misc/CA.pl -newreq
> Generating a 1024 bit RSA private key
> .++++++
> ...................................++++++
> writing new private key to 'newreq.pem'
> Enter PEM pass phrase: *****
> Verifying - Enter PEM pass phrase: *****
> Country Name (2 letter code) [AU]:ES
> State or Province Name (full name) [Some-State]:Vizcaya
> Locality Name (eg, city) []:Barakaldo
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.net
> Organizational Unit Name (eg, section) []:debian
> Common Name (eg, YOUR name) []:debian.domain.net
> Email Address []:ibc@domain.net
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> Request (and private key) is in newreq.pem
> - Remove the password from the unique "newreq.pem" created:
> #> openssl rsa -in newreq.pem -out key.pem
> Enter pass phrase for newreq.pem: *****
> writing RSA key
> - Edit the certificate to remove the key and rename:
> #> vi newreq.pem
> [...]
> #> mv newreq.pem cert.pem

don't you need to sign it here ?

> - Change permissions for the key:
> #> chmod 600 key.pem
> - Now I have the certificate and the key:
> #> ls -l
> -rw-r--r-- 1 root root 708 2007-01-23 21:35 cert.pem
> -rw------- 1 root root 887 2007-01-23 21:35 key.pem
> - Configure slapd.conf:
> TLSCipherSuite HIGH
> TLSCertificateFile /etc/ldap/ssl/cert.pem
> TLSCertificateKeyFile /etc/ldap/ssl/key.pem
> - Save and restart slapd:
> #> /etc/init.d/slapd restart
> Stopping OpenLDAP: slurpd slapd.
> Starting OpenLDAP: running BDB recovery, slapd - failed.
> The operation failed but no output was produced. For hints on what went wrong
> please refer to the system's logfiles (e.g. /var/log/syslog) or try running
> the daemon in Debug mode like via "slapd -d 16383" (warning: this will create
> copious output).
> - The syslog says:
> Jan 23 21:38:20 debian slapd[2339]: @(#) $OpenLDAP: slapd 2.2.23 (May 30 2005 08:52:42) $
> 	@pulsar:/home/torsten/packages/openldap/openldap2.2-2.2.23/debian/build/servers/slapd
> Jan 23 21:38:20 debian slapd[2339]: bdb_db_init: Initializing BDB database
> Jan 23 21:38:20 debian slapd[2339]: main: TLS init def ctx failed: -1
> Jan 23 21:38:20 debian slapd[2339]: slapd stopped.
> Jan 23 21:38:20 debian slapd[2339]: connections_destroy: nothing to destroy.

can you tell me what happens when you run

openssl x509 -in /etc/ldap/ssl/cert.pem -noout -text

and if this works

openssl rsa -in /etc/ldap/ssl/key.pem -noout -text

> Could you tell me why this error occurs? I've read in many sites about those exact steps to configure TLS in OpenLDAP but it doesn't work for me.
> Thanks in advance for any help. Regards.
> --
> Iñaki Baz Castillo
On Tuesday, 23 January 2007 22:50, Alex Samad wrote:
> > - Edit the certificate to remove the key and rename:
> > #> vi newreq.pem
> > [...]
> > #> mv newreq.pem cert.pem
>
> don't you need to sign it here ?

Yes, as I say in my other mail, the problem is that I use "CA.pl -req" instead of "CA.pl -cert" (that generates a self-signed cert).

> can you tell me what happens when you run
>
> openssl x509 -in /etc/ldap/ssl/cert.pem -noout -text
>
> and if this works
>
> openssl rsa -in /etc/ldap/ssl/key.pem -noout -text

Now I've generated the self-signed certificate and slapd runs. My actual problem is that a few clients that I've probed (such as KAddressBook using an LDAP addressbook) refuse this certificate with the warning "Error in the certificate".
And if I do:
# ldapsearch -ZZ -h debian.domian.net -x * -LL -d 65535
I get:
[...]
TLS certificate verification: Error, self signed certificate
[...]
So I assume that most LDAP clients don't allow a self-signed certificate.
Anyway, I'm learning now about certificates, so I have to investigate first ;)
Thanks for all.
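A worked version of the two problems in this thread, added here by the editor and not code from any of the posters: the first post's "TLS init def ctx failed" after using CA.pl -newreq (a signing request is not a certificate), Alex's two openssl checks, and the client-side "self signed certificate" rejection from ldapsearch -ZZ. It reproduces what CA.pl -newreq and CA.pl -newcert produce with plain openssl calls, checks that cert and key parse and belong together, and writes the ldap.conf(5) lines (TLS_CACERT, TLS_REQCERT) that let a client trust a self-signed server certificate without switching verification off. Assumptions: openssl is on PATH; a temp directory stands in for /etc/ldap/ssl; the subject fields and CN are the ones typed in the first post; -days 365 and BASE dc=domain,dc=net are constructed values.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread). See the lead-in for
# what it reproduces. Assumptions: openssl on PATH; temp dir instead of
# /etc/ldap/ssl; -days 365 and the BASE value below are constructed.
set -eu

WORK=$(mktemp -d)
CN="debian.domain.net"
SUBJ="/C=ES/ST=Vizcaya/L=Barakaldo/O=domain.net/OU=debian/CN=$CN"

# What "CA.pl -newreq" gives you: a CSR plus a private key. A CSR is not a
# certificate, so pointing TLSCertificateFile at it makes slapd log
# "main: TLS init def ctx failed: -1" and stop.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$WORK/newreq.key" -out "$WORK/newreq.pem" >/dev/null 2>&1
}

# What "CA.pl -newcert" gives you: a self-signed certificate plus a key.
# -nodes leaves the key unencrypted so slapd can read it without a passphrase.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJ" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    chmod 600 "$WORK/key.pem"   # same as step 5 in the original post
}

# Alex's first check: does the file parse as an X.509 certificate?
is_certificate() {
    openssl x509 -in "$1" -noout -text >/dev/null 2>&1
}

# Alex's second check: does the file parse as a consistent RSA private key?
is_private_key() {
    openssl rsa -in "$1" -noout -check >/dev/null 2>&1
}

# The check after those two: the certificate's public key must match the
# private key, otherwise the TLS context still fails to initialise.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does certificate $1 verify against trust-anchor file $2? For a self-signed
# server cert the anchor is the cert itself; "Error, self signed certificate"
# from ldapsearch -ZZ means the client was never given that anchor.
verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Client side: ldap.conf(5) lines that make ldapsearch (and other libldap
# clients) trust the self-signed cert while still demanding a valid one.
write_client_conf() {
    cat > "$1" <<EOF
# constructed example ldap.conf (client side)
URI ldap://$CN
BASE dc=domain,dc=net
TLS_CACERT $WORK/cert.pem
TLS_REQCERT demand
EOF
}

# Runs every check, prints one line per result, returns 1 if any failed.
demo() {
    make_csr
    make_selfsigned
    rc=0
    check() { if "$@"; then echo "ok   : $1"; else echo "FAIL : $1"; rc=1; fi; }
    check is_certificate "$WORK/cert.pem"
    check is_private_key "$WORK/key.pem"
    check key_matches_cert "$WORK/cert.pem" "$WORK/key.pem"
    check verifies_against "$WORK/cert.pem" "$WORK/cert.pem"
    # the CSR from -newreq must NOT pass the certificate check
    if is_certificate "$WORK/newreq.pem"; then echo "FAIL : CSR accepted as cert"; rc=1
    else echo "ok   : newreq.pem is a CSR, not a certificate"; fi
    write_client_conf "$WORK/ldap.conf"
    echo "client config written to $WORK/ldap.conf"
    return $rc
}
```

Source the file and call `demo` to run all checks; the same functions can be pointed at /etc/ldap/ssl/cert.pem and key.pem on a real server. The client lines matter because TLS_REQCERT demand (the default) keeps hostname and chain verification on; the fix for a self-signed server cert is to hand clients the cert as their CA file, not to lower TLS_REQCERT.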
Iñaki wrote:
> So I assume that most LDAP clients don't allow a self-signed certificate.
> Anyway, I'm learning now about certificates, so I have to investigate first ;)

http://www.openldap.org/doc/admin23/tls.html
On Wednesday, 24 January 2007 00:35, Howard Chu wrote:
> Iñaki wrote:
> > So I assume that most LDAP clients don't allow a self-signed certificate.
> > Anyway, I'm learning now about certificates, so I have to investigate first ;)

Thanks, I'll read it.
openldap-software@openldap.org