I inherited an openldap installation and am trying to set up a copy of the database on a test server so I can experiment with it. I copied the slapd.conf file from the production machine and made the minimal modifications I had to to get it to work. The production server is running the debian etch version of slapd, 2.3.30 and the test server is running lenny's slapd, 2.4.11. One line that I had to comment out was
#TLSCipherSuite HIGH:MEDIUM
I also tried this (which is supposed to be the default):
#TLSCipherSuite ALL:!ADH
If I uncomment either of those lines, slapd will not start. What really puzzles me is that the second line is supposed to be the default and even that doesn't work. If I leave them commented out, slapd starts and I can query the database via ldapsearch specifying the -ZZ option or by specifying ldaps.
$ ldapsearch -x -ZZ uid=jheim
$ ldapsearch -x -H ldaps://ldap3.math.wisc.edu uid=jheim
Both of those searches work. I'm using a cert from cacert.org. But it appears to like the cert because the -ZZ works and ldaps works. I even ran ldapsearch with the -d1 option and saw nothing unusual about the certs. The only unusual line in the log is this:
Mar 11 11:17:03 lcyoung slapd[10432]: main: TLS init def ctx failed: -1
Hi John,
On Wed, Mar 11, 2009 at 03:47:19PM -0500, John G. Heim wrote:
> The production server is running the debian etch version of slapd, 2.3.30 and the test server is running lenny's slapd, 2.4.11. One line that I had to comment out was
> #TLSCipherSuite HIGH:MEDIUM
> I also tried this (which is supposed to be the default):
> #TLSCipherSuite ALL:!ADH
> If I uncomment either of those lines, slapd will not start. What really puzzles me is that the second line is supposed to be the default and even that doesn't work. If I leave them commented out, slapd starts and I can query the database via ldapsearch specifying the -ZZ option or by specifying ldaps.
One notable change between etch and lenny is that the lenny is compiled against GNUTLS by default while etch uses OpenSSL. You may have to update the TLSCipherSuite option to follow GNUTLS configuration.
John G. Heim wrote:
> I inherited an openldap installation and am trying to set up a copy of the database on a test server so I can experiment with it. I copied the slapd.conf file from the production machine and made the minimal modifications I had to to get it to work. The production server is running the debian etch version of slapd, 2.3.30 and the test server is running lenny's slapd, 2.4.11. One line that I had to comment out was
Most likely Debian lenny's slapd was built with GnuTLS, not OpenSSL. Read the slapd.conf(5) manpage that accompanies the lenny build; it will tell you how to get the set of valid cipher suites for GnuTLS. They're (obviously) not the same as for OpenSSL.
> #TLSCipherSuite HIGH:MEDIUM
> I also tried this (which is supposed to be the default):
> #TLSCipherSuite ALL:!ADH
> If I uncomment either of those lines, slapd will not start. What really puzzles me is that the second line is supposed to be the default and even that doesn't work. If I leave them commented out, slapd starts and I can query the database via ldapsearch specifying the -ZZ option or by specifying ldaps.
> $ ldapsearch -x -ZZ uid=jheim
> $ ldapsearch -x -H ldaps://ldap3.math.wisc.edu uid=jheim
> Both of those searches work. I'm using a cert from cacert.org. But it appears to like the cert because the -ZZ works and ldaps works. I even ran ldapsearch with the -d1 option and saw nothing unusual about the certs. The only unusual line in the log is this:
> Mar 11 11:17:03 lcyoung slapd[10432]: main: TLS init def ctx failed: -1
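Both replies above come down to the same check: find out which TLS library the slapd binary was built against before picking a TLSCipherSuite value, since an OpenSSL cipher list such as HIGH:MEDIUM is rejected by a GnuTLS build (which expects a GnuTLS priority string) and the server then fails at "TLS init def ctx". The script below is an added example, not code from the thread or from the OpenLDAP project. It inspects the shared libraries slapd links against, prints a starting TLSCipherSuite line for that library, and validates the config with slaptest before slapd is restarted. The cipher settings it suggests (SECURE256 for GnuTLS, HIGH:!aNULL:!MD5 for OpenSSL) and the Debian config path /etc/ldap/slapd.conf are assumptions for illustration; the authoritative syntax is in slapd.conf(5), ciphers(1) and gnutls_priority_init(3) for the versions actually installed.

```shell
#!/bin/sh
# Added example: determine which TLS library a slapd build uses, because the
# TLSCipherSuite syntax differs between OpenSSL (cipher lists) and GnuTLS
# (priority strings), then dry-run the configuration with slaptest.

# Classify ldd output (passed as a string) as "gnutls", "openssl" or "unknown".
tls_lib_from_ldd() {
    case "$1" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo unknown ;;
    esac
}

# Print a starting TLSCipherSuite directive for the detected library.
# The values are assumptions for illustration, not taken from the thread;
# tune them against the installed library's documentation.
cipher_suite_for() {
    case "$1" in
        gnutls)  echo 'TLSCipherSuite SECURE256' ;;
        openssl) echo 'TLSCipherSuite HIGH:!aNULL:!MD5' ;;
        *)       return 1 ;;
    esac
}

# Inspect a real slapd binary and validate a config file without starting slapd.
# $1 = path to slapd, $2 = path to slapd.conf
check_slapd_config() {
    lib=$(tls_lib_from_ldd "$(ldd "$1" 2>/dev/null)")
    echo "slapd TLS library: $lib"
    if ! cipher_suite_for "$lib"; then
        echo "could not determine TLS library; consult slapd.conf(5) for this build"
    fi
    # slaptest -u checks the configuration only, without opening the databases,
    # so a bad TLSCipherSuite shows up here instead of at service start.
    slaptest -u -f "$2"
}

# Only touch the live system when explicitly asked; the path is Debian's
# default slapd.conf location and is an assumption.
if [ "${1:-}" = "--run" ]; then
    check_slapd_config "$(command -v slapd)" /etc/ldap/slapd.conf
fi
```

Run it as `sh check-slapd-tls.sh --run` on the test server; if it reports gnutls, the etch-era HIGH:MEDIUM line needs to be replaced with a GnuTLS priority string rather than simply uncommented.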
John G. Heim wrote:
> I inherited an openldap installation and am trying to set up a copy of the database on a test server so I can experiment with it. I copied the slapd.conf file from the production machine and made the minimal modifications I had to to get it to work. The production server is running the debian etch version of slapd, 2.3.30 and the test server is running lenny's slapd, 2.4.11. One line that I had to comment out was
And by the way, the current version of OpenLDAP is 2.4.15. If you have trouble with a particular distro's build of OpenLDAP, talk to the distro provider. All of these distros tend to carry their own private patches that they don't share with us here on the Project, so only they can help you with their particular builds. And in general, we don't research problems in old versions - we release bug fixes and move on. If you don't already have current code, it's just a waste of time, chasing down things that were already resolved long ago.
openldap-software@openldap.org