Hi,
I am trying to configure openldap and tls I am following instructions however, I can not start slapd http://www.openldap.org/faq/data/cache/185.html
My cn=config.ldif
olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
olcTLSCertificateFile: /etc/ldap/ssl/newcert.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/demoCA/newreq.pem
root@axew0204:/home/alfas# /etc/init.d/slapd start
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via "slapd -d 16383" (warning: this will create copious output).
Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output:
slapd -g openldap -u openldap -F /etc/ldap/slapd.d/
root@axew0204:/home/alfas#
However there is nothing in log :(
Dec 11 16:47:41 axew0204 slapd[434]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ ^Ibuildd@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
Dec 11 16:47:41 axew0204 slapd[434]: slapd stopped.
Dec 11 16:47:41 axew0204 slapd[434]: connections_destroy: nothing to destroy.
Any ideas???
Thanks.
Alfas
Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
That would appear to be something in your log.
Hi,
Can you tell me where to look for this log? I understand that this can be clear for you. However the mystic line
Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
tells me nothing. The explanation in the documentation of error 34 (if it is the correct error message) tells nothing too :(
H.25. *invalidDNSyntax (34)*
Indicates that an LDAPDN or RelativeLDAPDN field (e.g., search base, target entry, ModifyDN newrdn, etc.) of a request does not conform to the required syntax or contains attribute values that do not conform to the syntax of the attribute's type.
Any ideas how I can find out what is wrong?
Alfas
On Fri, 12 Dec 2008, Alfonsas Stonis wrote:
Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
That would appear to be something in your log.
Can you tell me where to look for this log?
He was responding to your comment that "there is nothing in log", as that message was something in your log, however opaque it be.
I understand that this can be clear for you. However the mystic line
Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
tells me nothing. The explanation in the documentation of error 34 (if it is the correct error message) tells nothing too :(
H.25. *invalidDNSyntax (34)*
That error number, -34, is actually being passed through from the GNUtls library. You'll need to consult the documentation for that library to see what that error means when returned from one of the functions:
gnutls_certificate_set_x509_trust_file
gnutls_certificate_set_x509_key_file
gnutls_certificate_set_x509_crl_file
Good luck!
Philip Guenther
Hi
You have either
- set permissions on the certificates/keys that do not allow slapd to read them (check also directory permissions), or
- /etc/ldap/ssl/demoCA/newreq.pem is not an RSA private key. This depends on how you created your certificate.
If you followed the instructions in http://www.openldap.org/faq/data/cache/185.html, you should have your certificates and keys in a separate folder. The demoCA component in your path names shows that you seem to have created the CA under /etc/ldap/ssl/demoCA, which was probably not what you wanted (hint: don't run CA.sh from /etc/ldap/ssl).
Please follow the instructions more closely and locate the following three files and verify that slapd has read access to them:
1) CA certificate
2) slapd's private key
3) slapd's certificate
kind regards /markus
Alfonsas Stonis wrote:
Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
On Thursday 11 December 2008 08:04:24 Alfonsas Stonis wrote:
Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
Dec 11 16:47:41 axew0204 slapd[434]: slapd stopped.
Dec 11 16:47:41 axew0204 slapd[434]: connections_destroy: nothing to destroy.
The most common cause for this error message in my experience, is:
- Path to certificates or key is wrong
- The user slapd runs as cannot access the certificates or keys
- The certificates or keys are in the wrong format
So, I would do this to test:
su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/newcert.pem'
su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/demoCA/newreq.pem'
(replace the user - 'ldap' in this case - with the username your slapd runs as).
However, it's probably not the best idea to configure slapd to find the certs or keys in the demoCA directory (if you sign another cert on that box, you will probably overwrite those files).
(The FAQ entry could also consider recommending to place the SSL key in a different file than the CSR ....)
(It may also be worthwhile adding an FAQ entry on this, with the error message, as googling the error message doesn't turn up any good answers, just bad questions ...)
Regards, Buchan
I tried several times, but nothing seems to work. First I changed the names to be the same as in FAQ
olcTLSCACertificateFile: /etc/ldap/ssl/cacert.pem
olcTLSCertificateFile: /etc/ldap/ssl/servercrt.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/serverkey.pem
All three files are rwx for everyone and all belong to openldap (the user I am using for ldap).
Error log:
Dec 15 14:28:21 axew0204 slapd[24383]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ ^Ibuildd@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
Dec 15 14:28:21 axew0204 slapd[24383]: main: TLS init def ctx failed: -60
Dec 15 14:28:21 axew0204 slapd[24383]: slapd stopped.
Dec 15 14:28:21 axew0204 slapd[24383]: connections_destroy: nothing to destroy.
I tried running su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/'
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/servercrt.pem'
subject= /C=AU/ST=Some-State/L=Sydney/O=Internet Widgits Pty Ltd/CN=axew0204/emailAddress=alfonsas.stonis@axegroup.com.au
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/cacert.pem'
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=axew0204/emailAddress=alfonsas.stonis@axegroup.com.au
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/serverkey.pem'
unable to load certificate
24190:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
I assume the last error message is fine, because it is a private key and not a certificate itself.
Any ideas what to try next?
On Mon, 15 Dec 2008, Alfonsas Stonis wrote: ...
Dec 15 14:28:21 axew0204 slapd[24383]: main: TLS init def ctx failed: -60
Why haven't you looked up those error numbers in the GNUtls docs?
#define GNUTLS_E_CERTIFICATE_KEY_MISMATCH -60
(If I was in your position, I would remove OpenLDAP from the picture and work out a valid cert, key, and CAcert combo using just the tools provided by GNUtls. I would hope the GNUtls documentation has the necessary examples and information to do that; lacking that, I would consult the help-gnutls@gnu.org mailing list. Once that's worked out, you can address the OpenLDAP bits with some confidence that you're not giving it bad data.)
Philip Guenther
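Buchan's test above checks each file on its own and Philip's advice is to validate the cert/key/CA combination before slapd ever sees it; the script below (an added example, not from this thread or the OpenLDAP project) does both as one pre-flight: readability as the slapd user, PEM type of each file, chain to the configured CA, and the cert/key pairing whose failure GNUTLS reports as GNUTLS_E_CERTIFICATE_KEY_MISMATCH (-60). The function name, the optional user argument and the paths are assumptions; it needs only the openssl command.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight the three files that
# olcTLSCACertificateFile / olcTLSCertificateFile / olcTLSCertificateKeyFile
# point at. Returns 0 when slapd should be able to use them, 1 otherwise,
# and says which of the failure modes seen in the thread applies.
# Usage: check_tls_files CA_PEM CERT_PEM KEY_PEM [SLAPD_USER]

check_tls_files() {
    ca=$1; cert=$2; key=$3; user=${4:-}
    rc=0
    for f in "$ca" "$cert" "$key"; do
        if [ -n "$user" ] && [ "$(id -u)" -eq 0 ]; then
            # test as the daemon user so directory permissions count too
            su -s /bin/sh "$user" -c "test -r '$f'" || { echo "NOT READABLE by $user: $f"; rc=1; }
        else
            [ -r "$f" ] || { echo "NOT READABLE: $f"; rc=1; }
        fi
    done
    [ $rc -eq 0 ] || return $rc
    # each file must be the PEM object its directive expects
    openssl x509 -noout -in "$ca" 2>/dev/null || { echo "CA file is not a PEM certificate: $ca"; rc=1; }
    openssl x509 -noout -in "$cert" 2>/dev/null || { echo "not a PEM certificate: $cert"; rc=1; }
    # a CSR (CA.sh's newreq.pem) or a certificate here is the classic mistake
    openssl pkey -noout -in "$key" 2>/dev/null || { echo "not a PEM private key: $key"; rc=1; }
    [ $rc -eq 0 ] || return $rc
    # chain: the server certificate must be issued by the configured CA
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "cert does not chain to CA: $cert"; rc=1; }
    # pairing: the public key inside the cert must equal the key's public half
    certpub=$(openssl x509 -noout -pubkey -in "$cert")
    keypub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    [ "$certpub" = "$keypub" ] || { echo "CERTIFICATE/KEY MISMATCH (slapd would log -60)"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: $cert matches $key and chains to $ca"
    return $rc
}
```

Run it as root with the slapd user as the fourth argument, e.g. `check_tls_files /etc/ldap/ssl/cacert.pem /etc/ldap/ssl/servercrt.pem /etc/ldap/ssl/serverkey.pem openldap`, and only start slapd once it prints OK; a passphrase-protected key will make `openssl pkey` prompt, so give it an unencrypted key as slapd itself needs.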
Thanks. There actually maybe was a problem with the certificate. I simply took another certificate from apache, so I know for sure that it is correct. Now slapd started without any problems. However, I can not connect to the ldap server using ssl. I am using JXplorer. I select ssl+user+password for authentication but it does not work. I am using the same client key copy as for apache. I imported it to JXplorer and added it to ldap.conf (just in case). No luck :(. I assume that there is something missing in the slapd configuration. Any ideas what to do next?
openldap-software@openldap.org