--On Wednesday, July 25, 2007 2:33 PM -0700 Jay Chandler chandler.lists@chapman.edu wrote:

Probably worth mentioning the lines from slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/servercrt.pem TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem

All files exist, and appear to be correct.

And are they readable by the slapd user?

--Quanah

-- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

Jay Chandler wrote:

TLSCipherSuite HIGH:MEDIUM:+SSLv2

You SHOULD NOT allow SSLv2. This SSL version has serious security flaws. I'm also not sure about the strength of the ciphers defined by MEDIUM.

Ciao, Michael.

"Maria McKinley" parody@u.washington.edu writes:

On 7/25/07, Jay Chandler chandler.lists@chapman.edu wrote:

...

Followed this to the letter, yet when I attempt to restart slapd, I get:

...

slapd[34145]: main: TLS init def ctx failed: -1 slapd[34145]: slapd stopped.

in my logs. Googling sheds no light. Thoughts? OS is FreeBSD, for reference, so a lot of Solaris advice is probably applicable.

I'm afraid I am no help, but did want to mention, I am having the same problem with a Debian machine. I have also made many attempts, following several instruction sets on how to create the certificates, to no avail, and the same error message...

You pretty much have to run slapd with -d in order to get any useful error messages. Try starting with slapd -d 1 and increase to 3, 7, 15, 31, 63, and so forth (2^n - 1) to add more bits to the debug bitmask until you get some useful error message.