Enabling TLS problem on openldap2-2.3.39 - openldap-software

16 Nov 2007


      I'm configuring slapd to use TLS.  First I just want to make it work,
then I'll go into requiring encryption.
The system is SLES 9.3
The openldap2 is 2.3.39
Other certifictes are in /etc/ssl/certs as specified by default in
slapd.conf for openldap2 2.3.39.
The database is currently empty, just getting started.
Generated a self-signed x509 certificate
    cd /etc/openldap
    openssl genrsa 1024 >server.key
    chmod 0440 server.key
    chown root:ldap server.key
    openssl req -new -key server.key -x509 -days 100 -out server.crt
    	Entered all the important stuff
    chmod 0444 server.crt
Checked certificate and it looked acceptable
    openssl x509 -text -in server.crt
Changed following lines in slapd.conf:
    TLSCertificateFile /etc/openldap/server.crt
    TLSCertificateKeyFile /etc/openldap/server.key
Added following line to /etc/openldap/ldap.conf
    TLS_CACERT	/etc/openldap/server.crt
A command not using encryption works fine:
    ldapsearch -x -H ldap://example.com -b "" -s base
'objectclass=*' '+' '*'
A command using encryption fails:
    ldapsearch -x -Z -H ldap://example.com -b "" -s base
'objectclass=*' '+' '*'
    ldap_start_tls: Connect error (-11)
            additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    ldap_result: Can't contact LDAP server (-1)
            additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Here are the ldap log entries when loglevel is set to -1:
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1
descriptor
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
    Nov 16 16:53:47 testsvr slapd[19533]:
    Nov 16 16:53:47 testsvr slapd[19533]: >>>
slap_listener(ldap:///)
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: listen=8, new
connection on 14
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: added 14r (active)
listener=(nil)
    Nov 16 16:53:47 testsvr slapd[19533]: conn=4 fd=14 ACCEPT from
IP=1.1.1.1:3535 (IP=0.0.0.0:389)
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1
descriptor
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
    Nov 16 16:53:47 testsvr slapd[19533]:  14r
    Nov 16 16:53:47 testsvr slapd[19533]:
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14
    Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14)
    Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got
connid=4
    Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14):
checking for input on id=4
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: do_extended
    Nov 16 16:53:47 testsvr slapd[19533]: do_extended:
oid=1.3.6.1.4.1.1466.20037
    Nov 16 16:53:47 testsvr slapd[19533]: conn=4 op=0 STARTTLS
    Nov 16 16:53:47 testsvr slapd[19533]: send_ldap_extended: err=0
oid= len=0
    Nov 16 16:53:47 testsvr slapd[19533]: send_ldap_response:
msgid=1 tag=120 err=0
    Nov 16 16:53:47 testsvr slapd[19533]: conn=4 op=0 RESULT oid=
err=0 text=
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1
descriptor
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
    Nov 16 16:53:47 testsvr slapd[19533]:  14r
    Nov 16 16:53:47 testsvr slapd[19533]:
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14
    Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14)
    Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got
connid=4
    Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14):
checking for input on id=4
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1
descriptor
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
    Nov 16 16:53:47 testsvr slapd[19533]:  14r
    Nov 16 16:53:47 testsvr slapd[19533]:
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: read active on 14
    Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14)
    Nov 16 16:53:47 testsvr slapd[19533]: connection_get(14): got
connid=4
    Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14):
checking for input on id=4
    Nov 16 16:53:47 testsvr slapd[19533]: connection_read(14): TLS
accept failure error=-1 id=4, closing
    Nov 16 16:53:47 testsvr slapd[19533]: connection_closing:
readying conn=4 sd=14 for close
    Nov 16 16:53:47 testsvr slapd[19533]: connection_close: conn=4
sd=-1
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: removing 14
    Nov 16 16:53:47 testsvr slapd[19533]: conn=4 fd=14 closed (TLS
negotiation failure)
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on 1
descriptor
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: activity on:
    Nov 16 16:53:47 testsvr slapd[19533]:
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=7
active_threads=0 tvp=zero
    Nov 16 16:53:47 testsvr slapd[19533]: daemon: epoll: listen=8
active_threads=0 tvp=zero
It looks like TLS started OK, then there was a negotiation failure with
slapd.
I figure I just missed something simple here, but have spent quite a bit
of time not getting it figured out.
Any insights?
Thank you.
----
Not all who wander are lost.
|     ----  ___o  |  chuck.keagle@boeing.com
Chuck Keagle              |  -------  \ <,  |  Work:  (425) 865-1488
Enterprise Servers:  HPC  |  ----- ( )/ ( ) |  Cell:  (425) 417-3434