Hi There,

Need help with resolving an configuration issue I am having with openldap server (OpenLDAP: slapd 2.4.23 (Jun 22 2012 14:02:53) ) running a CentOS-6.3

1. Have a openldap server setup with TLS running on CentOS-6.3

rpm -qa | grep ldap
openldap-devel-2.4.23-26.el6.x86_64
python-ldap-2.3.10-1.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
openldap-servers-2.4.23-26.el6.x86_64
openldap-2.4.23-26.el6.x86_64
openldap-clients-2.4.23-26.el6.x86_64
pam_ldap-185-11.el6.x86_64
ldapjdk-4.18-6.el6.x86_64

3. Have generated self signed server certificates using openssl command.

openssl req -x509 -nodes -days 3650 -newkey rsa:1048 -keyout /etc/openldap/certs/server-key.pem -out /etc/openldap/certs/server-cert.pem

3. Have a CentOS-6.3 setup a openldap client and enable TLS. 

rpm -qa | grep ldap
openldap-2.4.23-26.el6.x86_64
python-ldap-2.3.10-1.el6.x86_64
openldap-clients-2.4.23-26.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
pam_ldap-185-11.el6.x86_64


4. When I try to login on a LDAP client, I am seeing following debugging messages in LDAP server side,


>>> slap_listener(ldaps://:389/)
daemon: listen=7, new connection on 14
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
daemon: added 14r (active) listener=(nil)
conn=1000 fd=14 ACCEPT from IP=xxx.xxx.xxx.xxxx:55585 (IP=0.0.0.0:389)
daemon: activity on 2 descriptors
daemon: activity on: 14r
daemon: read active on 14
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
connection_get(14)
connection_get(14): got connid=1000
connection_read(14): checking for input on id=1000
TLS: file server-cert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file server-key.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: error: no server certificate: must specify a certificate for the server to use
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
connection_read(14): TLS accept failure error=-1 id=1000, closing
connection_closing: readying conn=1000 sd=14 for close
connection_close: conn=1000 sd=14

5. I generate the hash in the directory were the certs are and then try connecting again, see different slapd debugging messages

conn=1001 fd=14 ACCEPT from IP=10.90.180.220:55586 (IP=0.0.0.0:389)
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read active on 14
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: epoll: listen=10 active_threads=0 tvp=NULL
connection_get(14)
connection_get(14): got connid=1001
connection_read(14): checking for input on id=1001
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
connection_read(14): TLS accept failure error=-1 id=1001, closing
connection_closing: readying conn=1001 sd=14 for close
connection_close: conn=1001 sd=14
daemon: removing 14
daemon: activity on 1 descriptor
daemon: activity on:
conn=1001 fd=14 closed (TLS negotiation failure)


Is there any bug with the version of openldap I am using? Appreciate any and every help from any of the group member to resolve the issue.

Thank you,
anlinux.