On 08/09/14 08:02 AM, Vijay Ganesan wrote:
> ldap_start_tls: Connect error (-11) additional info: A TLS packet with unexpected length was received.
Unfortunately GnuTLS does not make it easy to diagnose this kind of error. There might still be a misconfiguration somewhere, or there might be a problem with the certificate itself. If you search Google for that message you will find many results with different causes.
Some thoughts:
* Check /var/log/syslog for any info printed by slapd
* Check that GnuTLS is able to understand your certificate: install gnutls-bin and try

    gnutls-serv --x509certfile /path/to/server.pem --x509keyfile /path/to/server.key

  which will start a basic TLS server on port 5556, then

    gnutls-cli --x509cafile /path/to/ca.pem --port 5556 localhost

  If GnuTLS doesn't like your certificate for some reason, one of those commands will fail and hopefully provide more information.
* Similarly, enable ldaps:/// in /etc/default/slapd and then try

    gnutls-cli --x509cafile /path/to/ca.pem --port 636 localhost

  to investigate the certificate actually sent by slapd.
I would really recommend upgrading to Ubuntu 14.04. It has a significantly updated version of GnuTLS that fixes a lot of bugs and limitations compared to Ubuntu 12.04. Others on this list will recommend ditching GnuTLS altogether and building your own OpenLDAP from source using OpenSSL instead of GnuTLS.
Good luck...