On 08/09/14 08:02 AM, Vijay Ganesan wrote:
ldap_start_tls: Connect error (-11)
additional info: A TLS packet with unexpected length was received.
Unfortunately GnuTLS does not make it easy to diagnose this kind of
error. There might still be a misconfiguration somewhere, or there might
be a problem with the certificate itself. If you search Google for that
message you will find many results with different causes.
* Check /var/log/syslog for any info printed by slapd
* Check that GnuTLS is able to understand your certificate: install
gnutls-bin and try
gnutls-serv --x509certfile /path/to/server.pem --x509keyfile
which will start a basic TLS server on port 5556, then
gnutls-cli --x509cafile /path/to/ca.pem --port 5556 localhost
If GnuTLS doesn't like your certificate for some reason, one of those
commands will fail and hopefully provide more information.
* Similarly, enable ldaps:/// in /etc/default/slapd and then try
gnutls-cli --x509cafile /path/to/ca.pem --port 636 localhost
to investigate the certificate actually sent by slapd.
I would really recommend upgrading to Ubuntu 14.04. It has a
significantly updated version of GnuTLS that fixes a lot of bugs and
limitations compared to Ubuntu 12.04. Others on this list will recommend
to ditch GnuTLS altogether and build your own OpenLDAP from source using
OpenSSL instead of GnuTLS.