On Fri, 2 Dec 2016 12:17:07 +0000, Patrick.Ouellet@promutuel.ca wrote:
Hello everyone, I hope I'm in the right place for this kind of question; please tell me if I'm wrong.
I just installed OpenLDAP as a proxy for AD. The proxy itself works fine: I have made a few ldapsearch queries and got the results I was expecting.
Now I want to add TLS to it for security reasons.
I'm using OpenLDAP 2.4.42 on Ubuntu 16.04.1 LTS. Unfortunately it's built with GnuTLS, which I don't know much about; I would have preferred it to be built with OpenSSL.
So I'm trying to make TLS work, and I added these to slapd.conf:
TLSCipherSuite HIGH:!NULL
TLSCACertificateFile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient never
security ssf=128
I also used certtool (the GnuTLS tool) to validate my certificate.
I can verify my certificate_chain.cer.pem.gnutls with certtool, so the file in itself is okay:
certtool -e --infile certificate_chain.cer.pem.gnutls
Loaded 2 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
I can also verify the whole chain if I make a file containing the 3 certs (CA, intermediate and server):
certtool -e --infile full_chain.pem --verify-hostname p01ldp5001.services.local --verify-purpose 1.3.6.1.5.5.7.3.1
Loaded 3 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Checked against: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
Yet when I try to start the server I get this error:
main: TLS init def ctx failed: -1
Can someone help me with this?
man slapd.conf(5), search for TLS Options for GnuTLS, in particular TLSCipherSuite options.
-Dieter
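Dieter's pointer is to the slapd.conf(5) text saying that with a GnuTLS-built slapd the TLSCipherSuite value is a GnuTLS priority string (NORMAL, SECURE256:!AES-128-CBC, ...) rather than an OpenSSL cipher list such as the posted HIGH:!NULL, and that slapd cannot initialise TLS from a string GnuTLS cannot parse. The checker below is an added example, not code from this thread or from OpenLDAP; its keyword sets come from the GnuTLS and OpenSSL documentation, and the sample configuration is the post's directives, one per line.

```python
import re

# Keywords a GnuTLS priority string may start with (gnutls_priority_init(3)).
GNUTLS_KEYWORDS = {"NONE", "NORMAL", "LEGACY", "PERFORMANCE", "PFS", "SECURE128",
                   "SECURE192", "SECURE256", "SUITEB128", "SUITEB192"}
# OpenSSL cipher-list keywords, which GnuTLS's parser rejects.
OPENSSL_ONLY = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "EXPORT"}
# One slapd.conf directive per line: name, whitespace, value.
DIRECTIVE = re.compile(r"^\s*(TLS\w+|security)\s+(\S.*?)\s*$", re.I | re.M)


def parse_tls_directives(conf):
    """Map lowercased directive name -> value for the TLS/security lines of slapd.conf."""
    return {m.group(1).lower(): m.group(2) for m in DIRECTIVE.finditer(conf)}


def check_gnutls_priority(spec):
    """Findings for a TLSCipherSuite value under GnuTLS: KEYWORD(:[+-!%]MODIFIER)*."""
    findings = []
    head, *mods = spec.split(":")
    if head.upper() in OPENSSL_ONLY:
        findings.append(f"'{head}' is an OpenSSL cipher-list keyword, not a GnuTLS "
                        "priority keyword (use e.g. NORMAL or SECURE256:!AES-128-CBC)")
    elif head.upper() not in GNUTLS_KEYWORDS and not head.startswith("@"):
        findings.append(f"'{head}' is not a GnuTLS priority keyword")
    for tok in mods:  # algorithm names are not validated, only the modifier prefix
        if not tok or tok[0] not in "+-!%":
            findings.append(f"'{tok}' lacks a +/-/!/% prefix")
    return findings


def lint(conf):
    d = parse_tls_directives(conf)
    return check_gnutls_priority(d["tlsciphersuite"]) if "tlsciphersuite" in d else []


# Constructed sample: the post's directives, one per line as slapd.conf reads them.
POSTED = """\
TLSCipherSuite HIGH:!NULL
TLSCACertificateFile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient never
security ssf=128
"""
FIXED = POSTED.replace("HIGH:!NULL", "SECURE256:!AES-128-CBC")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint(conf) or "no findings")
```

The checker only validates the shape of the string; which suites a given priority string actually selects is shown by `gnutls-cli -l --priority '<spec>'`, the check slapd.conf(5) itself points to.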