I ran the following command on my setup and found some error.

openssl s_client -connect ldap-company.com:636 -showcerts -CAfile /etc/ssl/certs/ca-cert.pem

Some of the errors that I saw were :

verify error:num=20:unable to get local issuer certificate
verify return:1

verify error:num=27:certificate not trusted
verify return:1

verify error:num=21:unable to verify the first certificate
verify return:1

But eventually, I got connected with the last few lines as :

    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 52B3C73421E31E563441A84F8149AB5EB7A92D62FB28F3E01CE73707164265A0
    Master-Key: B56391251B286C25A411BDD77DA61299BBC6E9F8899972EB02CB2E82FAE7F3708473B832CECD16D64A64EC1BEAB6DF6D
    Key-Arg   : None
    Start Time: 1248069588
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Is it normal?

If it is normal, then Can I consider that my certificates are Ok and the problem lies somewhere else?

Please suggest.


On Wed, Jul 15, 2009 at 11:06 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
Hi Matt,

Thank you very much for your kind support so as to resolve the issue that I was facing for so long.

Here is what I did as per Matt's suggestion and it worked.

1. I used certtools to generate the key and certificate files.
2. I used them instead of the old ones that were supposed to be generated by gnutls.
3. Change the ownership and permission of private dire to root:ssl-cert and 755
4. Restart slapd

and slapd restarted without any issues.

I am able to search ldap using ldaps now instead of ldaps.

But I have one issue remaining :

I have the following entry in ldap.conf


The moment I change it to


the search starts throwing error :

# ldapsearch -d5 -x -H ldaps://ldap-comany.com -b dc=ldap-comany,dc=com
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP ldap-comany.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The port 636 is listening :

tcp        0      0   *               LISTEN
tcp6       0      0 :::10636                :::*                    LISTEN
tcp6       0      0 :::636                  :::*                    LISTEN

Is there anything else that I need to do further?

Thanks again.


On Tue, Jul 14, 2009 at 10:52 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
Hi Matt,

openldap user is already a part of ssl-cert group.

Regarding apparmor, I am very much new to this. But I did some research on this and did some changes like :

1. moving the /usr/sbin/slapd profile to complain mode and
2. changing the following lines in /etc/apparmor.d/usr.sbin.slapd from :

/etc/ssl/private/ r,
/etc/ssl/private/* r,


/etc/ssl/private/ mixr,
/etc/ssl/private/* mixr,

After the changes, I did the following :

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove

/etc/init.d/apparmor start
update-rc.d apparmor defaults

But it yields no positive result.

Is there anything else that I need to do?

Please let me know.

Thank you very much for the reply.


On Mon, Jul 13, 2009 at 8:29 PM, Matt Kassawara <battery@writeme.com> wrote:
Make sure slapd can read the certs and private key.  In addition to typical ownership and permissions, the openldap user should belong to the ssl-cert group and the slapd AppArmor profile must allow access to the directories containing your certs.

On Mon, Jul 13, 2009 at 5:22 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:

I ran the command "slapd -d 16383" and attached is the output of the same in case it may prove to be useful.

In this output, ldap-company.com.crt is server.crt as defined in in my earlier mails. I have changed it to try some luck, but it was fruitless.


On Mon, Jul 13, 2009 at 10:55 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
Hi Matt,

I created the certificates following the procedure defined in https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html

I created a CA and signed the certificate as defined the steps.

The ownership is of openldap:openldap for cacert.pem and server.crt and openldap:ssl-cert for server.key.

rwx permission is 644 for all the three.

Thanks for the reply.


On Fri, Jul 10, 2009 at 7:47 PM, Matt Kassawara <battery@writeme.com> wrote:
How did you create the certificates?  Can slapd read them?

On Fri, Jul 10, 2009 at 5:00 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
Hi All,

I am currently busy configuring OpenLdap on my newly installed Ubuntu 9.04.

Here is what I have done till now.

I followed the steps defined in https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html and installation was successful. I installed PhpLdapAdmin also.

After I created certificate, key etc, I created a .ldif file (enable-ca.ldif) with the following content :

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server.crt
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server.key

Then I executed the command :

ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif

and it was a success.

But after this, when I tried to restart slapd, I got errors like the following :

main: TLS init def ctx failed: -1

I noticed that after I executed "ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif", 3 lines are added to /etc/ldap/slapd.d/cn=config.ldif and when I commented the last two lines like the following,  slapd started successfully.

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
#olcTLSCertificateFile: /etc/ssl/certs/server.crt
#olcTLSCertificateKeyFile: /etc/ssl/private/server.key

This looks quite strange.

Please help me resolving the same.