Hello,
I am trying to set up an OpenLDAP + TLS server for my university laboratory.
My configuration is: Linux ***** 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux, slapd 2.4.23 (this version uses the GnuTLS library).
I applied the tutorial on help.ubuntu.com (see the TLS and SSL section): https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

The commands I used to make the self-signed certificate (with cn=localhost in my localhost.info and ca.info):

sh -c "certtool --generate-privkey > /etc/ssl/myLdapKey/cakey.pem"
certtool --generate-self-signed --load-privkey /etc/ssl/myLdapKey/cakey.pem --template /etc/ssl/myLdapKey/ca.info --outfile /etc/ssl/myLdapKey/cacert.pem
sh -c "certtool --generate-privkey > /etc/ssl/myLdapKey/localhost_slapd_key.pem"

After that:

adduser openldap ssl-cert
chgrp ssl-cert /etc/ssl/myLdapKey/localhost_slapd_key.pem
chmod g+r /etc/ssl/myLdapKey/localhost_slapd_key.pem

I add the certificate path information into LDAP with a file, tls-config.ldif, which contains:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/myLdapKey/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/myLdapKey/localhost_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/myLdapKey/localhost_slapd_key.pem
ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif

I uncommented this in my /etc/default/slapd:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

Then, for my client, I use this in my ldap.conf:

BASE dc=parisgeo,dc=cnrs,dc=fr
URI ldap://localhost ldaps://localhost
SSL start_tls
TLS_CACERT /etc/ssl/myLdapKey/cacert.pem
TLS_REQCERT demand

I restarted the server successfully, but when I try to connect I get the error below (at the bottom of this mail). Do you have an explanation? Thanks a lot if you can help me...

Best regards, SR.
root@*****:/etc/ldap# ldapsearch -x -LLL -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x978b280 msgid 1
wait4msg ld 0x978b280 msgid 1 (infinite timeout)
wait4msg continue ld 0x978b280 msgid 1 all 1
** ld 0x978b280 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Dec 7 16:29:19 2011

** ld 0x978b280 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x978b280 request count 1 (abandoned 0)
** ld 0x978b280 Response Queue:
   Empty
  ld 0x978b280 response count 0
ldap_chkResponseList ld 0x978b280 msgid 1 all 1
ldap_chkResponseList returns ld 0x978b280 NULL
ldap_int_select
read1msg: ld 0x978b280 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x978b280 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x978b280 0 new referrals
read1msg:  mark request completed, ld 0x978b280 msgid 1
request done: ld 0x978b280 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Connect error (-11)
	additional info: A TLS packet with unexpected length was received.
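To separate the two stages the debug output above runs through, here is an added diagnostic (my own code, not from the Ubuntu tutorial or from OpenLDAP) that sends the same StartTLS extended request ldapsearch sends (31 bytes out, a 12-byte extended-result back), checks the resultCode, and only then attempts the TLS handshake verified against the CA file; the host, port and CA path are assumptions taken from the configuration in the mail. A resultCode other than 0 means slapd refused StartTLS before any TLS traffic; a handshake that fails with an EOF or unexpected-length error after resultCode 0 was cut short on the server side, so the slapd log is the next place to look rather than the client's ldap.conf, while a certificate that cannot be verified against TLS_CACERT shows up as a distinct verification error from the ssl module.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)
def ber_len(n: int) -> bytes:  # definite BER length: short form below 128, 2-byte long form otherwise
    return bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
def build_starttls_request(msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    req_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + ber_len(len(req_name)) + req_name
    body = b"\x02\x01" + bytes([msgid]) + ext_req
    return b"\x30" + ber_len(len(body)) + body  # 31 bytes, matching the ber_flush2 line in the log
def _tlv(buf: bytes, pos: int):  # decode one BER tag/length/value at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_extended_response(data: bytes) -> dict:
    """Extract messageID, resultCode and errorMessage from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    tag, resp, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("unexpected response tag 0x%02x" % tag)
    _, code, pos = _tlv(resp, 0)        # resultCode ENUMERATED
    _, _matched, pos = _tlv(resp, pos)  # matchedDN
    _, err, _ = _tlv(resp, pos)         # errorMessage
    return {"msgid": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "error": err.decode("utf-8", "replace")}

def probe_starttls(host="localhost", port=389, cafile="/etc/ssl/myLdapKey/cacert.pem") -> dict:
    """Send StartTLS, then attempt the TLS handshake verified against cafile (assumed paths)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_starttls_request())
        result = parse_extended_response(sock.recv(4096))  # the 14-byte reply arrives in one read
        if result["result_code"] != 0:  # server refused StartTLS before any TLS traffic
            return result
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["peer_subject"] = tls.getpeercert()["subject"]
        except (ssl.SSLError, OSError) as exc:  # EOF mid-handshake: the server side aborted TLS
            result["tls_error"] = str(exc)
    return result
# Constructed sample: the 12-byte extended-result from the debug log (resultCode 0, empty DN and message).
SAMPLE_RESPONSE = bytes.fromhex("300c02010178070a010004000400")
```

Run `probe_starttls()` on the client host with the server up; the returned dict tells you whether the failure is the extended operation, the handshake, or certificate verification.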