Hello,

I try to create a openLdap + TLS server for my university laboratory.

My configuration is :
Linux ***** 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux
slapd 2.4.23  (This version use gnutls library)

I apply this tutorial on help.ubuntu.com (see TLS and SSL section)
 https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

The command i use to make the auto-signed certificate
:
(with cn=localhost in my localhost.info and ca.info)

sh -c "certtool --generate-privkey > /etc/ssl/myLdapKey/cakey.pem"

certtool --generate-self-signed --load-privkey /etc/ssl/myLdapKey/cakey.pem --template /etc/ssl/myLdapKey/ca.info --outfile /etc/ssl/myLdapKey/cacert.pem

sh -c "certtool --generate-privkey > /etc/ssl/myLdapKey/localhost_slapd_key.pem"

After that :


adduser openldap ssl-cert
chgrp ssl-cert /etc/ssl/myLdapKey/localhost_slapd_key.pem
chmod g+r /etc/ssl/myLdapKey/localhost_slapd_key.pem

-I add the cert path info file into ldap with a file, tls-config.ldif which contain :


dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/myLdapKey/cacert.pem

dd: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/myLdapKey/localhost_slapd_cert.pem

add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/myLdapKey/localhost_slapd_key.pem

ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif

I uncomment this in my etc/default/slapd

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

After, i use for my client  in my ldap.conf :

BASE dc=parisgeo,dc=cnrs,dc=fr
URI ldap://localhost
SSL start_tls
TLS_CACERT /etc/ssl/myLdapKey/cacert.pem
TLS_REQCERT demand

I restart server with succes, but when i try to connect, i have this error (botom off this mail),

do you have an explanation ? Thanks a lot if you can help me ...

Best regards, SR.

root@*****:/etc/ldap# ldapsearch -x -LLL -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x978b280 msgid 1
wait4msg ld 0x978b280 msgid 1 (infinite timeout)
wait4msg continue ld 0x978b280 msgid 1 all 1
** ld 0x978b280 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Dec  7 16:29:19 2011


** ld 0x978b280 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x978b280 request count 1 (abandoned 0)
** ld 0x978b280 Response Queue:
   Empty
  ld 0x978b280 response count 0
ldap_chkResponseList ld 0x978b280 msgid 1 all 1
ldap_chkResponseList returns ld 0x978b280 NULL
ldap_int_select
read1msg: ld 0x978b280 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x978b280 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x978b280 0 new referrals
read1msg:  mark request completed, ld 0x978b280 msgid 1
request done: ld 0x978b280 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Connect error (-11)
    additional info: A TLS packet with unexpected length was received.


--
SR.