Hello,
I try to create a openLdap + TLS server for my university laboratory.
My configuration is :
Linux ***** 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux
slapd 2.4.23 (This version use gnutls library)
I apply this tutorial on help.ubuntu.com (see TLS and SSL section)
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
The command i use to make the auto-signed certificate :
(with cn=localhost in my localhost.info and ca.info)
sh -c "certtool --generate-privkey > /etc/ssl/myLdapKey/cakey.pem"
certtool --generate-self-signed --load-privkey /etc/ssl/myLdapKey/cakey.pem --template /etc/ssl/myLdapKey/ca.info --outfile /etc/ssl/myLdapKey/cacert.pem
sh -c "certtool --generate-privkey > /etc/ssl/myLdapKey/localhost_slapd_key.pem"
After that :
adduser openldap ssl-cert
chgrp ssl-cert /etc/ssl/myLdapKey/localhost_slapd_key.pem
chmod g+r /etc/ssl/myLdapKey/localhost_slapd_key.pem
-I add the cert path info file into ldap with a file, tls-config.ldif which contain :
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/myLdapKey/cacert.pem
dd: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/myLdapKey/localhost_slapd_cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/myLdapKey/localhost_slapd_key.pem
ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif
I uncomment this in my etc/default/slapd
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
After, i use for my client in my ldap.conf :
BASE dc=parisgeo,dc=cnrs,dc=fr
URI ldap://localhost
SSL start_tls
TLS_CACERT /etc/ssl/myLdapKey/cacert.pem
TLS_REQCERT demand
I restart server with succes, but when i try to connect, i have this error (botom off this mail),
do you have an explanation ? Thanks a lot if you can help me ...
Best regards, SR.
root@*****:/etc/ldap# ldapsearch -x -LLL -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x978b280 msgid 1
wait4msg ld 0x978b280 msgid 1 (infinite timeout)
wait4msg continue ld 0x978b280 msgid 1 all 1
** ld 0x978b280 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Dec 7 16:29:19 2011
** ld 0x978b280 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x978b280 request count 1 (abandoned 0)
** ld 0x978b280 Response Queue:
Empty
ld 0x978b280 response count 0
ldap_chkResponseList ld 0x978b280 msgid 1 all 1
ldap_chkResponseList returns ld 0x978b280 NULL
ldap_int_select
read1msg: ld 0x978b280 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x978b280 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x978b280 0 new referrals
read1msg: mark request completed, ld 0x978b280 msgid 1
request done: ld 0x978b280 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: A TLS packet with unexpected length was received.