François Mehault wrote:
Hi all
I contact you because I don’t succeed to configure my OpenLDAP with TLS.
First I create self signed certificate server.pem like I read on this page http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#5.1.1 in /usr/local/etc/openldap/tls.
You should not have done that. The steps in section 4.1 of that document (Self Signed Certificate) violate most of the best practices for certificate management. I have asked that this section be removed from the document, it should be disappearing from the web site soon.
|*openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365*|
This is a terrible way to generate a server certificate. Instead you should generate a CA, following the steps in (the current) section 4.2.
|* *|
Then I add this line in slapd.conf :
TLSCertificateFile /usr/local/etc/openldap/tls/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/tls/server.pem
TLSCACertificateFile /usr/local/etc/opendldap/tls/server.pem
TLSVerifyClient never
Then I restart slapd. /usr/local/etc/rc.d/slapd stop , start.
And in my /var/log/debug.log I have
Jul 2 12:18:39 labobe2 slapd[97816]: main: TLS init def ctx failed: -1
Jul 2 12:18:39 labobe2 slapd[97816]: slapd destroy: freeing system resources.
Jul 2 12:18:39 labobe2 slapd[97816]: syncinfo_free: rid=001
Jul 2 12:18:39 labobe2 slapd[97816]: slapd stopped.
I use FreeBSD 7.
If someone can help me, I appreciate, thanks in advance
Use "rc.d/slapd start -d -1" and see what error messages are printed on stderr. syslog is useless for diagnostics.