Hi all
I am writing to you because I can't manage to configure my OpenLDAP with TLS.
First I created a self-signed certificate, server.pem, as described on this page http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#5.1.1, in /usr/local/etc/openldap/tls.
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
Then I added these lines in slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/tls/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/tls/server.pem
TLSCACertificateFile /usr/local/etc/opendldap/tls/server.pem
TLSVerifyClient never
Then I restarted slapd: /usr/local/etc/rc.d/slapd stop, start.
And in my /var/log/debug.log I have:
Jul 2 12:18:39 labobe2 slapd[97816]: main: TLS init def ctx failed: -1
Jul 2 12:18:39 labobe2 slapd[97816]: slapd destroy: freeing system resources.
Jul 2 12:18:39 labobe2 slapd[97816]: syncinfo_free: rid=001
Jul 2 12:18:39 labobe2 slapd[97816]: slapd stopped.
I use FreeBSD 7.
If someone can help me, I would appreciate it; thanks in advance.
Regards,
François
François Mehault wrote:
Hi all
I am writing to you because I can't manage to configure my OpenLDAP with TLS.
First I created a self-signed certificate, server.pem, as described on this page http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#5.1.1, in /usr/local/etc/openldap/tls.
You should not have done that. The steps in section 4.1 of that document (Self Signed Certificate) violate most of the best practices for certificate management. I have asked that this section be removed from the document, it should be disappearing from the web site soon.
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365
This is a terrible way to generate a server certificate. Instead you should generate a CA, following the steps in (the current) section 4.2.
Then I added these lines in slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/tls/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/tls/server.pem
TLSCACertificateFile /usr/local/etc/opendldap/tls/server.pem
TLSVerifyClient never
Then I restarted slapd: /usr/local/etc/rc.d/slapd stop, start.
And in my /var/log/debug.log I have:
Jul 2 12:18:39 labobe2 slapd[97816]: main: TLS init def ctx failed: -1
Jul 2 12:18:39 labobe2 slapd[97816]: slapd destroy: freeing system resources.
Jul 2 12:18:39 labobe2 slapd[97816]: syncinfo_free: rid=001
Jul 2 12:18:39 labobe2 slapd[97816]: slapd stopped.
I use FreeBSD 7.
If someone can help me, I would appreciate it; thanks in advance.
Use "rc.d/slapd start -d -1" and see what error messages are printed on stderr. syslog is useless for diagnostics.
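As an added illustration of the advice above (this is not code from the thread or from the OpenLDAP project), the following POSIX shell script builds a private CA and a CA-signed server certificate instead of a single self-signed file, then runs the checks a slapd.conf TLS stanza should pass before the server is restarted: the chain verifies against the CA, the certificate's public key matches the private key, and every file named by a TLS* directive exists and is readable. The last check is what would catch a mistyped directory such as the one in the quoted TLSCACertificateFile line. Host names, subjects and paths are constructed for the example; it assumes an openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example: private CA + CA-signed server certificate for slapd, plus
# pre-restart sanity checks. Not part of the original thread or of OpenLDAP.
# Assumptions (constructed): openssl on PATH, names like ldap.example.test.
set -eu

# Create a CA key/cert and a server key/cert signed by that CA under $1.
# Only the CA certificate is self-signed; the server certificate is not.
make_ca_and_server_cert() {
    dir=$1
    host=${2:-ldap.example.test}            # constructed host name
    mkdir -p "$dir"
    # 1. Private CA: key plus self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/CN=Example Private CA" >/dev/null 2>&1
    # 2. Server key and certificate signing request (CN = LDAP host name).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    # 3. The CA signs the request, producing the server certificate.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -out "$dir/server-cert.pem" >/dev/null 2>&1
    # Private keys must not be world-readable (slapd only needs to read them).
    chmod 600 "$dir/cakey.pem" "$dir/server-key.pem"
}

# Return 0 if the server certificate ($2) chains to the CA certificate ($1).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the certificate ($1) and private key ($2) carry the same
# public key; a mismatch is a common cause of TLS initialisation failures.
cert_matches_key() {
    tmp=$(mktemp -d)
    openssl x509 -noout -pubkey -in "$1" > "$tmp/cert.pub"
    openssl pkey -pubout -in "$2" > "$tmp/key.pub" 2>/dev/null
    if cmp -s "$tmp/cert.pub" "$tmp/key.pub"; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# Read a slapd.conf ($1) and confirm every TLS file directive points at a
# readable file. Prints each missing path; returns 1 if any is missing.
check_slapd_tls_paths() {
    missing=0
    while read -r key val; do
        case $key in
            TLSCertificateFile|TLSCertificateKeyFile|TLSCACertificateFile)
                [ -r "$val" ] || { echo "missing: $key $val"; missing=1; }
                ;;
        esac
    done < "$1"
    return $missing
}

# Stand-alone demo: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_ca_and_server_cert "$d"
    verify_chain "$d/cacert.pem" "$d/server-cert.pem" && echo "chain: OK"
    cert_matches_key "$d/server-cert.pem" "$d/server-key.pem" && echo "key: OK"
    printf 'TLSCertificateFile %s\nTLSCertificateKeyFile %s\nTLSCACertificateFile %s\n' \
        "$d/server-cert.pem" "$d/server-key.pem" "$d/cacert.pem" > "$d/slapd.conf"
    check_slapd_tls_paths "$d/slapd.conf" && echo "paths: OK"
fi
```

The three check functions are deliberately separate so that each failure mode gives a distinct answer before slapd is even started; with the files in place, the TLS directives in slapd.conf would name server-cert.pem, server-key.pem and cacert.pem respectively, and clients would be given cacert.pem as their trust anchor.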
This is a terrible way to generate a server certificate. Instead you should generate a CA, following the steps in (the current) section 4.2.
I am going to test
Use "rc.d/slapd start -d -1" and see what error messages are printed on stderr. syslog is useless for diagnostics.
I see nothing on stderr; did I forget something?
<14:46>[labobe2:/usr/local/etc/rc.d]# ./slapd start -d -1
Starting slapd.
<14:46>[labobe2:/usr/local/etc/rc.d]# ps auwx | grep slapd
<14:46>[labobe2:/usr/local/etc/rc.d]#
slapd_enable="YES"
slapd_flags=' -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
-----Original Message----- From: openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org [mailto:openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org] On behalf of Olivier Nicole Sent: Thursday 2 July 2009 13:02 To: François Mehault Cc: openldap-technical@openldap.org Subject: Re: TLS init def ctx failed: -1
Francois,
I am writing to you because I can't manage to configure my OpenLDAP with TLS.
Just to be sure, what slapd_flags do you have in /etc/rc.conf?
Olivier