Hi guys,
I'm struggling to configure my OpenLDAP with TLS (openssl) without success. I'm receiving the following error:
$ sudo slapd -d 3
...
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
5475ca9c main: TLS init failed: -1
My configuration is the following:
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /var/run/slapd/slapd.pid
olcArgsFile: /var/run/slapd/slapd.args
olcIdleTimeout: 7
olcLogLevel: conns filter stats none
olcReferral: ldap://root.openldap.org
olcTLSCACertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateKeyFile: /etc/ldap/server.key.pem
olcTLSVerifyClient: demand
olcTLSRandFile: /dev/urandom
Any clues on how to solve this one?
Hydro Tium wrote:
Hi guys,
I'm struggling to configure my OpenLDAP with TLS (openssl) without success. I'm receiving the following error:
$ sudo slapd -d 3
...
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
5475ca9c main: TLS init failed: -1
gcry implies that you're using gcrypt/GnuTLS, not OpenSSL.
My configuration is the following:
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /var/run/slapd/slapd.pid
olcArgsFile: /var/run/slapd/slapd.args
olcIdleTimeout: 7
olcLogLevel: conns filter stats none
olcReferral: ldap://root.openldap.org
olcTLSCACertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateKeyFile: /etc/ldap/server.key.pem
olcTLSVerifyClient: demand
olcTLSRandFile: /dev/urandom
Any clues on how to solve this one?
Haven't the foggiest. gcrypt is long obsolete/deprecated.
Hi Thum,
Have you removed the line as mentioned?
On 26 Nov 2014, at 13:51, Hydro Tium <hydrotium@gmail.com> wrote:
Hi guys,
I'm struggling to configure my OpenLDAP with TLS (openssl) without success. I'm receiving the following error:
$ sudo slapd -d 3
...
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
5475ca9c main: TLS init failed: -1
My configuration is the following:
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /var/run/slapd/slapd.pid
olcArgsFile: /var/run/slapd/slapd.args
olcIdleTimeout: 7
olcLogLevel: conns filter stats none
olcReferral: ldap://root.openldap.org
olcTLSCACertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateKeyFile: /etc/ldap/server.key.pem
olcTLSVerifyClient: demand
olcTLSRandFile: /dev/urandom
Any clues on how to solve this one?
On Wed, Nov 26, 2014 at 08:51:25AM -0400, Hydro Tium wrote:
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed 5475ca9c main: TLS init failed: -1
olcTLSRandFile: /dev/urandom
When libldap 2.4.39 or older is linked to libgcrypt, olcTLSRandFile should be the path to a socket of egd [1], if you set it at all.
[1] http://egd.sourceforge.net/
The gcrypt documentation says:
EGD is an alternative random gatherer, used only on systems lacking a proper random device.
In 2.4.40 and later gcrypt is no longer used. In this configuration GnuTLS uses a hard-coded list [2] of possible EGD paths, so I think olcTLSRandFile is just ignored.
[2] https://gitorious.org/gnutls/gnutls/source/ed3913fdbc8ffe3b552c0d0f593f17c4e...
In most setups, I think you probably don't need to set olcTLSRandFile at all.
Hope that helps,
Ryan
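As an added example (not code from the thread or from the OpenLDAP project), here is a small Python check for the point Ryan makes: it parses a cn=config LDIF entry, flags an olcTLSRandFile value that is not a Unix socket (the only thing that setting can meaningfully point at when libldap is linked to libgcrypt), and emits the ldapmodify LDIF that removes the attribute. The parser, the function names and the sample entry are assumptions of this example; the sample entry is constructed from the configuration posted above and includes one LDIF-folded line to show the parser handling it.

```python
import os
import stat

# Constructed sample: the cn=config entry from the thread, written as LDIF.
# The olcTLSCertificateKeyFile value is folded across two lines (LDIF
# continuation lines begin with a single space) to exercise the parser.
SAMPLE_CONFIG_LDIF = """dn: cn=config
objectClass: olcGlobal
cn: config
olcReferral: ldap://root.openldap.org
olcTLSCACertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateKeyFile: /etc/ldap/
 server.key.pem
olcTLSVerifyClient: demand
olcTLSRandFile: /dev/urandom
"""


def parse_ldif_entry(text):
    """Minimal LDIF parser for a single entry (hypothetical helper).

    Joins folded continuation lines, skips comments and blank lines, and
    returns a dict of attribute name -> list of values, since LDIF
    attributes may be multi-valued. Base64 ('::') values are not decoded.
    """
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]          # continuation of previous line
        elif raw.strip() and not raw.startswith("#"):
            logical_lines.append(raw)
    attrs = {}
    for line in logical_lines:
        name, _, value = line.partition(":")     # split at the first colon only
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def is_unix_socket(path):
    """True if path exists and is a Unix-domain socket (what EGD provides)."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def check_tls_rand_file(attrs, is_socket=is_unix_socket):
    """Return a list of findings about olcTLSRandFile in a parsed cn=config.

    A value that is not an EGD socket is useless at best: with a
    libgcrypt-linked libldap (2.4.39 or older) TLS init fails, and with
    2.4.40 or later the setting is ignored. The check is injectable so it
    can be exercised without real filesystem objects.
    """
    findings = []
    for value in attrs.get("olcTLSRandFile", []):
        if not is_socket(value):
            findings.append(
                f"olcTLSRandFile {value!r} is not an EGD socket; "
                "remove the attribute (GnuTLS reads /dev/urandom itself)."
            )
    return findings


def delete_rand_file_ldif():
    """LDIF for ldapmodify that removes olcTLSRandFile from cn=config."""
    return "dn: cn=config\nchangetype: modify\ndelete: olcTLSRandFile\n"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_CONFIG_LDIF)
    for finding in check_tls_rand_file(entry):
        print("finding:", finding)
    print("fix with: ldapmodify -Y EXTERNAL -H ldapi:/// -f remove_randfile.ldif")
    print(delete_rand_file_ldif())
```

Run against the real server, dump the entry first with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcTLSRandFile`, feed the output to `parse_ldif_entry`, and if the check reports a finding, apply the generated LDIF with `ldapmodify -Y EXTERNAL -H ldapi:///`; on a cn=config setup this takes effect without restarting slapd, and the next `slapd -d 3` start should no longer log the gcry_control error.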
Hi Ryan,
That's very nice to know!
Many thanks!
On Wed, Nov 26, 2014 at 11:31 AM, Ryan Tandy ryan@nardis.ca wrote:
On Wed, Nov 26, 2014 at 08:51:25AM -0400, Hydro Tium wrote:
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed 5475ca9c main: TLS init failed: -1
olcTLSRandFile: /dev/urandom
When libldap 2.4.39 or older is linked to libgcrypt, olcTLSRandFile should be the path to a socket of egd [1], if you set it at all.
[1] http://egd.sourceforge.net/
The gcrypt documentation says:
EGD is an alternative random gatherer, used only on systems lacking a proper random device.
In 2.4.40 and later gcrypt is no longer used. In this configuration GnuTLS uses a hard-coded list [2] of possible EGD paths, so I think olcTLSRandFile is just ignored.
[2] https://gitorious.org/gnutls/gnutls/source/ed3913fdbc8ffe3b552c0d0f593f17c4e1a273d5:lib/nettle/egd.c#L98
In most setups, I think you probably don't need to set olcTLSRandFile at all.
Hope that helps,
Ryan
openldap-technical@openldap.org