Hello
I am trying to configure OpenLDAP on CentOS 6.8 with SSL.
LDAP version : @(#) $OpenLDAP: slapd 2.4.40 (May 10 2016 23:30:49) $ mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
LDAP service is running with ldaps:// support:
ps -ef | grep slap
ldap     22182     1  0 20:07 ?        00:00:00 /usr/sbin/slapd -h ldap:/// ldaps:/// ldapi:/// -u ldap
root     22193 22118  0 20:07 pts/0    00:00:00 grep slap

netstat -plane | grep 636
tcp        0      0 0.0.0.0:636      0.0.0.0:*      LISTEN      0      45649460   22182/slapd
tcp        0      0 :::636           :::*           LISTEN      0      45649461   22182/slapd
When I try to do an LDAP search, it fails to connect and the log shows:
Dec 31 13:02:12 slap01 slapd[23776]: conn=1119 fd=13 ACCEPT from IP=xx.xx.xx.xx:45426 (IP=0.0.0.0:636)
Dec 31 13:02:12 slap01 slapd[23776]: conn=1119 fd=13 closed (TLS negotiation failure)
My /etc/openldap/slapd.conf file has the following lines:
TLSCACertificateFile /etc/letsencrypt/live/slap01.domain.tld/fullchain.pem
TLSCertificateFile /etc/letsencrypt/live/slap01.domain.tld/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/slap01.domain.tld/privkey.pem
What else do I need to make OpenLDAP work with my Let's Encrypt SSL certificate?
I've tried adding:
TLSCACertificatePath /usr/share/pki/ca-trust-source
But no success.
Kind regards
Jonas.
Jonas Kellens wrote:
I am trying to configure OpenLDAP on CentOS 6.8 with SSL.
Note that OpenLDAP builds on RHEL/CentOS are linked against libnss and you likely have to deal with certutil to prepare the cert and key DB.
Unfortunately, even though the config directives use the very same names, they have different meaning when linked against libnss. Personally I consider this as a serious design flaw of the libnss support.
Example (from my memory):
# *directory* with libnss DB files
TLSCACertificatePath /etc/openldap/certs
# key alias used for server key
TLSCertificateFile server-key-alias
# pass-phrase file for using key DB file
TLSCertificateKeyFile /etc/openldap/certs/password
Ciao, Michael.
openldap-technical@openldap.org
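The following script is an added example, not code from either poster or from the OpenLDAP project. It turns the Let's Encrypt PEM files named in the original post into the libnss certificate/key DB that Michael describes, and prints the three slapd.conf directives in their NSS meaning (DB directory, nickname, pass-phrase file). It assumes nss-tools (certutil, pk12util) and openssl are installed; the DB directory /etc/openldap/certs, the nickname slap01-server and the pass-phrase file name are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build a libnss cert/key DB for the
# NSS-linked slapd on CentOS 6 from the Let's Encrypt PEM files named in the
# post, then print the slapd.conf directives in their NSS meaning.
# Assumptions: nss-tools (certutil, pk12util) and openssl are installed;
# CERTDB, NICK and PWFILE are made-up values, change them as needed.

LE_DIR="/etc/letsencrypt/live/slap01.domain.tld"   # paths from the post
CERTDB="/etc/openldap/certs"                       # assumed NSS DB directory
NICK="slap01-server"                               # assumed key/cert nickname
PWFILE="$CERTDB/password"                          # assumed pass-phrase file

# slapd.conf directives for an NSS-linked build: a DB *directory*, a
# nickname, and a pass-phrase file, not PEM paths as with OpenSSL builds.
nss_slapd_conf() {
    printf 'TLSCACertificatePath %s\n' "$1"
    printf 'TLSCertificateFile %s\n' "$2"
    printf 'TLSCertificateKeyFile %s\n' "$3"
}

# Import every certificate after the first (the server cert itself) from a
# fullchain.pem as a trusted CA, one certutil call per certificate, since
# certutil -A reads only the first PEM block of a file.
import_intermediates() {
    chain="$1"; certdb="$2"
    tmpd=$(mktemp -d)
    awk -v d="$tmpd" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/ca-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$chain"
    for pem in "$tmpd"/ca-*.pem; do
        case "$pem" in */ca-1.pem) continue ;; esac   # skip the leaf
        certutil -A -d "$certdb" -n "$(basename "$pem" .pem)" -t "CT,," -a -i "$pem"
    done
    rm -rf "$tmpd"
}

build_nss_db() {
    le_dir="$1"; certdb="$2"; nick="$3"; pwfile="$4"
    mkdir -p "$certdb"
    if [ ! -f "$pwfile" ]; then                       # random DB pass-phrase
        (umask 077; head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$pwfile")
    fi
    if [ ! -f "$certdb/cert8.db" ] && [ ! -f "$certdb/cert9.db" ]; then
        certutil -N -d "$certdb" -f "$pwfile"        # create an empty DB
    fi
    import_intermediates "$le_dir/fullchain.pem" "$certdb"
    # server cert + key go in through PKCS#12; -name becomes the NSS nickname
    p12=$(mktemp)
    openssl pkcs12 -export -in "$le_dir/cert.pem" -inkey "$le_dir/privkey.pem" \
        -name "$nick" -passout "file:$pwfile" -out "$p12"
    pk12util -i "$p12" -d "$certdb" -k "$pwfile" -w "$pwfile"
    rm -f "$p12"
    chown -R ldap:ldap "$certdb"                     # slapd runs with -u ldap
    chmod 600 "$pwfile"
    nss_slapd_conf "$certdb" "$nick" "$pwfile"
}

case "${1:-}" in
    build) build_nss_db "$LE_DIR" "$CERTDB" "$NICK" "$PWFILE" ;;
    conf)  nss_slapd_conf "$CERTDB" "$NICK" "$PWFILE" ;;
esac
```

Run it as root with the `build` argument, replace the three PEM-path directives in slapd.conf with the lines it prints, restart slapd, and check the handshake with `openssl s_client -connect slap01.domain.tld:636 -showcerts`. Because Let's Encrypt certificates are reissued every 90 days, the import step has to be repeated after each renewal (for example from a certbot deploy hook) or the ldaps:// listener will start failing again with the same "TLS negotiation failure" once the cert in the DB expires.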