Alright, it's clear.
The section in Debian's ldap.conf has the following content,
Specifies the file that contains the slapd server private key that
matches the certificate stored in the TLSCertificateFile file. Currently, the private key
must not be
protected with a password, so it is of critical importance that it is
When using Mozilla NSS, TLSCertificateKeyFile specifies the name of a file
that contains the password for the key for the certificate specified with
The modutil command can be used to turn off password protection for
the cert/key database. For example, if TLSCACertificatePath specifies /etc/openldap/certdb
location of the cert/key database, use modutil to change the password to the
modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate
You must have the old password, if any. Ignore the WARNING about the
running browser. Press 'Enter' for the new password.
Reading this info, I would not expect it is not valid in ldap.conf since it is not pointed
Nevertheless I could have read further.
If you allow me to ask you something about gnutls directly, do you still stand behind the
statement you made here,
I know it's out of date but you said 'the code is fundamentally broken'.
I'm not knowledgeable about the internals of gnutls but I am very curious if you changed
your mind since then.
On Mon, Apr 20, 2015 at 02:46:28PM -0500, Dan White wrote:
On 04/20/15 20:07 +0200, E.therepa wrote:
>Dear Tech list,
>I'd like to use CRL's to regulate client connections to my slapd server.
>So I've built working certs and keys with gnutls. The whole keysetup is tested
>and working properly,
>by invoking gnu-serv and gnu-cli I could successfully create connections and drop
>clients in my revocation list.
>In order to use this in slapd/ldap utils i use this settings,
># TLS certificates (needed for GnuTLS)
This is a user only option. See ldap.conf(5).
>55353d59 slapd starting
>55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636)
>TLS: can't accept: No certificate was found..
>55353d5b conn=1000 fd=16 closed (TLS negotiation failure)
>ldap_start_tls: Can't contact LDAP server (-1)
>ldap_free_connection 1 1
>ber_flush2: 7 bytes to sd 4
> 0000: 30 05 02 01 02 42 00 0....B.
>ldap_write: want=7 error=Broken pipe
>ldap_free_connection: actually freed
>As far as I can see and found info my client and server's TLS settings are configured
>What I really don't get is that the client doesn't send his certs to the server.
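The failure in this thread (TLS_CERT and TLS_KEY placed in the system-wide ldap.conf, where they are user-only options and therefore ignored, so the client never presents a certificate) is easy to catch before slapd logs "No certificate was found". The following linter is an added example, not code from the thread or from the OpenLDAP project. It assumes the ldap.conf(5) rules that TLS_CERT and TLS_KEY are user-only (honoured only in ~/.ldaprc), that TLS_REQCERT defaults to demand, and that client-side CRL checking is configured with TLS_CRLFILE under GnuTLS and TLS_CRLCHECK under OpenSSL; the file paths and sample configurations below are constructed for the example.

```python
"""Lint OpenLDAP client TLS settings split across the system-wide ldap.conf
and a user's ~/.ldaprc.  Added example; not the thread's or OpenLDAP's code.
Assumes ldap.conf(5) semantics: TLS_CERT/TLS_KEY are user-only options,
TLS_REQCERT defaults to 'demand', TLS_CRLFILE is the GnuTLS CRL option and
TLS_CRLCHECK the OpenSSL one."""
from typing import Dict, List

# Options ldap.conf(5) documents as user-only: ignored in the system-wide file.
USER_ONLY = {"TLS_CERT", "TLS_KEY"}
# TLS_REQCERT levels that accept an unverifiable server certificate.
WEAK_REQCERT = {"never", "allow"}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf syntax: 'KEYWORD value' per line, '#' comments,
    case-insensitive keywords; a later line overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def lint(system_conf: str, user_rc: str) -> List[str]:
    """Return human-readable findings; an empty list means no problem found."""
    findings: List[str] = []
    sys_s = parse_ldap_conf(system_conf)
    usr_s = parse_ldap_conf(user_rc)

    # 1. User-only options in the system-wide file are silently ignored,
    #    so the client connects without ever offering a certificate.
    for key in sorted(USER_ONLY & sys_s.keys()):
        findings.append(f"{key} in system-wide ldap.conf is ignored; put it in ~/.ldaprc")

    # 2. Client-certificate auth needs both the cert and its key in ~/.ldaprc.
    if ("TLS_CERT" in usr_s) != ("TLS_KEY" in usr_s):
        findings.append("TLS_CERT and TLS_KEY must both be set in ~/.ldaprc")

    # Effective view: the user file overrides the system file.
    effective = {**sys_s, **usr_s}

    # 3. 'never'/'allow' accept servers whose certificate fails verification.
    reqcert = effective.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert} disables server certificate verification")

    # 4. Without a CRL source, a revoked server certificate is still accepted.
    crlcheck = effective.get("TLS_CRLCHECK", "none").lower()
    if crlcheck == "none" and "TLS_CRLFILE" not in effective:
        findings.append("no CRL checking: set TLS_CRLFILE (GnuTLS) or TLS_CRLCHECK (OpenSSL)")
    return findings


# Constructed sample inputs (paths are illustrative, not from any real host).
SYSTEM_CONF_BAD = """\
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_CERT   /etc/ssl/certs/example-client.pem
TLS_KEY    /etc/ssl/private/example-client.key
TLS_REQCERT allow
"""
USER_RC_EMPTY = ""

SYSTEM_CONF_OK = """\
TLS_CACERT  /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
TLS_CRLFILE /etc/ssl/crl/example.crl
"""
USER_RC_OK = """\
TLS_CERT /home/alice/.ldap/client.pem
TLS_KEY  /home/alice/.ldap/client.key
"""

if __name__ == "__main__":
    for label, conf, rc in (("before", SYSTEM_CONF_BAD, USER_RC_EMPTY),
                            ("after", SYSTEM_CONF_OK, USER_RC_OK)):
        print(label, lint(conf, rc) or ["ok"])
```

Running the block prints four findings for the first pair (the two ignored user-only options, the weak TLS_REQCERT level, and the missing CRL source) and "ok" for the corrected split, where the certificate and key live in ~/.ldaprc and the CA and CRL settings stay in the system-wide file.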