Hi,
I am trying to configure TLS for my LDAP server. After successfully creating the files below, I try to start the LDAP server and it fails.
/etc/openldap/cacerts/cacert.pem
/etc/openldap/cacerts/slapd-cert.pem
/etc/openldap/cacerts/slapd-key.pem
The log shows the messages below:
main: TLS init def ctx failed: -1
slapd stopped.
connections_destroy: nothing to destroy.
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem

database bdb
suffix "dc=comverse-in,dc=com"
rootdn "cn=Manager,dc=comverse-in,dc=com"
rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr
/etc/openldap/ldap.conf:
BASE dc=comverse-in,dc=com
URI ldaps://devonly144.comverse-in.com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
/etc/ldap.conf:
base dc=comverse-in,dc=com
uri ldaps://devonly144.comverse-in.com
ssl on
Thanks and Regards, Naga chaitanya
=============================================================================== Please refer to http://www.aricent.com/legal/email_disclaimer.html for important disclosures regarding this electronic communication. ===============================================================================
On 04/08/11 19:53 +0530, Naga Chaitanya Palle wrote:
I am trying to configure TLS for my LDAP server. After successfully creating the files below, I try to start the LDAP server and it fails.
/etc/openldap/cacerts/cacert.pem
/etc/openldap/cacerts/slapd-cert.pem
/etc/openldap/cacerts/slapd-key.pem
The log shows the messages below:
main: TLS init def ctx failed: -1
slapd stopped.
connections_destroy: nothing to destroy.
What command line options are you passing to slapd? What version? What SSL library is your slapd linked against?
Do you get any helpful information while starting slapd in debug mode ('-d -1')?
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
Does your openldap user/group have read access to all three files? Does commenting out your 'TLSCipherSuite' option make any difference?
database bdb
suffix "dc=comverse-in,dc=com"
rootdn "cn=Manager,dc=comverse-in,dc=com"
rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr
/etc/openldap/ldap.conf:
BASE dc=comverse-in,dc=com
URI ldaps://devonly144.comverse-in.com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
/etc/ldap.conf:
base dc=comverse-in,dc=com
uri ldaps://devonly144.comverse-in.com
ssl on
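The questions above amount to a checklist that can be run before slapd is started. The Python below is an added example, not code from this thread or from OpenLDAP: it parses the TLS* directives out of a slapd.conf text, checks that each referenced file exists and is readable by the slapd user, that the private key is not passphrase-protected and not world-readable, and that TLSCipherSuite does not enable SSLv2. Everything in demo() is constructed: the current user stands in for the ldap user, the directories live under a temporary directory, and the PEM bodies are placeholders with only the headers that matter.

```python
"""Preflight check for the TLS directives in a slapd.conf.

Added example; not code from this thread or from OpenLDAP. Everything in
demo() is constructed: the current user stands in for the ldap user, the
directories live under a temp dir, and the PEM bodies are placeholders.
"""
import os
import stat
import tempfile

TLS_FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile",
                       "TLSCertificateKeyFile")


def parse_tls_directives(conf_text):
    """Return {directive: value} for the TLS* lines of a slapd.conf."""
    out = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            out[parts[0]] = parts[1].strip().strip('"')
    return out


def readable_by(path, uid, gids):
    """Approximate the kernel's read-permission check for uid/gids (root always passes)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def key_is_encrypted(path):
    """True for PEM keys slapd cannot load without a passphrase
    ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY")."""
    with open(path, "rb") as fh:
        return b"ENCRYPTED" in fh.read(512)


def check_tls_config(conf_text, uid, gids):
    """Return a list of problem strings; an empty list means the file checks pass."""
    problems = []
    d = parse_tls_directives(conf_text)
    for name in TLS_FILE_DIRECTIVES:
        path = d.get(name)
        if path is None:
            problems.append(f"{name} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{name}: {path} does not exist")
        elif not readable_by(path, uid, gids):
            problems.append(f"{name}: {path} is not readable by uid {uid}")
    key = d.get("TLSCertificateKeyFile")
    if key and os.path.isfile(key):
        if key_is_encrypted(key):
            problems.append("private key is passphrase-protected (re-create it with -nodes)")
        if os.stat(key).st_mode & stat.S_IROTH:
            problems.append("private key is world-readable")
    suite = d.get("TLSCipherSuite", "")
    if any(tok.lstrip("+") == "SSLv2" for tok in suite.split(":")):
        problems.append("TLSCipherSuite enables SSLv2")
    return problems


# Constructed PEM placeholders: enough for the header checks, not real key material.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----\n"
FAKE_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-256-CBC,00\n\nMIIEfake\n-----END RSA PRIVATE KEY-----\n")


def _write(path, text, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Run the check over three constructed layouts; returns {case: problems}."""
    uid, gids = os.getuid(), set(os.getgroups())  # stand-in for the ldap user
    results = {}
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "etc", "openldap2.4", "cacerts")
        _write(os.path.join(good, "cacert.pem"), FAKE_CERT, 0o644)
        _write(os.path.join(good, "slapd-cert.pem"), FAKE_CERT, 0o644)
        _write(os.path.join(good, "slapd-key.pem"), FAKE_KEY, 0o600)
        _write(os.path.join(good, "slapd-key-enc.pem"), FAKE_ENC_KEY, 0o644)

        def conf(certdir, key="slapd-key.pem", suite="HIGH:MEDIUM:+SSLv2"):
            return (f"TLSCipherSuite {suite}\n"
                    f"TLSCACertificateFile {certdir}/cacert.pem\n"
                    f"TLSCertificateFile {certdir}/slapd-cert.pem\n"
                    f"TLSCertificateKeyFile {certdir}/{key}\n")

        # slapd.conf points at .../openldap while the files live in .../openldap2.4
        wrong = os.path.join(root, "etc", "openldap", "cacerts")
        results["wrong_dir"] = check_tls_config(conf(wrong), uid, gids)
        # right directory, but an encrypted, world-readable key and SSLv2 still enabled
        results["bad_key"] = check_tls_config(conf(good, key="slapd-key-enc.pem"), uid, gids)
        # corrected configuration
        results["fixed"] = check_tls_config(conf(good, suite="HIGH:MEDIUM"), uid, gids)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "OK")
```

The check only reports what the filesystem and the PEM headers reveal; it does not prove that the certificate and key belong together or that the chain validates, which is what `slapd -d -1` (or `openssl x509`/`openssl rsa` on the files) is still needed for. Run it as the user slapd is started with (`-u ldap`), otherwise the permission result is meaningless.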
2011/8/4 Dan White dwhite@olp.net:
On 04/08/11 19:53 +0530, Naga Chaitanya Palle wrote:
I am trying to configure TLS for my LDAP server. After successfully creating the files below, I try to start the LDAP server and it fails.
/etc/openldap/cacerts/cacert.pem
/etc/openldap/cacerts/slapd-cert.pem
/etc/openldap/cacerts/slapd-key.pem
The log shows the messages below:
main: TLS init def ctx failed: -1
slapd stopped.
connections_destroy: nothing to destroy.
What command line options are you passing to slapd? What version? What SSL library is your slapd linked against?
Do you get any helpful information while starting slapd in debug mode ('-d -1')?
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
Try removing this line; if I'm not mistaken it's in OpenSSL syntax, while OpenLDAP is (usually) compiled against GnuTLS, which uses a different syntax. Also, SSLv2 is generally not considered secure, so unless you have some apps that can't do SSLv3 or better (TLSv1 == SSLv3.1) you should turn SSLv2 off.
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
Does your openldap user/group have read access to all three files? Does commenting out your 'TLSCipherSuite' option make any difference?
Are your certs self-signed or from a CA? Did you make sure that the private key (and the other certs too?) is not stored encrypted (the -nodes switch in openssl)?
database bdb
suffix "dc=comverse-in,dc=com"
rootdn "cn=Manager,dc=comverse-in,dc=com"
rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr
You may want to change your password, since you have posted the hash (and also your domain). It is now possible to start brute forcing the hash (or use rainbow tables), and since the domain where this hash was used is known (and at least the LDAP username), that is a big security leak.
Other than that, version info and debug info (as Dan asks) are always good to provide when you have a question.
Regards,
Eli
/etc/openldap/ldap.conf:
BASE dc=comverse-in,dc=com
URI ldaps://devonly144.comverse-in.com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
/etc/ldap.conf:
base dc=comverse-in,dc=com
uri ldaps://devonly144.comverse-in.com
ssl on
-- Dan White
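To make concrete why a posted rootpw hash is a leak, here is an added example (not code from this thread or from OpenLDAP) of the {SSHA} scheme slappasswd produces by default: base64( SHA-1(password || salt) || salt ), with a 4-byte salt appended in the clear. Anyone holding the string can verify guesses offline at the cost of one SHA-1 each, with no bind attempts against the server and nothing in its logs. The password, salt and wordlist below are constructed; the hash from the post is not used.

```python
"""Offline attack on a {SSHA} userPassword/rootpw hash (added example).

Not code from this thread or from OpenLDAP. {SSHA} = "{SSHA}" +
base64( SHA-1(password || salt) || salt ). The salt travels with the hash,
so whoever has the string can test candidates locally. The demo password,
salt and wordlist are made up.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Produce a {SSHA} string the way slappasswd -h {SSHA} does (4-byte salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} string (constant-time digest compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    guess = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(guess, digest)


def crack_ssha(stored, wordlist):
    """Dictionary attack: every guess is one SHA-1, no server involved."""
    for candidate in wordlist:
        if ssha_verify(candidate, stored):
            return candidate
    return None


# Constructed demo values: a weak made-up password and a fixed salt so the run is reproducible.
DEMO_SALT = bytes.fromhex("0badc0de")
DEMO_HASH = ssha_hash("manager123", DEMO_SALT)
DEMO_WORDLIST = ["secret", "Manager", "ldapadmin", "manager123", "zimbra"]


def demo():
    """Return (hash, recovered password) to show the attack succeeding."""
    return DEMO_HASH, crack_ssha(DEMO_HASH, DEMO_WORDLIST)


if __name__ == "__main__":
    h, p = demo()
    print(h, "->", p)
```

The per-hash salt means precomputed tables built for unsalted SHA-1 do not apply directly, but it does nothing against a dictionary or brute-force run at SHA-1 speed, which is why rotating the password (and, for anything that matters, using a slower scheme such as {CRYPT} with a modern crypt(3) algorithm) is the right response once the hash is public.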
--On Thursday, August 04, 2011 7:46 PM +0300 "E.S. Rosenberg" esr+openldap@g.jct.ac.il wrote:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
Try removing this line, if I'm not mistaken it's according to openssl syntax while openldap is (usually) compiled against gnu-tls which uses a different syntax.
Only Debian/Ubuntu link against GnuTLS AFAIK. Most distributions link against OpenSSL. RH is starting to link against MozNSS.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
Hi,
The command line options for slapd are:
/usr/sbin/slapd2.4 -u ldap -g ldap -l LOCAL4 -s 0 -h "ldap:/// ldaps:///"
I tried with -d -1 and I could get the reason for the failure. The location of the certificates was wrong: it should have been /etc/openldap2.4 instead of /etc/openldap.
Thanks, Naga Chaitanya
-----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Thursday, August 04, 2011 9:04 PM To: Naga Chaitanya Palle Cc: openldap-technical@openldap.org Subject: Re: TLS issue