Thanks Rosenberg for your suggestions.
The issue was with a wrong path mentioned for the certificate files.
Even without commenting out the TLSCipherSuite HIGH:MEDIUM:+SSLv2 line, I could also start slapd.
-----Original Message-----
From: E.S. Rosenberg [mailto:esr@g.jct.ac.il]
Sent: Thursday, August 04, 2011 10:06 PM
To: Naga Chaitanya Palle
Cc: openldap-technical(a)openldap.org
Subject: Re: TLS issue
2011/8/4 Naga Chaitanya Palle <Naga.Chaitanya(a)aricent.com>:
> Hi,
> I am trying to configure TLS for my LDAP server.
> After successfully creating the below files, I try to start the LDAP server
> and it fails.
> /etc/openldap/cacerts/cacert.pem
> /etc/openldap/cacerts/slapd-cert.pem
> /etc/openldap/cacerts/slapd-key.pem
> The log shows the below messages:
> main: TLS init def ctx failed: -1
> slapd stopped.
> connections_destroy: nothing to destry.
> slapd.conf
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
Try removing this line; if I'm not mistaken it's according to OpenSSL
syntax, while OpenLDAP is (usually) compiled against GnuTLS, which uses
a different syntax.
Also, SSLv2 is generally not considered secure, so unless you have some
apps that can't do SSLv3 or better (TLSv1 == SSLv3.1) you should turn
SSLv2 off.
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
Are your certs self-signed or from a CA?
Did you make sure that the private key cert (and the other certs too?)
are not stored encrypted (-nodes switch in openssl)?
> database bdb
> suffix "dc=comverse-in,dc=com"
> rootdn "cn=Manager,dc=comverse-in,dc=com"
> rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr
You may want to change your password since you have posted the hash
(and also your domain): it is now possible to start brute forcing the
hash (or use rainbow tables), and since the domain where this hash was
used is known (and at least the LDAP username), that is a big security
leak.
Other than that, version info and debug info (as Dan asks) are always
good to provide when you have a question.
Regards,
Eli
> /etc/openldap/ldap.conf
> BASE dc=comverse-in,dc=com
> URI ldaps://devonly144.comverse-in.com
> TLS_CACERT /etc/openldap/cacerts/cacert.pem
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> /etc/ldap.conf
> base dc=comverse-in,dc=com
> uri ldaps://devonly144.comverse-in.com
> ssl on
> Thanks and Regards,
> Naga Chaitanya
===============================================================================
Please refer to
http://www.aricent.com/legal/email_disclaimer.html
for important disclosures regarding this electronic communication.
===============================================================================
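As an added example (not from the thread, and not OpenLDAP's own code), a small pre-flight check for the slapd.conf TLS directives discussed above: it reports a certificate path that does not exist (the root cause found here), a passphrase-protected key (the -nodes question) and a TLSCipherSuite that enables SSLv2. The PEM files, directory and the mistyped path in `demo()` are constructed placeholders.

```python
import os
import tempfile

TLS_FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")

def parse_tls_directives(conf_text):
    """Map each TLS* directive in slapd.conf text to its value; comment lines are skipped."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            found[parts[0]] = parts[1].strip().strip('"')
    return found

def check_tls_config(conf_text):
    """Return the problems found; an empty list means the TLS directives look usable."""
    problems = []
    directives = parse_tls_directives(conf_text)
    for name in TLS_FILE_DIRECTIVES:
        path = directives.get(name)
        if path is None:
            problems.append(f"{name} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{name}: {path} does not exist")  # the thread's actual root cause
    key = directives.get("TLSCertificateKeyFile")
    if key and os.path.isfile(key):
        with open(key) as fh:
            pem = fh.read()
        # Both "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY" headers mean a
        # passphrase-protected key, which slapd cannot unlock because it never prompts for one.
        if "ENCRYPTED" in pem:
            problems.append(f"TLSCertificateKeyFile: {key} is passphrase-protected (use -nodes)")
    if "SSLv2" in directives.get("TLSCipherSuite", ""):
        problems.append("TLSCipherSuite enables SSLv2, which is not considered secure")
    return problems

def demo():
    """Run the checks on constructed files: a mistyped cert path and a passphrase-protected key."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("cacert.pem", "slapd-cert.pem"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        with open(os.path.join(d, "slapd-key.pem"), "w") as fh:  # constructed encrypted key
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n-----END RSA PRIVATE KEY-----\n")
        conf = ("TLSCipherSuite HIGH:MEDIUM:+SSLv2\n"
                f"TLSCACertificateFile {d}/cacert.pem\n"
                f"TLSCertificateFile {d}/slapd_cert.pem\n"  # wrong file name, as in the thread
                f"TLSCertificateKeyFile {d}/slapd-key.pem\n")
        return check_tls_config(conf)
```

Running `demo()` yields three findings; on a real host, point `check_tls_config` at the contents of /etc/openldap/slapd.conf and also confirm the files are readable by the user slapd runs as.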