
Problems with openldap2.1.4 and TLS/SSL



Dear Sirs,

I've installed openldap-2.1.4, openssl-0.9.6g and db-4.0.14 on a Debian woody.

If I run the following commands I get these errors:

mydebian:/home/ra# /usr/local/libexec/slapd -h "ldap:/// ldaps:///"

mydebian:/home/ra# ldapsearch -H ldap://localhost -p 389 -x -b "" -s base -LLL -ZZ
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


mydebian:/home/ra# ldapsearch -H ldaps://localhost -p 636 -x -b "" -s base -LLL
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


I found this in the syslog:
Sep 23 21:18:40 mydebian slapd[654]: daemon: conn=3 fd=10 connection from IP=127.0.0.1:1634 (IP=0.0.0.0:389) accepted.
Sep 23 21:18:45 mydebian slapd[654]: connection_read(10): checking for input on id=4
Sep 23 21:18:45 mydebian slapd[654]: connection_read(10): TLS accept error error=-1 id=4, closing
Sep 23 21:18:45 mydebian slapd[654]: connection_closing: readying conn=4 sd=10 for close


I have read the TLS/SSL section of the FAQ, but nothing helps. Please help me!

Now I will describe how I installed my system.

I installed the Berkeley DB with the following options:
../dist/configure --enable-shared --enable-cxx

I added the line /usr/local/BerkeleyDB.4.0/lib to /etc/ld.so.conf, then ran ldconfig.

I installed OpenSSL:
./configure shared --prefix=/usr --openssldir=/usr/lib/ssl

I installed OpenLDAP:
CPPFLAGS="-I/usr/local/BerkeleyDB.4.0/include" LDFLAGS="-L/usr/local/Berkeley.4.0/lib"
./configure --with-wrappers --disable-ipv6 --enable-debug --enable-syslog --without-cyrus-sasl
--without-kerberos --with-tls --enable-bdb --enable-ldbm



I created the certificate with the following command:

openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365

Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
.................................................++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:GRAZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*localhost*
Email Address []:stefan.wurzinger@greengecko.org


------------------------------- my slapd.conf ------------------------------------------------------
include /usr/local/etc/openldap/schema/core.schema


pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#debug modes
loglevel -1

#TLS/SSL
TLSCertificateFile      /usr/local/etc/openldap/server.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/server.pem
TLSCACertificateFile    /usr/local/etc/openldap/server.pem

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "dc=localhost"
rootdn          "cn=Admin,dc=localhost"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

#####
#ACCESS CONTROLL
#####
#read access for everyone
access to * by * read

access to attr=userPassword
         by self write
         by anonymous auth
         by dn="cn=Admin,dc=localhost" write
         by * none

access to *
by self write
by dn="Admin,dc=localhost"
by * read
---------------------------------- end slapd.conf ----------------------------------


---------------------------------- my ldap.conf ------------------------------------
HOST 127.0.0.1
BASE dc=localhost
SSL yes
---------------------------------- end ldap.conf ------------------------------------


Please help me.

Yours faithfully,

Stefan

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Stefan Ignaz Wurzinger ~ stefan.wurzinger@greengecko.org ~
~ www.greengecko.org     ~ Project Groupe of Students      ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
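Both errors quoted above (error:14090086, SSL3_GET_SERVER_CERTIFICATE:certificate verify failed) are raised by the client while checking the server's certificate, and the ldap.conf in the message gives the client no trust anchor: "SSL yes" is not an OpenLDAP ldap.conf keyword, and no TLS_CACERT line is present. The script below is an added example, not code from the original message or from the OpenLDAP project. It reproduces that failure and the fix with openssl(1) alone, with no slapd involved: a self-signed certificate whose CN is exactly "localhost" is generated, verified once without and once with itself as the CA file, and an ldap.conf carrying TLS_CACERT is written. It assumes a reasonably modern openssl in PATH; the working directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the client-side
# half of "certificate verify failed" with openssl(1) alone and shows the
# fix: give the client a trust anchor. Assumes a reasonably modern openssl
# in PATH; the directory and file names below are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed server certificate whose CN is exactly the host name the
# client will connect to ("localhost"). Key and certificate go to separate
# files so that neither write clobbers the other.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=AT/L=GRAZ/CN=localhost" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1 || return 1
    # slapd accepts one PEM file holding both key and certificate, as the
    # post's slapd.conf uses; it holds a private key, so keep it mode 600.
    cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/server.pem"
    chmod 600 "$WORK/server.key" "$WORK/server.pem"
}

# openssl verify prints "<file>: OK" only when a chain to a trusted root is
# found; its exit code differs across openssl versions, so test the output.
verifies() {
    openssl verify "$@" 2>&1 | grep -q ': OK$'
}

# With no trust anchor configured, a self-signed certificate cannot be
# verified. This is the situation of an ldap.conf without TLS_CACERT: the
# client reports error 14090086 "certificate verify failed". Returns 0 when
# verification fails, as expected here.
verify_without_ca() {
    ! verifies "$WORK/server.crt"
}

# Pointing the client at the server's own certificate as CA file (what
# TLS_CACERT should name) makes the same certificate verify.
verify_with_ca() {
    verifies -CAfile "$WORK/server.crt" "$WORK/server.crt"
}

# The subject CN, which OpenLDAP compares with the host name given in -H.
cert_cn() {
    openssl x509 -in "$WORK/server.crt" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Client configuration that actually carries a trust anchor. "SSL yes" is
# not an OpenLDAP ldap.conf keyword; the TLS_* directives are.
write_ldap_conf() {
    cat > "$WORK/ldap.conf" <<EOF
HOST 127.0.0.1
BASE dc=localhost
TLS_CACERT $WORK/server.pem
TLS_REQCERT demand
EOF
}

# Stand-alone run: report what each step found.
gen_cert && echo "generated $WORK/server.pem (CN=$(cert_cn))"
verify_without_ca && echo "without a CA file: verification fails (expected)"
verify_with_ca && echo "with the CA file: verification succeeds"
write_ldap_conf && cat "$WORK/ldap.conf"
```

On the real system the same check is "openssl s_client -connect localhost:636 -CAfile /usr/local/etc/openldap/server.pem", which should print "Verify return code: 0 (ok)"; with TLS_CACERT in ldap.conf pointing at that file, "ldapsearch -H ldap://localhost -x -b '' -s base -ZZ" then has a trust anchor to verify against. TLS_REQCERT demand is the default and is spelled out only so that nobody is tempted to "fix" the error by setting it to never.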