Problems with openldap2.1.4 and TLS/SSL
Dear Sirs,
I've installed openldap-2.1.4, openssl-0.9.6g and db-4.0.14 on a Debian woody.
If I run the following commands I get these errors:
mydebian:/home/ra# /usr/local/libexec/slapd -h "ldap:/// ldaps:///"
mydebian:/home/ra# ldapsearch -H ldap://localhost -p 389 -x -b "" -s base -LLL -ZZ
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
mydebian:/home/ra# ldapsearch -H ldaps://localhost -p 636 -x -b "" -s base -LLL
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I found this in the syslog:
Sep 23 21:18:40 mydebian slapd[654]: daemon: conn=3 fd=10 connection from IP=127.0.0.1:1634 (IP=0.0.0.0:389) accepted.
Sep 23 21:18:45 mydebian slapd[654]: connection_read(10): checking for input on id=4
Sep 23 21:18:45 mydebian slapd[654]: connection_read(10): TLS accept error error=-1 id=4, closing
Sep 23 21:18:45 mydebian slapd[654]: connection_closing: readying conn=4 sd=10 for close
I have read the TLS/SSL section of the FAQ, but nothing helps. Please help me!
Now I will describe how I installed my system.
I installed the BerkeleyDB with the following options:
../dist/configure --enable-shared --enable-cxx
I added the line /usr/local/BerkeleyDB.4.0/lib to /etc/ld.so.conf, then I ran ldconfig.
I installed openssl:
./configure shared --prefix=/usr --openssldir=/usr/lib/ssl
I installed openldap:
CPPFLAGS="-I/usr/local/BerkeleyDB.4.0/include" \
LDFLAGS="-L/usr/local/Berkeley.4.0/lib" \
./configure --with-wrappers --disable-ipv6 --enable-debug \
  --enable-syslog --without-cyrus-sasl \
  --without-kerberos --with-tls --enable-bdb --enable-ldbm
I've created the certificate with the following arguments:
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
.................................................++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:GRAZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*localhost*
Email Address []:stefan.wurzinger@greengecko.org
------------------------------- my slapd.conf ------------------------------------------------------
include /usr/local/etc/openldap/schema/core.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#debug modes
loglevel -1
#TLS/SSL
TLSCertificateFile /usr/local/etc/openldap/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/server.pem
TLSCACertificateFile /usr/local/etc/openldap/server.pem
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=localhost"
rootdn "cn=Admin,dc=localhost"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#####
#ACCESS CONTROL
#####
#read access for everyone
access to * by * read
access to attr=userPassword
by self write
by anonymous auth
by dn="cn=Admin,dc=localhost" write
by * none
access to *
by self write
by dn="Admin,dc=localhost"
by * read
---------------------------------- end slapd.conf ----------------------------------
---------------------------------- my ldap.conf ------------------------------------
HOST 127.0.0.1
BASE dc=localhost
SSL yes
---------------------------------- end ldap.conf ------------------------------------
Please help me.
Yours faithfully,
Stefan
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Stefan Ignaz Wurzinger ~ stefan.wurzinger@greengecko.org ~
~ www.greengecko.org ~ Project Groupe of Students ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
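Both ldapsearch failures above are the client rejecting the server certificate before the handshake completes. As an added diagnostic (not part of the original post or of OpenLDAP), the script below repeats the two checks a TLS client makes, using the openssl command line: can the certificate be chained to a CA file the client trusts (for a self-signed certificate that file must contain the certificate itself; on the client side this is what the ldap.conf TLS_CACERT directive points at), and does its CN equal the host name the client connects to. The function names and the CLIENT_CA_FILE argument are assumptions of this example.

```shell
# Added diagnostic (not from the original post or from OpenLDAP): the two checks
# a TLS client makes on a server certificate, done with the openssl CLI.
# Usage: check_server_cert SERVER_PEM CLIENT_CA_FILE HOSTNAME
# SERVER_PEM may hold key and certificate together, like the post's server.pem.

# Print only the CERTIFICATE block(s) of a PEM file (openssl verify wants
# a certificate, not the private key stored in front of it).
pem_certificate() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 } p { print } /-----END CERTIFICATE-----/ { p = 0 }' "$1"
}

# Bare subject CN of the certificate in FILE (empty if the subject has none).
cert_cn() {
  pem_certificate "$1" | openssl x509 -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit status: 0 both checks pass, 1 chain not trusted, 2 name mismatch,
# 3 both failed, 4 no certificate found in SERVER_PEM.
check_server_cert() {
  server=$1 ca=$2 host=$3
  tmp=$(mktemp) || return 4
  pem_certificate "$server" > "$tmp"
  if [ ! -s "$tmp" ]; then
    echo "no CERTIFICATE block found in $server" >&2
    rm -f "$tmp"; return 4
  fi
  # Chain check: the client accepts the certificate only if it can be
  # chained to something in its CA file; a self-signed certificate passes
  # only when that very certificate is in the file.
  result=$(openssl verify -CAfile "$ca" "$tmp" 2>&1) || true
  rm -f "$tmp"
  status=0
  case $result in
    *": OK"*) echo "chain: OK (trusted via $ca)" ;;
    *) echo "chain: FAILED, a client would report 'certificate verify failed'"
       echo "$result" | sed 's/^/       /'
       status=1 ;;
  esac
  # Name check: the CN must equal the host name the client connects to.
  cn=$(cert_cn "$server")
  if [ "$cn" = "$host" ]; then
    echo "name:  OK (CN=$cn)"
  else
    echo "name:  MISMATCH (CN='$cn' but connecting to '$host')"
    status=$((status + 2))
  fi
  return "$status"
}
if [ $# -eq 3 ]; then check_server_cert "$@"; fi
```

Run it as `sh check.sh server.pem server.pem localhost` to test a self-signed certificate against itself; a chain FAILED line with any other CA file reproduces the condition the ldapsearch output reports.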