[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: trouble configure TLS in LDAP



Hi,

Thomas <mubis@gmx.de> writes:

> Hi @all,
>
> I've some trouble running TLS with LDAP:
>
> At first I created on my Linux LDAP-Server a Certificate Authority with
> CA.pl -newca
> with the certification cacert.pem
> The result of a check with 'CA.pl -verify cacert.pem' is 'OK'
>
> After that I created a server certificate for my LDAP-Server with
> CA.pl -newcert     -> newreq.pem
> and signed it with the Cerificate Authority
> CA.pl -signcert    -> newcert.pem
> The result of a check with 'CA.pl -verify newcert.pem' is 'OK'
>
> In a 3rd step I deleted the password in newreq.pem with
> openssl rsa -in newreq.pem -out ldapkey.pem
> Here is the first error when I try a check with
> 'CA.pl -verify ldapkey.pem' it says:
> 'unable to load certificate
> 18032:error:0906D06C:PEM routines:PEM_read_bio:no start 
> line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE'

You probabely got mixed up with your CA?

> I made a chmod 777 on the keys, no influence. Has anyone an idea what I'm 
> doing wrong ?
>
>
> I also changed my slapd.conf with the entries:
> TLSCertificateFile    /etc/openldap/newcert.pem
> TLSCertificateKeyFile /etc/openldap/ldapkey.pem
> TLSCACertificateFile /etc/openldap/cacert.pem
>
> After restarting slapd a 'openssl s_client -connect localhost:389 -showcerts' 
> results in:
> 'CONNECTED(00000003)
> 18034:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
> failure:s23_lib.c:226:'

Try to start ./slapd -h "ldap:/// ldaps:///" and connect s_client to
localhost:636

openssl is not aware of the ldap_start_tls function.
>
> Any help would be appreciated,
> does someone know a good Link for a 'cookbook' for TLS with LDAP ?

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

-Dieter
(mea culpa)

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de