Re: Error when starting Openldap
On Tue, 7 Dec 2004, David Damon wrote:
> Platform: IBM Mainframe S/390
> OpenLDAP: OpenLDAP2 2.2.6
That's a really old version ...
> DB: BerkeleyDB 4.2.52
> Security: Heimdal 0.6.1rc3
> SASL: Cyrus-SASL 2.1.18
> SSL: OpenSSL 0.9.7d
>
> Here is the problem:
> I am trying to use TLS with OpenLDAP. I generated a key and
> certificate ( yes with an FQDN for the certificate request ) and pointed
> the slapd.conf TLS entries to the key and certificate. When I start up
> OpenLDAP it shuts down and I get this error in the logs: main: TLS init
> def ctx failed: -1. I googled for this error and only hit on main: TLS init
> def ctx failed: 0 which is not the error I'm getting. Any ideas out there?
> Thank you in advance.
That error code doesn't tell you a whole lot from my experience. Start
slapd with the '-d -1' option and look for OpenSSL errors in the log. They
can be a little cryptic but might give a hint. A common mistake is to
forget to configure the location of the certs.
I've found that OpenLDAP is a bit strict about certificates; it might not
like self-signed certs. We created a fake CA and issue all of our server
certs based off of it, and list the CA cert explicitly. You may also need
to rip the encryption off.
# TLS configuration
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/currentcert.pem
TLSCertificateKeyFile /etc/openldap/currentkey.pem
TLSCACertificateFile /etc/openldap/demoCA/cacert.pem
TLSVerifyClient never
Our basic cert creation procedure (using the OpenSSL CA tool and an
existing CA):
ksh CA.sh -newreq
openssl rsa -in newreq.pem -out newkey.pem
ksh CA.sh -sign
copy new*pem to target system (keeping the req around can come in handy
later).
--
Doug White | FreeBSD: The Power to Serve
dwhite@gumbysoft.com | www.FreeBSD.org
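The advice above boils down to a few file-level checks: slapd must be able to read the files the TLS* directives point at, the key must not be passphrase-protected (slapd cannot prompt for one at startup), and the CA cert should be listed explicitly. The following pre-flight script is an added example written for this thread, not code from the original message or from OpenLDAP; it parses the TLS directives out of a slapd.conf, classifies each referenced PEM file by its header, and reports anything that would make "TLS init def ctx failed" likely. The sample slapd.conf text mirrors the directives posted above; the file contents are constructed stand-ins (headers only, no real key material) so the script runs offline.

```python
"""Pre-flight check of slapd.conf TLS directives.

Added example for the thread above; not OpenLDAP code. Runs against an
in-memory sample by default, or against a real slapd.conf when given a path.
"""
import sys
from typing import Callable, Dict, List

# Directive -> kind of PEM object it is expected to reference.
EXPECTED_KIND = {
    "TLSCertificateFile": "cert",
    "TLSCertificateKeyFile": "key",
    "TLSCACertificateFile": "cert",
}
# Protocol tokens that should never appear in a cipher suite string today.
WEAK_PROTOCOL_TOKENS = ("SSLv2", "SSLv3")


def parse_tls_directives(conf_text: str) -> Dict[str, str]:
    """Return {directive: value} for every TLS* line; later lines override earlier ones."""
    directives: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            directives[parts[0]] = parts[1].strip()
    return directives


def classify_pem(data: str) -> str:
    """Classify PEM text by its headers: 'cert', 'key', 'encrypted-key' or 'unknown'.

    Both the traditional "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
    "BEGIN ENCRYPTED PRIVATE KEY" marker contain the word ENCRYPTED.
    """
    if "ENCRYPTED" in data:
        return "encrypted-key"
    if "-----BEGIN CERTIFICATE-----" in data:
        return "cert"
    if "PRIVATE KEY-----" in data:
        return "key"
    return "unknown"


def check_tls_config(conf_text: str, read_file: Callable[[str], str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings: List[str] = []
    directives = parse_tls_directives(conf_text)
    for directive, want in EXPECTED_KIND.items():
        path = directives.get(directive)
        if path is None:
            if directive != "TLSCACertificateFile":  # CA file is optional, cert and key are not
                findings.append(f"{directive} not set")
            continue
        try:
            data = read_file(path)
        except OSError:
            findings.append(f"{directive}: cannot read {path}")
            continue
        kind = classify_pem(data)
        if kind == "encrypted-key":
            findings.append(f"{directive}: {path} is passphrase-protected; slapd cannot prompt for a passphrase")
        elif kind != want:
            findings.append(f"{directive}: {path} does not look like a {want} (found {kind})")
    suite = directives.get("TLSCipherSuite", "")
    for token in WEAK_PROTOCOL_TOKENS:
        if token in suite:  # also matches the "+SSLv2" form used in the thread
            findings.append(f"TLSCipherSuite enables {token}; remove it")
    return findings


# Constructed sample: the directives from the thread plus stand-in file contents.
SAMPLE_CONF = """\
# TLS configuration
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/currentcert.pem
TLSCertificateKeyFile /etc/openldap/currentkey.pem
TLSCACertificateFile /etc/openldap/demoCA/cacert.pem
TLSVerifyClient never
"""
SAMPLE_FILES = {
    "/etc/openldap/currentcert.pem":
        "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n",
    # Key still carries the passphrase, i.e. the "openssl rsa" step was skipped.
    "/etc/openldap/currentkey.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n(constructed)\n-----END RSA PRIVATE KEY-----\n",
    # CA cert path deliberately absent: the "forgot where the certs are" case.
}


def sample_reader(path: str) -> str:
    """File reader over the constructed in-memory files."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


def demo() -> List[str]:
    """Run the checks against the constructed sample."""
    return check_tls_config(SAMPLE_CONF, sample_reader)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real slapd.conf given on the command line
        with open(sys.argv[1]) as fh:
            results = check_tls_config(fh.read(), lambda p: open(p).read())
    else:
        results = demo()
    print("\n".join(results) or "no TLS configuration problems found")
```

Run it with the path to a slapd.conf as the only argument; with no argument it checks the constructed sample and reports the encrypted key, the unreadable CA file and the SSLv2 token. It deliberately stops at header inspection, so it will not catch a key that does not match the certificate; for that, slapd -d -1 as suggested above remains the place to look.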