[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP starts, but...





--On Wednesday, March 16, 2005 1:26 AM -0300 Pupeno <pupeno@pupeno.com> wrote:

(And, before you
add TLSCipherSuite/TLS_CIPHER_SUITE back into to your OpenLDAP
configuration, you test with -cipher first.)
I wouldn't know what set of ciphers to use, I've tried the ones defined
by  Apache (which works) and several examples from the internet. Nothing
works.

And, if that doesn't help, example other settings.  You
should be able to translate your s_client/s_server success
to ldapsearch/slapd success.  There is a direct relationship
between s_client/s_server options and ldapsearch/slapd
configuration options.
Well, in that case, I could say that the defaults work for
s_client/s_server  and not for ldapsearch/slapd.


After getting a login to pupeno's system, and doing a ton of debugging, I started looking closely at the client cert output, and compared it to my client cert output. After several comparisons, I finally noticed that Pupeno's cert was created with a key that used DSA encryption, whereas my cert was created with a key using RSA encryption. I noticed that the cacert.org CA cert was also created with a key using RSA encryption. I then had Pupeno create a new key with RSA encryption, and then order a new cert from cacert.org. The new cert/key combo worked immediately.

So, avoid DSA for your key generation is the lesson here I think.

--Quanah


-- Quanah Gibson-Mount Principal Software Developer ITSS/Shared Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin