Re: OpenLDAP starts, but...

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Wednesday, March 16, 2005 1:26 AM -0300 Pupeno <pupeno@pupeno.com> 
wrote:

> > (And, before you
> > add TLSCipherSuite/TLS_CIPHER_SUITE back into to your OpenLDAP
> > configuration, you test with -cipher first.)
> I wouldn't know what set of ciphers to use, I've tried the ones defined
> by  Apache (which works) and several examples from the internet. Nothing
> works.
>
> > And, if that doesn't help, example other settings.  You
> > should be able to translate your s_client/s_server success
> > to ldapsearch/slapd success.  There is a direct relationship
> > between s_client/s_server options and ldapsearch/slapd
> > configuration options.
> Well, in that case, I could say that the defaults work for
> s_client/s_server  and not for ldapsearch/slapd.


After getting a login to pupeno's system, and doing a ton of debugging, I 
started looking closely at the client cert output, and compared it to my 
client cert output.  After several comparisons, I finally noticed that 
Pupeno's cert was created with a key that used DSA encryption, whereas my 
cert was created with a key using RSA encryption.  I noticed that the 
cacert.org CA cert was also created with a key using RSA encryption.  I 
then had Pupeno create a new key with RSA encryption, and then order a new 
cert from cacert.org.  The new cert/key combo worked immediately.

So, avoid DSA for your key generation is the lesson here I think.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin