
Re: problem starting SSL/TLS





--On Friday, March 10, 2006 8:10 AM -0500 Karen R McArthur <kmcarthu@bates.edu> wrote:

> I have openldap-2.2.13-4 running on redhat ES4.  I am able to start and
> use my ldap server with no problems until I try to start SSL/TLS.  I
> uncomment the lines in slapd.conf for TLS:


The first thing to do is dump RedHat's OpenLDAP.
The second thing to do is either get OpenLDAP 2.2.30 and build it yourself (and understand that OpenLDAP 2.2 is a historic release), or go and get OpenLDAP 2.3.20, which is the current stable release.


RedHat is notorious for doing a very poor job of packaging OpenLDAP, and keeping releases around that are extremely old. 2.2.13 is quite old at this point, and had numerous bugs that were fixed in the next 17 releases.

There are also at least 2 DoS vulnerabilities in that release of OpenLDAP.

> # Certificate entries:
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCACertificateFile /etc/openldap/cacert.pem
> TLSCertificateFile /etc/openldap/server_cert.pem
> TLSCertificateKeyFile /etc/openldap/server_cert.pem
> TLSVerifyClient never

> Then, my ldap server does not start.  I receive the following errors in
> /var/log/messages:
>
> Mar 10 07:51:07 a7470 slapd[32557]: sql_select option missing
> Mar 10 07:51:07 a7470 slapd[32557]: auxpropfunc error no mechanism available


If you make yourself be the user "ldap" can you verify that you can read the pem files?


I note that you are using Kerberos. Will you be doing this for all your authorized connections? Note that SASL/GSSAPI already includes doing encryption on the wire, which you can enforce in your ACLs. If that is the case, then there's generally little purpose in also using TLS to encrypt the connection.


This is a really large idletimeout setting... I set mine to 30 seconds.


> # Certificate entries:
> # TLSCipherSuite HIGH:MEDIUM:+SSLv3
> # TLSCACertificateFile /etc/openldap/cacert.pem
> # TLSCertificateFile /etc/openldap/server_cert.pem
> # TLSCertificateKeyFile /etc/openldap/server_cert.pem
> # TLSVerifyClient never


Does it work without the TLSCipherSuite command?

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
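The check Quanah suggests above (become the "ldap" user and confirm the PEM files are readable) can be scripted so it is repeatable and does not need a root shell for su/sudo. The script below is an added example, not code from the thread or from the OpenLDAP project: it pulls every active TLS*File directive out of a slapd.conf (commented-out lines, as in the second copy of the config above, are skipped), and for each file decides from the owner/group/mode bits whether the given account could read it. The function names readable_by and check_tls_files are hypothetical, and it assumes GNU coreutils (stat -c, id -G) as found on a RedHat host; it deliberately ignores root's permission override and POSIX ACLs, because the question is what a non-root slapd would see.

```shell
#!/bin/sh
# Added example (not from the thread): check that the files named by the
# TLS*File directives in a slapd.conf are readable by the account slapd
# runs as, judged from owner/group/mode bits only (no su/sudo needed).
# Assumes GNU coreutils `stat -c` and `id -G`; function names are hypothetical.

# readable_by FILE USER: succeed if USER can read FILE according to the
# permission bits (root's override and POSIX ACLs are ignored on purpose).
readable_by() {
    file=$1
    user=$2
    uid=$(id -u "$user" 2>/dev/null) || return 1
    info=$(stat -c '%a %u %g' "$file" 2>/dev/null) || return 1
    set -- $info
    mode=$1
    owner=$2
    group=$3
    # %a prints octal digits; take the user/group/other digits and ignore a
    # leading setuid/setgid/sticky digit if one is present.
    u=$(( (mode / 100) % 10 ))
    g=$(( (mode / 10) % 10 ))
    o=$(( mode % 10 ))
    if [ "$owner" = "$uid" ]; then
        [ $((u & 4)) -ne 0 ]
        return $?
    fi
    # not the owner: does any of USER's groups own the file?
    for gid in $(id -G "$user" 2>/dev/null); do
        if [ "$gid" = "$group" ]; then
            [ $((g & 4)) -ne 0 ]
            return $?
        fi
    done
    [ $((o & 4)) -ne 0 ]
}

# check_tls_files SLAPD_CONF USER: print one line per active TLS*File
# directive (lines starting with '#' are skipped) and return 1 if any
# referenced file is missing or unreadable by USER.
check_tls_files() {
    conf=$1
    user=$2
    rc=0
    for path in $(sed -n \
        's/^[[:space:]]*TLS[A-Za-z]*File[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf"); do
        if readable_by "$path" "$user"; then
            printf 'ok          %s\n' "$path"
        else
            printf 'UNREADABLE  %s (user %s)\n' "$path" "$user"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_tls_files.sh /etc/openldap/slapd.conf ldap
if [ $# -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

Run it against the real slapd.conf with the account from the slapd init script (on that RedHat package, "ldap"). A private key file that is only readable by root, or a PEM file in a directory the ldap user cannot traverse, shows up as UNREADABLE before slapd is restarted, which is the cheapest explanation to rule out when slapd fails to start as soon as the TLS directives are enabled.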