On Tue, Jan 23, 2007 at 09:57:02PM +0100, Iñaki wrote:
> Hi, this is my first post to the list.
>
> I get an error when trying to run slapd with TLS options. I've looked a lot
> and sincerely don't know what I'm doing wrong.
>
> I use Debian Sarge.
>
> These are the steps I follow to create and configure the TLS certificate:
>
>
> 1) Create a directory ssl:
> #> mkdir /etc/ldap/ssl
> #> cd /etc/ldap/ssl
>
>
> 2) Generate a private/public key:
> #> /usr/lib/ssl/misc/CA.pl -newreq
> Generating a 1024 bit RSA private key
> .++++++
> ...................................++++++
> writing new private key to 'newreq.pem'
> Enter PEM pass phrase: *****
> Verifying - Enter PEM pass phrase: *****
> Country Name (2 letter code) [AU]:ES
> State or Province Name (full name) [Some-State]:Vizcaya
> Locality Name (eg, city) []:Barakaldo
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.net
> Organizational Unit Name (eg, section) []:debian
> Common Name (eg, YOUR name) []:debian.domain.net
> Email Address []:ibc@domain.net
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> Request (and private key) is in newreq.pem
>
>
> 3) Remove the password from the unique "newreq.pem" created:
> #> openssl rsa -in newreq.pem -out key.pem
> Enter pass phrase for newreq.pem: *****
> writing RSA key
>
>
> 4) Edit the certificate to remove the key and rename:
> #> vi newreq.pem
> [...]
> #> mv newreq.pem cert.pem

Don't you need to sign it here?

> 5) Change permissions for the key:
> #> chmod 600 key.pem
>
>
> 6) Now I have the certificate and the key:
> #> ls -l
> -rw-r--r-- 1 root root 708 2007-01-23 21:35 cert.pem
> -rw------- 1 root root 887 2007-01-23 21:35 key.pem
>
>
> 7) Configure slapd.conf:
> ----------------
> TLSCipherSuite HIGH
> TLSCertificateFile /etc/ldap/ssl/cert.pem
> TLSCertificateKeyFile /etc/ldap/ssl/key.pem
> ----------------
>
>
> 8) Save and restart slapd:
> #> /etc/init.d/slapd restart
> Stopping OpenLDAP: slurpd slapd.
> Starting OpenLDAP: running BDB recovery, slapd - failed.
> The operation failed but no output was produced. For hints on what went
> wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
> try running the daemon in Debug mode like via "slapd -d 16383" (warning:
> this will create copious output).
>
>
> 9) The syslog says:
> Jan 23 21:38:20 debian slapd[2339]: @(#) $OpenLDAP: slapd 2.2.23 (May 30 2005 08:52:42) $
> ^I@pulsar:/home/torsten/packages/openldap/openldap2.2-2.2.23/debian/build/servers/slapd
> Jan 23 21:38:20 debian slapd[2339]: bdb_db_init: Initializing BDB database
> Jan 23 21:38:20 debian slapd[2339]: main: TLS init def ctx failed: -1
> Jan 23 21:38:20 debian slapd[2339]: slapd stopped.
> Jan 23 21:38:20 debian slapd[2339]: connections_destroy: nothing to destroy.

Can you tell me what happens when you run

    openssl x509 -in /etc/ldap/ssl/cert.pem -noout -text

and, if this works,

    openssl rsa -in /etc/ldap/ssl/key.pem -noout -text

> Could you tell me why this error occurs? I've read in many sites about those
> exact steps to configure TLS in OpenLDAP but it doesn't work for me.
>
> Thanks in advance for any help.
> Regards.
>
>
> --
> Iñaki Baz Castillo
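As an added example (not from this thread or from the OpenLDAP project), the following POSIX shell script checks the two files the way slapd's TLS context setup effectively does at start-up, then replays the posted steps: with newreq.pem merely renamed to cert.pem, the check fails because the file holds a certificate request rather than a certificate; after the request is signed (here self-signed, as the simplest case) it passes. It assumes the openssl command-line tool is installed; the subject name and scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that the files named by
# TLSCertificateFile / TLSCertificateKeyFile are what slapd expects: an X.509
# certificate (not the certificate request CA.pl -newreq writes) and the
# matching, unencrypted private key. Needs the openssl command-line tool.

# pem_kind FILE: list the PEM object types in FILE ("csr", "cert", "key")
# from their BEGIN markers alone; no openssl needed for this part.
pem_kind() {
    f="$1"; out=""
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$f" && out="${out}csr "
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" && out="${out}cert "
    grep -Eq -- '-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----' "$f" && out="${out}key "
    printf '%s\n' "${out% }"
}

# slapd_tls_check CERT KEY: the conditions slapd needs at start-up;
# prints a reason on stderr and returns 1 on the first failure.
slapd_tls_check() {
    cert="$1"; key="$2"
    case " $(pem_kind "$cert") " in
        *" cert "*) ;;
        *) echo "$cert: no certificate in file (an unsigned CSR is not a certificate)" >&2
           return 1 ;;
    esac
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "$cert: openssl cannot parse it as an X.509 certificate" >&2; return 1; }
    # slapd cannot prompt for a pass phrase, so the key must load with an empty one
    openssl rsa -in "$key" -noout -passin pass: >/dev/null 2>&1 \
        || { echo "$key: not a loadable unencrypted RSA key" >&2; return 1; }
    # the key must belong to the certificate: compare the RSA moduli
    [ "$(openssl x509 -in "$cert" -noout -modulus)" = "$(openssl rsa -in "$key" -noout -modulus)" ] \
        || { echo "certificate and key do not match" >&2; return 1; }
    return 0
}

# demo: replay the posted steps in a scratch directory with a constructed
# subject. First the CSR is renamed to cert.pem (step 4 as posted), then the
# CSR is actually signed. Prints one verdict line per attempt.
demo() {
    d=$(mktemp -d)
    # step 2 equivalent: CSR plus key, unencrypted (-nodes) so step 3 is unnecessary
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
        -keyout "$d/key.pem" -out "$d/newreq.pem" >/dev/null 2>&1
    cp "$d/newreq.pem" "$d/cert.pem"    # step 4 as posted: rename only, no signing
    if slapd_tls_check "$d/cert.pem" "$d/key.pem" 2>/dev/null; then
        echo "CSR renamed to cert.pem: accepted"
    else
        echo "CSR renamed to cert.pem: rejected"
    fi
    # the missing step: turn the request into a (self-signed) certificate
    openssl x509 -req -in "$d/newreq.pem" -signkey "$d/key.pem" -days 365 \
        -out "$d/cert.pem" >/dev/null 2>&1
    if slapd_tls_check "$d/cert.pem" "$d/key.pem" 2>/dev/null; then
        echo "Self-signed certificate: accepted"
    else
        echo "Self-signed certificate: rejected"
    fi
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo" >&2
fi
```

In a real deployment the request would be sent to a CA (for instance CA.pl -sign with a CA created by CA.pl -newca) instead of being self-signed, but the check is the same: cert.pem must parse with `openssl x509`, key.pem must parse with `openssl rsa` without a pass phrase, and the two moduli must agree. Running `slapd_tls_check /etc/ldap/ssl/cert.pem /etc/ldap/ssl/key.pem` on the box in the thread would report the CSR-instead-of-certificate problem directly rather than the bare "TLS init def ctx failed: -1" from syslog.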