
Re: OpenLDAP/TLS main: TLS init def ctx failed: -207



On Sunday, 25 January 2009 19:05, Technical Home wrote:
> Hello,
>
> I am now trying to add SSL/TLS support to my OpenLDAP server 2.4.11.
> So I created a CA and a certificate signed by this CA. This part
> seems to be OK:
>
> ------------------------------------------------------------------------
> root@SERVER:~# openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/SERVER.crt
> /etc/ssl/certs/SERVER.crt: OK
> ------------------------------------------------------------------------
>
> And I added it to my slapd configuration with the following commands,
> as specified in the Ubuntu documentation
> (https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-configuration)
>
> ------------------------------------------------------------------------
> root@SERVER:~# ldapmodify -x -D cn=admin,cn=config -W
> Enter LDAP Password:
> dn: cn=config
> add: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
> -
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
> -
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem
>
> modifying entry "cn=config"
> ------------------------------------------------------------------------
>
> But when restarting slapd, I always obtain this output :
> ------------------------------------------------------------------------
> root@SERVER:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
> @(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
> 	buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
> main: TLS init def ctx failed: -207
> slapd stopped.
> connections_destroy: nothing to destroy.
> ------------------------------------------------------------------------
>
> I searched all Sunday long for what this "main: TLS init def ctx
> failed: -207" could be, but I was not able to find what causes it. In
> the openssl file ssl.h, code 207 refers to the macro "#define
> SSL_F_SSL_VERIFY_CERT_CHAIN 207". It seems to mean that it (slapd or
> openssl?) can't verify my certificate chain, but I just verified my
> certificate with the openssl command, which said it is OK. I'm lost.
> Can you help me?
Maybe,

try

 ldd $(which slapd)

You may see that slapd is built with gnutls and not openssl :-)

You have two different solutions to fix this:

1. Use the tool certtool from gnutls in the package gnutls-bin. The doc is
in gnutls-doc, or use the doc from the qemu/kvm packages and look there
for vnc.

2. Create a copy of /etc/ssl/certs/cacert.pem and reorder your
certificates. gnutls expects just the opposite order from openssl :-(


>
> Thanks in advance,
> Regards,
> Gilles

-- 

Regards
	Harry Jede
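The checks discussed in this thread, as an added example that is not code from the thread, from OpenLDAP or from the Ubuntu guide: which TLS library the slapd binary is linked against (the ldd test above), whether the server certificate verifies against the CA file, the order in which certificates sit in a PEM bundle, and whether the key file actually belongs to the certificate file. That last check is worth running against the configuration quoted above, which pairs /etc/ssl/certs/SERVER.crt with /etc/ssl/private/cakey.pem: whichever library slapd uses, olcTLSCertificateKeyFile has to be the private key of olcTLSCertificateFile. The script assumes only that openssl is in PATH; it builds a throwaway CA and server certificate in a temp directory as constructed stand-ins for cacert.pem, cakey.pem and SERVER.crt, and the hostname ldap.example.test and all function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for an OpenLDAP TLS
# setup. Needs only openssl; the CA and server cert are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Classify ldd output fed on stdin: gnutls, openssl, or unknown.
tls_lib_from_ldd() {
    out=$(cat)
    case "$out" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo unknown ;;
    esac
}

# Which TLS library is the installed slapd built against?
# Prints "unknown" when no slapd is on the PATH.
slapd_tls_lib() {
    bin=$(command -v slapd 2>/dev/null) || { echo unknown; return 0; }
    ldd "$bin" | tls_lib_from_ldd
}

# Does the private key file belong to the certificate file? Compares the
# public key derived from each side, so it works for RSA and EC keys.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate verify against the CA file? Checks the "<file>: OK"
# line rather than the exit status, which old openssl releases did not set.
verify_chain() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the subject of each certificate in a PEM bundle, first to last.
bundle_order() {
    d=$(mktemp -d "$WORK/split.XXXXXX")
    awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n > 0 {print > (dir "/cert" sprintf("%02d", n) ".pem")}' "$1"
    for f in "$d"/cert*.pem; do
        openssl x509 -noout -subject -in "$f"
    done
    rm -rf "$d"
}

# Constructed stand-ins for the thread's cacert.pem / cakey.pem / SERVER.crt.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
    # A bundle with the leaf certificate first, then its issuer.
    cat "$WORK/server.crt" "$WORK/cacert.pem" > "$WORK/chain.pem"
}

make_test_pki
echo "slapd TLS library: $(slapd_tls_lib)"
verify_chain "$WORK/cacert.pem" "$WORK/server.crt" && \
    echo "chain: server.crt verifies against cacert.pem"
if cert_key_match "$WORK/server.crt" "$WORK/server.key"; then
    echo "key:   server.key belongs to server.crt"
fi
if ! cert_key_match "$WORK/server.crt" "$WORK/cakey.pem"; then
    echo "key:   cakey.pem does NOT belong to server.crt (wrong olcTLSCertificateKeyFile)"
fi
echo "chain.pem order:"
bundle_order "$WORK/chain.pem"
```

To check a real deployment, point verify_chain, cert_key_match and bundle_order at the paths you put into olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile instead of the generated files; a mismatch reported by cert_key_match or a verification failure will stop slapd at TLS initialisation regardless of which library it was built against, so clear those before reordering anything.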