Hello,
I now try to add SSL/TLS support to my OpenLDAP server 2.4.11 .
So I create a CA and a signed certificate by this CA. This point
seems to be ok :
---------------------------------------------------------------------
----------------------------------------------------------------------
----------- root@SERVER:~# openssl verify -CAfile
/etc/ssl/certs/cacert.pem /etc/ssl/certs/SERVER.crt
/etc/ssl/certs/SERVER.crt: OK
---------------------------------------------------------------------
----------------------------------------------------------------------
-----------
And i add it to my slapd configuration with following commands as
specified in the ubuntu documentation
(https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#open
ldap-configuration)
---------------------------------------------------------------------
----------------------------------------------------------------------
----------- root@SERVER:~# ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem
modifying entry "cn=config"
---------------------------------------------------------------------
----------------------------------------------------------------------
-----------
But when restarting slapd, I always obtain this output :
---------------------------------------------------------------------
----------------------------------------------------------------------
----------- root@SERVER:~# slapd -h 'ldap://127.0.0.1:389
ldaps://192.168.1.200:636' -g openldap -u openldap -F
/etc/ldap/slapd.d/ -d 16383
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slap
d main: TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.
---------------------------------------------------------------------
----------------------------------------------------------------------
-----------
I search all my sunday long what could be this "main: TLS init def
ctx failed: -207" but I was not able to find what causes it. In
openssl file ssl.h, 207 code refers to the macro "#define
SSL_F_SSL_VERIFY_CERT_CHAIN 207". It seems to
mean that it (slapd or openssl ?) can't verify my certificate string,
but I just verified before my certificate with the openssl command
which told it is OK. I'm lost. Can you help me ?