openldap tls with a ca
Hello,
I'm trying to set up OpenLDAP for network authentication of both FreeBSD
and Linux machines as well as integrating a Samba PDC. I've created a CA
with instructions found at:
http://sial.org/howto/openssl/ca/
I've added the appropriate options to slapd.conf for TLS, as I don't want
passwords going around in the clear. Slapd starts fine with the TLS options
added, but if I do an ldapsearch -Z I get a "can not contact ldap server".
ldapsearch:
# extended LDIF
#
# LDAPv3
# base <dc=davemehler,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required
# numResponses: 1
I assume this is normal, but the below is what I'm getting with
ldapsearch -Z
ldapsearch -Z:
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)
Here are the TLS options I'm using:
slapd.conf:
security ssf=128
TLSCipherSuite HIGH
TLSCertificateFile /usr/local/etc/openldap/tls/ldap.davemehler.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/tls/ldap.davemehler.com.key
TLSCACertificateFile /usr/local/etc/openldap/tls/ca-cert.pem
#TLSDHParamFile
I'm not sure what that last file is or how to make it; is it critical?
/usr/local/etc/ldap.conf:
ssl start_tls
tls_cacert /usr/local/etc/openldap/tls/ca-cert.pem
Checking /var/log/debug.log I'm seeing an error "confidentiality required", as
if ldap can't read the key, but as I said it's mode 644. Here's the complete
transaction:
Jan 27 15:20:04 ldap slapd[73647]: conn=6 fd=10 ACCEPT from IP=192.168.0.203:51704 (IP=0.0.0.0:389)
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=0 BIND dn="" method=128
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=0 RESULT tag=97 err=0 text=
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=1 SRCH base="dc=davemehler,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=confidentiality required
Jan 27 15:20:04 ldap slapd[73647]: conn=6 fd=10 closed (connection lost)
Any help appreciated.
Thanks.
Dave.
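Added here as a worked example (not part of Dave's post, and not OpenLDAP code): a small parser over the slapd log format quoted above that reports, per connection, whether TLS was established before any BIND or search, which is what "security ssf=128" enforces when it answers err=13 "confidentiality required". The conn=6 lines are the ones from the post; the conn=7 lines are constructed to show what a connection that negotiated STARTTLS first looks like, using slapd's standard "STARTTLS" and "TLS established tls_ssf=... ssf=..." messages.

```python
import re

# conn=6 is the failing transaction quoted in the post; conn=7 is a constructed
# contrast that negotiates STARTTLS before binding (not in the original log).
SAMPLE_LOG = """\
Jan 27 15:20:04 ldap slapd[73647]: conn=6 fd=10 ACCEPT from IP=192.168.0.203:51704 (IP=0.0.0.0:389)
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=0 BIND dn="" method=128
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=0 RESULT tag=97 err=0 text=
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=1 SRCH base="dc=davemehler,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=confidentiality required
Jan 27 15:20:04 ldap slapd[73647]: conn=6 fd=10 closed (connection lost)
Jan 27 15:21:10 ldap slapd[73647]: conn=7 fd=11 ACCEPT from IP=192.168.0.204:40122 (IP=0.0.0.0:389)
Jan 27 15:21:10 ldap slapd[73647]: conn=7 op=0 STARTTLS
Jan 27 15:21:10 ldap slapd[73647]: conn=7 op=0 RESULT oid= err=0 text=
Jan 27 15:21:10 ldap slapd[73647]: conn=7 fd=11 TLS established tls_ssf=256 ssf=256
Jan 27 15:21:10 ldap slapd[73647]: conn=7 op=1 BIND dn="" method=128
Jan 27 15:21:10 ldap slapd[73647]: conn=7 op=1 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
OP_RE = re.compile(r"op=\d+ (BIND|SRCH|MOD|ADD|DEL)\b")

def analyze(log_text):
    """Per-connection: peer IP, TLS state and SSF, ops run before TLS, err=13 seen."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group(1)), m.group(2)
        c = conns.setdefault(cid, {"peer": None, "tls": False, "ssf": 0,
                                   "cleartext_ops": [], "err13": False})
        if a := ACCEPT_RE.search(rest):
            c["peer"] = a.group(1)
        elif t := TLS_RE.search(rest):
            c["tls"], c["ssf"] = True, int(t.group(2))   # negotiated session strength
        elif re.search(r"\berr=13\b", rest):
            c["err13"] = True   # confidentialityRequired: op refused below the SSF floor
        elif (op := OP_RE.match(rest)) and not c["tls"]:
            c["cleartext_ops"].append(op.group(1))   # ran before any TLS was up
    return conns

def cleartext_connections(log_text, min_ssf=128):
    """Connection IDs that issued operations without reaching min_ssf."""
    return sorted(cid for cid, c in analyze(log_text).items()
                  if c["cleartext_ops"] and c["ssf"] < min_ssf)
```

Run against a real slapd log (loglevel stats) it lists the client addresses that are still talking in the clear, which is the view from the server side of the failure above: the BIND and SRCH on conn=6 arrive before any STARTTLS, so slapd refuses them.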