Dying LDAP process and TLS
- To: openldap-technical@openldap.org
- Subject: Dying LDAP process and TLS
- From: Florian Götz <f.goetz@hs-mannheim.de>
- Date: Fri, 24 Jul 2009 15:26:21 +0200
- Content-disposition: inline
- Organization: Hochschule Mannheim
- User-agent: KMail/1.11.2 (Linux/2.6.28-13-generic; KDE/4.2.2; i686; ; )
Hello everybody,
I've got two serious problems with my LDAP; maybe you have a hint for them.
Problem 1 might be connected to number 2, but I'm not sure.
I use OpenLDAP 2.4.12 on a SLES11 system. The initscript to start/stop the
service, called "rcldap", knows 3 states: unused, running and dead.
When I start up the LDAP it's in state running. After about 10-15 min the
LDAP doesn't respond anymore and an "rcldap status" tells me that the service
is dead. I have no clue why it behaves this way. The logs tell me that the
backup system fetches some data, and then the log ends without any further
notice. The pid file still exists, but the process is gone.
Problem 2 has to do with TLS.
I have the CA of our (sub)company, a certificate for the LDAP machine and the
associated private key file.
The certificate chain is:
Deutsche Telekom Root CA -> Company CA -> Subcompany CA -> Certificate of LDAP
machine. The certificate for the ldap machine seems to be generated with/by the
Company CA.
If I put these files into the slapd config with:
TLSCACertificateFile /etc/openldap/certs/SubcompanyCA.pem
TLSCertificateFile /etc/openldap/certs/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/certs/ldapprivkey.pem
TLSVerifyClient demand
and the following lines in the /etc/ldap.conf:
TLS_CACERT /etc/openldap/certs/SubcompanyCA.pem
TLS_REQCERT demand
it crashes at the TLS certificate verification, because it can't get the local
issuer certificate.
If I use the Company CA in both places instead of the Subcompany CA, it
fails too.
If I mix them, with the SubcompanyCA in slapd.conf and the CompanyCA in
ldap.conf, the certificate verification succeeds, but I get a
TLS trace: SSL3 alert read:fatal:handshake failure
I don't know how to handle that problem.
--
Best regards,
Florian Götz
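The four-level chain described in the post, rebuilt with throwaway certificates as an added example (not the poster's files or OpenLDAP's own code) to show which CA bundle lets openssl build a complete chain for the server certificate, which is what TLSCACertificateFile and TLS_CACERT have to provide. All names and paths are constructed, and the script assumes an OpenSSL 1.1.1 or newer CLI on PATH:

```sh
#!/bin/sh
# Added example (constructed certificates, not the poster's real CA material):
# rebuild the chain shape from the post and check which CA bundle lets
# openssl build a complete chain for the server certificate.
# Assumes an OpenSSL 1.1.1 or newer CLI on PATH.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

# sign_cert NAME SUBJECT ISSUER EXTFILE: fresh key + CSR, signed by ISSUER's key
sign_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" \
    -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -extfile "$4" -days 1 -out "$1.pem" 2>/dev/null
}

# Same four-level chain as in the post: Root -> Company -> Subcompany -> server
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -days 1 \
  -subj '/CN=Toy Root CA' -out root.pem 2>/dev/null
sign_cert company '/CN=Toy Company CA' root ca.ext
sign_cert subcompany '/CN=Toy Subcompany CA' company ca.ext
sign_cert ldapcert '/CN=ldap.example.test' subcompany leaf.ext

# Candidate files for TLSCACertificateFile (slapd.conf) / TLS_CACERT (ldap.conf)
cp subcompany.pem bundle-sub-only.pem
cp company.pem bundle-company-only.pem
cat subcompany.pem company.pem root.pem > bundle-full-chain.pem

# verify_with BUNDLE CERT: returns 0 when CERT chains up to a self-signed root
# using only the CAs in BUNDLE; otherwise prints the verifier's reason, returns 1
verify_with() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo "$1: OK"
  else
    echo "$1: $(echo "$out" | grep -o 'unable to get[a-z ]*' | head -n1)"
    return 1
  fi
}

for b in bundle-sub-only.pem bundle-company-only.pem bundle-full-chain.pem; do
  verify_with "$b" ldapcert.pem || true
done
# bundle-sub-only.pem: unable to get issuer certificate
# bundle-company-only.pem: unable to get local issuer certificate
# bundle-full-chain.pem: OK
```

The two failure strings are worth telling apart: "unable to get local issuer certificate" means the server certificate's own issuer is not in the bundle at all, while "unable to get issuer certificate" means an intermediate was found but the bundle does not continue up to a self-signed root.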