
Dying LDAP process and TLS



Hello everybody,

I've got two serious problems with my LDAP; maybe you have a hint for me.

Problem 1 might be connected to no. 2, but I'm not sure.
I use OpenLDAP 2.4.12 on a SLES11 system. The initscript to start/stop the 
service, called "rcldap", knows 3 states: unused, running and dead.

When I start up the LDAP it's in state running. After about 10-15 min the 
LDAP doesn't respond anymore and a "rcldap status" tells me that the service 
is dead. I have no clue why it behaves this way. The logs tell me that the 
backup system fetches some data, and then the log ends without any further 
notice. The pid file still exists, but the process is gone.


Problem 2 has to do with TLS.
I got the CA of our (sub)company, a certificate for the ldap-machine and the 
associated private key file.
The certificate chain is:
Deutsche Telekom Root CA -> Company CA -> Subcompany CA -> Certificate of LDAP 
machine. The certificate for the ldap machine seems to be generated with/by the 
Company CA.

If I put these files into the slapd config with:

TLSCACertificateFile    /etc/openldap/certs/SubcompanyCA.pem
TLSCertificateFile        /etc/openldap/certs/ldapcert.pem
TLSCertificateKeyFile   /etc/openldap/certs/ldapprivkey.pem
TLSVerifyClient         demand

and the following lines in the /etc/ldap.conf:

TLS_CACERT /etc/openldap/certs/SubcompanyCA.pem
TLS_REQCERT demand

it crashes at the TLS certificate verification, because it can't get the local 
issuer certificate.

If I use the Company CA in both places instead of the Subcompany CA, it's 
failing too.
If I mix it up with the SubcompanyCA in the slapd.conf and the CompanyCA in 
the ldap.conf, the certificate verification succeeds, but I get a
TLS trace: SSL3 alert read:fatal:handshake failure


I don't know how to handle that problem.


-- 
Best regards,
Florian Götz
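Added example (editor's note, not part of the post above and not OpenLDAP code): the "unable to get local issuer certificate" error described in problem 2 is what OpenSSL reports when the CA file handed to it does not contain the certificate that actually signed the server certificate, or contains that issuer but not the rest of the chain up to a self-signed root. The script below builds a constructed four-level test chain with the same shape as the one in the post (a root, a Company CA, a Subcompany CA, and a host certificate issued by the Company CA) and runs `openssl verify` against three candidate CA bundles, so the effect of each choice can be seen locally before anything is put into slapd.conf or ldap.conf. Every DN, file name and hostname here (Test Root CA, Company CA, Subcompany CA, ldap.example.test) is made up for the demonstration; `who_issued` and `verify_with` are helper names defined in the script, not OpenSSL or OpenLDAP options.

```shell
#!/bin/sh
# Constructed demonstration of CA-bundle selection for chain verification.
# Not from the original post; all names and paths are invented.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal, self-contained OpenSSL config so the result does not depend on
# the system openssl.cnf. The DN section is overridden by -subj below.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.test
EOF

# issue_cert NAME ISSUER EXTSECTION SUBJECT
# Generates a key and CSR for NAME and has ISSUER sign it.
issue_cert() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$4" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 365 -extfile req.cnf -extensions "$3" >/dev/null 2>&1
}

# Root -> Company CA -> Subcompany CA, with the host cert issued by Company CA
# (the situation described in the post).
build_chain() {
  openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Test Root CA" -days 365 >/dev/null 2>&1
  issue_cert company    root    ca_ext   "/CN=Company CA"
  issue_cert subcompany company ca_ext   "/CN=Subcompany CA"
  issue_cert ldap       company leaf_ext "/CN=ldap.example.test"
}

# who_issued CERT: prints the issuer DN of CERT. Compare it with
# "openssl x509 -noout -subject" of each candidate CA file to find the real issuer.
who_issued() { openssl x509 -in "$1" -noout -issuer; }

# verify_with BUNDLE: succeeds only if OpenSSL can build a chain from ldap.pem
# to a self-signed root using nothing but the certificates in BUNDLE.
verify_with() { openssl verify -no-CApath -CAfile "$1" ldap.pem >/dev/null 2>&1; }

build_chain
who_issued ldap.pem

# A working bundle holds the leaf's actual issuer AND everything above it.
cat root.pem company.pem > bundle.pem
for f in subcompany.pem company.pem bundle.pem; do
  if verify_with "$f"; then echo "$f: chain OK"; else echo "$f: chain INCOMPLETE"; fi
done
```

Only `bundle.pem` verifies: `subcompany.pem` is not the issuer of the host certificate at all, and `company.pem` alone is the issuer but leaves the chain dangling without a self-signed root. For a running server the same check can be made from the client side with `openssl s_client -connect host:636 -CAfile bundle.pem`, whose output also shows the certificates the server actually sends; with `TLSVerifyClient demand` in slapd.conf, bear in mind that the server will additionally require the client to present a certificate it trusts, so a plain `ldapsearch` without a client certificate will not complete the handshake even when the server chain is correct.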
