Re: Slapd, GNUTLS on Debian/Squeeze
On Fri, May 20 2011 at 01:04:52 +0200, Buchan Milne wrote:
> On Friday, 20 May 2011 11:50:05 David Dumortier wrote:
> > Hi everybody,
> >
> > I try to setup a slapd with TLS.
>
> Do you mean START_TLS on ldap://, or ldaps:// ? I don't think you can test
> START_TLS on ldap:// with gnutls-cli-debug.
ldaps:///
netstat -lataupe :
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 0 264360 29866/slapd
[...]
> With what command-line arguments/options (specifically, what values provided
> to -h option)?
cat /etc/default/slapd :
SLAPD_SERVICES="ldapi:/// ldaps:///"
>
> > but when I try a debug I have :
> > # gnutls-cli-debug -p 636 myip
> > Checking for TLS 1.1 support... no
> > Checking fallback from TLS 1.1 to... failed
> > Checking for TLS 1.0 support... no
> > Checking for SSL 3.0 support... no
> >
> > Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
>
> Before doing this, did you verify that slapd is actually listening for ldaps
> on port 636?
>
> I suspect you are running ldap:// on port 636.
ldapsearch -W -H ldap://myip:636/
ldap_result: Can't contact LDAP server (-1)
ldapsearch -W -H ldaps://myip/
TLS: can't connect: Error in the push function..
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldapsearch -ZZW -H ldaps://myip/
TLS: can't connect: Error in the push function..
ldap_start_tls: Can't contact LDAP server (-1)
additional info: Error in the push function.
>
> > Here is my slapd conf :
> > olcTLSVerifyClient: demand
> > olcTLSCertificateFile: /etc/ldap/ssl/mycsr.csr
> > olcTLSCertificateKeyFile: /etc/ldap/ssl/mykey.key
>
>
> Regards,
> Buchan
--
David Dumortier
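Added example, not part of this thread or of OpenLDAP: a POSIX shell checker for the files that the olcTLSCertificateFile and olcTLSCertificateKeyFile attributes shown above point to. It reads the attribute values out of a config fragment, then inspects the first PEM header of each file and reports whether the "certificate" is actually an X.509 certificate, a certificate signing request (the thread's config names a .csr file there), or something else, and whether the key file holds a private key. It also notes the effect of olcTLSVerifyClient: demand, which rejects any client that presents no certificate. The sample files and LDIF fragments are constructed here with dummy PEM bodies; only the headers are inspected, and no real key material is involved.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check slapd TLS file settings.

pem_type() {
    # Print the label of the first PEM block in a file (CERTIFICATE,
    # CERTIFICATE REQUEST, RSA PRIVATE KEY, ...); empty if none or unreadable.
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" 2>/dev/null | head -n 1
}

check_tls_config() {
    # $1: path to an LDIF-style fragment containing olcTLS* attribute lines.
    # Returns 0 when the certificate and key files look usable, 1 otherwise.
    conf=$1
    cert=$(sed -n 's/^olcTLSCertificateFile: *//p' "$conf" | head -n 1)
    key=$(sed -n 's/^olcTLSCertificateKeyFile: *//p' "$conf" | head -n 1)
    verify=$(sed -n 's/^olcTLSVerifyClient: *//p' "$conf" | head -n 1)
    rc=0
    case "$(pem_type "$cert")" in
        CERTIFICATE)
            echo "ok: $cert is an X.509 certificate" ;;
        "CERTIFICATE REQUEST")
            echo "error: $cert is a certificate signing request, not a signed certificate"
            rc=1 ;;
        *)
            echo "error: $cert is missing, unreadable, or has no CERTIFICATE block"
            rc=1 ;;
    esac
    case "$(pem_type "$key")" in
        *"PRIVATE KEY")
            echo "ok: $key is a private key" ;;
        *)
            echo "error: $key is missing, unreadable, or has no PRIVATE KEY block"
            rc=1 ;;
    esac
    # Informational: with "demand", slapd closes the session of any client
    # that presents no certificate, so plain test clients will not get through.
    [ "$verify" = "demand" ] && echo "note: olcTLSVerifyClient is demand; clients without a certificate are rejected"
    return $rc
}

make_samples() {
    # Constructed sample files: dummy PEM bodies, only the headers matter here.
    d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'ZHVtbXk=' '-----END CERTIFICATE REQUEST-----' > "$d/mycsr.csr"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZHVtbXk=' '-----END CERTIFICATE-----' > "$d/mycert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'ZHVtbXk=' '-----END RSA PRIVATE KEY-----' > "$d/mykey.key"
    # bad.ldif mirrors the thread's config: the certificate attribute names the CSR.
    printf 'olcTLSVerifyClient: demand\nolcTLSCertificateFile: %s\nolcTLSCertificateKeyFile: %s\n' \
        "$d/mycsr.csr" "$d/mykey.key" > "$d/bad.ldif"
    # good.ldif points the same attribute at a signed certificate instead.
    printf 'olcTLSVerifyClient: demand\nolcTLSCertificateFile: %s\nolcTLSCertificateKeyFile: %s\n' \
        "$d/mycert.pem" "$d/mykey.key" > "$d/good.ldif"
}

dir=$(mktemp -d)
make_samples "$dir"
check_tls_config "$dir/bad.ldif" || echo "bad.ldif: slapd could not complete a TLS handshake with these files"
check_tls_config "$dir/good.ldif" && echo "good.ldif: file types look right"
rm -rf "$dir"
```

Run it as root (or as the user slapd runs as, so that read permissions are tested too) against the output of `slapcat -n 0` or a saved copy of the olcTLS* lines. The checker only looks at PEM headers; it does not confirm that the certificate and key actually belong together, which is a separate check worth doing with openssl before restarting slapd.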