[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS issue

To: Dan White <dwhite@olp.net>
Subject: RE: TLS issue
From: Naga Chaitanya Palle <Naga.Chaitanya@aricent.com>
Date: Fri, 5 Aug 2011 13:06:50 +0530
Accept-language: en-US
Acceptlanguage: en-US
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Content-language: en-US
In-reply-to: <20110804153333.GA4642@dan.olp.net>
References: <4A4577058A416A4B979BCD934AD213D018033A@GUREXMB02.ASIAN.AD.ARICENT.COM> <20110804153333.GA4642@dan.olp.net>
Thread-index: AcxSu+I0165LLsOrSFO4mRE3IODEgQAhZt6w
Thread-topic: TLS issue

Hi,

The command line options for slapd are
/usr/sbin/slapd2.4 -u ldap -g ldap -l LOCAL4 -s 0 -h "ldap:/// ldaps:///"

I tried with -d -1 and I could get the reason for failure.
The location of the certificates was wrong.
It should have been /etc/openldap2.4 instead of /etc/openldap

Thanks,
Naga Chaitanya

-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Thursday, August 04, 2011 9:04 PM
To: Naga Chaitanya Palle
Cc: openldap-technical@openldap.org
Subject: Re: TLS issue

On 04/08/11 19:53 +0530, Naga Chaitanya Palle wrote:
>I am trying to configure tls for my ldap server.
>After successfully creating the below files, I try to start the ldap server and it fails.
>
>/etc/openldap/cacerts/cacert.pem
>/etc/openldap/cacerts/slapd-cert.pem
>/etc/openldap/cacerts/slapd-key.pem
>
>The log shows the below messages
>
>main: TLS init def ctx failed: -1
>slapd stopped.
>connections_destroy: nothing to destry.

What command line options are you passing to slapd? What version? What ssl
library is your slapd linked against?

Do you get any helping information while starting slapd in debug mode '-d
-1'?

>Slapd.conf
>
>TLSCipherSuite HIGH:MEDIUM:+SSLv2
>TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
>TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
>TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem

Does your openldap user/group have read access to all three files?
Does commenting out your 'TLSCipherSuite' option make any difference?

>database         bdb
>suffix   "dc=comverse-in,dc=com"
>rootdn   "cn=Manager,dc=comverse-in,dc=com"
>rootpw   {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr
>
>/etc/openldap/ldap.conf
>BASE     dc=comverse-in,dc=com
>URI ldaps://devonly144.comverse-in.com
>
>TLS_CACERT    /etc/openldap/cacerts/cacert.pem
>TLS_CACERTDIR /etc/openldap/cacerts
>TLS_REQCERT     allow
>
>/etc/ldap.conf
>base     dc=comverse-in,dc=com
>uri ldaps://devonly144.comverse-in.com
>ssl on

--
Dan White

===============================================================================
Please refer to http://www.aricent.com/legal/email_disclaimer.html
for important disclosures regarding this electronic communication.
===============================================================================

References:
- TLS issue
  - From: Naga Chaitanya Palle <Naga.Chaitanya@aricent.com>
- Re: TLS issue
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: TLS issue
Next by Date: RE: TLS issue
Index(es):
- Chronological
- Thread