Having issue with openldap with TLS as a AD proxy



Hello everyone, I hope I'm at the right place for this kind of question; please tell me if I'm wrong.

 

I just installed openldap as a proxy for AD.

The proxy itself works fine; I have made a few ldapsearch queries and got the results I was expecting.

 

Now I want to add TLS to it for security reasons.

 

I'm using openldap 2.4.42 on Ubuntu 16.04.1 LTS; unfortunately it's built with GnuTLS, which I don't know much about.

I would have preferred it to be built with OpenSSL.

 

So I'm trying to make TLS work, and I added these to slapd.conf:

 

TLSCipherSuite HIGH:!NULL
TLSCACertificateFile  /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile    /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient never
security ssf=128

 

I also used certtool (the GnuTLS tool) to validate my certificates.

I can verify my certificate_chain.cer.pem.gnutls with certtool, so the file itself is okay:

 

certtool -e --infile certificate_chain.cer.pem.gnutls
Loaded 2 certificates, 1 CAs and 0 CRLs

        Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.

 

I can also verify the whole chain if I make a file containing the 3 certs (CA, intermediate and server):

 

certtool -e --infile full_chain.pem --verify-hostname p01ldp5001.services.local --verify-purpose 1.3.6.1.5.5.7.3.1
Loaded 3 certificates, 1 CAs and 0 CRLs

        Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Output: Verified. The certificate is trusted.

        Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
        Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Checked against: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.

 

Yet when I try to start the server I get this error:

 

main: TLS init def ctx failed: -1

 

Can someone help me with this?

 

 

Patrick Ouellet
Linux Administrator, Operations, VPSI
Groupe Promutuel
2000, boulevard Lebourgneuf, 4th floor, Québec (Québec)  G2K 0B6
tel. 418 840-1188, ext. 2393  /  1 800 510-4630
fax 418 840-9900
promutuelassurance.ca

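As an added example, not part of the original post and not OpenLDAP's own tooling, the following shell script runs the pre-flight checks a practitioner would make on the TLS directives above before starting a GnuTLS-built slapd. It relies on two facts about the platform in the post: slapd built against GnuTLS hands TLSCipherSuite to gnutls_priority_init(), so the directive must be a GnuTLS priority string (see slapd.conf(5)) and an OpenSSL cipher list such as HIGH:!NULL cannot be parsed there; and Ubuntu confines slapd with an AppArmor profile (/etc/apparmor.d/usr.sbin.slapd), so the key file's path matters as well as its Unix permissions. The service user `openldap`, the config path /etc/ldap/slapd.conf, the sample priority string SECURE128:-VERS-SSL3.0 and the constructed sample config are assumptions for illustration, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the TLS*
# directives of a GnuTLS-built slapd, run before starting the daemon.
# Assumed: the Ubuntu service user "openldap" and the file names from the
# post; set CONF and SLAPD_USER for your system.
CONF=${CONF:-/etc/ldap/slapd.conf}
SLAPD_USER=${SLAPD_USER:-openldap}

# Value of a slapd.conf directive (case-insensitive; first match wins).
tls_directive() {            # $1 = slapd.conf, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# slapd built against GnuTLS passes TLSCipherSuite to gnutls_priority_init(),
# which takes a GnuTLS priority string (NORMAL, SECURE128:-VERS-SSL3.0, ...),
# not an OpenSSL cipher list. Return 0 if no OpenSSL-only keyword appears,
# 1 if one does. Heuristic only: `gnutls-cli --priority "$spec" -l` is the
# authoritative parser and prints a syntax error for a bad string.
openssl_keyword_free() {     # $1 = cipher spec
    old_ifs=$IFS; IFS=:
    for tok in $1; do
        tok=${tok#[+!-]}     # both syntaxes prefix add/remove with + - !
        case "$tok" in
            HIGH|MEDIUM|LOW|EXP|EXPORT|ALL|DEFAULT|@STRENGTH) IFS=$old_ifs; return 1 ;;
            aNULL|eNULL|kRSA|aRSA|COMPLEMENTOFALL|COMPLEMENTOFDEFAULT) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs; return 0
}

# Does the key belong to the certificate? certtool --pubkey-info extracts the
# public key from either object; compare the PEM blocks. Return 0 match,
# 1 mismatch, 2 certtool missing, 3 a file is unreadable by the caller.
key_matches_cert() {         # $1 = certificate PEM, $2 = private key PEM
    command -v certtool >/dev/null 2>&1 || return 2
    [ -r "$1" ] && [ -r "$2" ] || return 3
    cpub=$(certtool --pubkey-info --load-certificate "$1" 2>/dev/null |
           sed -n '/BEGIN PUBLIC KEY/,/END PUBLIC KEY/p')
    kpub=$(certtool --pubkey-info --load-privkey "$2" 2>/dev/null |
           sed -n '/BEGIN PUBLIC KEY/,/END PUBLIC KEY/p')
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Can the slapd service user open the key? Return 0 yes, 1 no, 2 cannot tell
# (not root, or unknown user). Ubuntu additionally confines slapd with the
# AppArmor profile usr.sbin.slapd: a key outside the paths that profile allows
# is denied even when Unix permissions are right (look for apparmor="DENIED"
# in dmesg after a failed start).
readable_by() {              # $1 = user, $2 = file
    [ "$(id -u)" -eq 0 ] && id "$1" >/dev/null 2>&1 || return 2
    su -s /bin/sh "$1" -c "test -r '$2'"
}

# Run every check against one slapd.conf, printing one verdict per line.
preflight() {                # $1 = slapd.conf
    spec=$(tls_directive "$1" TLSCipherSuite)
    cert=$(tls_directive "$1" TLSCertificateFile)
    key=$(tls_directive "$1" TLSCertificateKeyFile)
    if openssl_keyword_free "$spec"; then
        echo "TLSCipherSuite '$spec': no OpenSSL-only keywords"
    else
        echo "TLSCipherSuite '$spec': OpenSSL cipher-list syntax; a GnuTLS build needs a priority string such as SECURE128:-VERS-SSL3.0"
    fi
    rc=0; key_matches_cert "$cert" "$key" || rc=$?
    case $rc in
        0) echo "key/cert: public keys match" ;;
        1) echo "key/cert: $key is NOT the private key for $cert" ;;
        *) echo "key/cert: skipped (certtool missing or files unreadable)" ;;
    esac
    rc=0; readable_by "$SLAPD_USER" "$key" || rc=$?
    case $rc in
        0) echo "permissions: $SLAPD_USER can read $key" ;;
        1) echo "permissions: $SLAPD_USER cannot read $key" ;;
        *) echo "permissions: skipped (run as root to test as $SLAPD_USER)" ;;
    esac
}

# Constructed sample: the directives from the post, written to a temp file
# when no real config exists. Run with CONF=/etc/ldap/slapd.conf otherwise.
if [ ! -r "$CONF" ]; then
    CONF=$(mktemp)
    cat > "$CONF" <<'EOF'
TLSCipherSuite HIGH:!NULL
TLSCACertificateFile  /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile    /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient never
security ssf=128
EOF
    trap 'rm -f "$CONF"' EXIT
fi
preflight "$CONF"
```

When the three checks pass and slapd still refuses to start, run it in the foreground with `slapd -d 1 -f /etc/ldap/slapd.conf -h 'ldap:/// ldaps:///'`: the libldap `TLS: ...` diagnostic printed just before `main: TLS init def ctx failed` names the directive that failed, which the bare exit code in the post does not. Once the daemon is up, `gnutls-cli --x509cafile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls -p 636 p01ldp5001.services.local` verifies the served chain from the client side with the same library slapd is using.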