OpenLDAP not working with TLS

I'm trying to get OpenLDAP to work with TLS. I've tested my certificates running openssl s_server on port 4433 and then connecting with openssl s_client to view the certificates and it works fine.

However, when I start the slapd daemon and then try:
Code:
openssl s_client -connect kitauth001.mid.no:389 -showcerts
CONNECTED(00000003)
15292:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:188:

The debug.log reveals the following:
Code:
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on 1 descriptor
May 18 13:20:21 kitauth001 slapd[15289]: slap_listener_activate(7):
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=7 busy
May 18 13:20:21 kitauth001 slapd[15289]: >>> slap_listener(ldap://0.0.0.0/)
May 18 13:20:21 kitauth001 slapd[15289]: daemon: listen=7, new connection on 11
May 18 13:20:21 kitauth001 slapd[15289]: daemon: added 11r (active) listener=0x0
May 18 13:20:21 kitauth001 slapd[15289]: conn=1 fd=11 ACCEPT from IP=10.11.2.10:57973 (IP=0.0.0.0:389)
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on 1 descriptor
May 18 13:20:21 kitauth001 slapd[15289]: daemon: waked
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=7 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on 1 descriptor
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on:
May 18 13:20:21 kitauth001 slapd[15289]:  11r
May 18 13:20:21 kitauth001 slapd[15289]:
May 18 13:20:21 kitauth001 slapd[15289]: daemon: read activity on 11
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=7 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: connection_get(11)
May 18 13:20:21 kitauth001 slapd[15289]: connection_get(11): got connid=1
May 18 13:20:21 kitauth001 slapd[15289]: connection_read(11): checking for input on id=1
May 18 13:20:21 kitauth001 slapd[15289]: ber_get_next on fd 11 failed errno=34 (Result too large)
May 18 13:20:21 kitauth001 slapd[15289]: connection_read(11): input error=-2 id=1, closing.
May 18 13:20:21 kitauth001 slapd[15289]: connection_closing: readying conn=1 sd=11 for close
May 18 13:20:21 kitauth001 slapd[15289]: connection_close: conn=1 sd=11
May 18 13:20:21 kitauth001 slapd[15289]: daemon: removing 11
May 18 13:20:21 kitauth001 slapd[15289]: conn=1 fd=11 closed (connection lost)
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on 1 descriptor
May 18 13:20:21 kitauth001 slapd[15289]: daemon: waked
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=7 active_threads=0 tvp=NULL
I've got this in slapd.conf:
Code:
security ssf=128
TLSCertificateFile /usr/local/etc/openldap/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cert.key
TLSCACertificateFile /usr/local/etc/openldap/cert.crt

Any idea why it's not working?
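Added illustration, not part of this thread: the log shows slapd accepting the connection on a plain `ldap://0.0.0.0/` listener, where TLS is negotiated inside LDAP by the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), so the TLS/SSLv2 hello that `openssl s_client -connect host:389` sends first is not a BER-encoded LDAPMessage and slapd drops the read; a direct TLS handshake needs an ldaps:// listener instead (for example `slapd -h "ldap:/// ldaps:///"`, which adds port 636). The Python below, written for this post, builds the StartTLS request, extracts an ExtendedResponse result code and classifies the first bytes a listener saw; the response bytes are constructed samples and `starttls_probe` is an assumed helper, not anything from the thread.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber_len(n: int) -> bytes:  # BER definite length: short form below 128, else 0x80|count + big-endian bytes
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def read_tlv(data: bytes, i: int):  # -> (tag, value_start, value_end) of the BER TLV at offset i
    tag, length, i = data[i], data[i + 1], i + 2
    if length & 0x80:  # long-form length: count byte, then that many big-endian bytes
        n = length & 0x7F
        length, i = int.from_bytes(data[i:i + n], "big"), i + n
    return tag, i, i + length

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName, primitive
    ext = b"\x77" + ber_len(len(name)) + name                   # 0x77 = APPLICATION 23, constructed
    body = b"\x02\x01" + bytes([msg_id]) + ext                  # messageID INTEGER (1..127), then the request
    return b"\x30" + ber_len(len(body)) + body                  # outer SEQUENCE

def extended_response_code(data: bytes) -> int:
    """resultCode of LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { resultCode, ... } }."""
    tag, i, _ = read_tlv(data, 0)     # outer SEQUENCE (0x30)
    _, _, i = read_tlv(data, i)       # skip messageID
    etag, i, _ = read_tlv(data, i)    # 0x78 = APPLICATION 24, constructed
    rtag, i, end = read_tlv(data, i)  # resultCode ENUMERATED (0x0A)
    if (tag, etag, rtag) != (0x30, 0x78, 0x0A):
        raise ValueError("not an LDAP ExtendedResponse")
    return int.from_bytes(data[i:end], "big")

def classify_first_bytes(data: bytes) -> str:
    """Classify what a listener received from the first bytes on the wire."""
    if data[:1] == b"\x30":
        return "ldap-ber"            # every LDAPMessage is a BER SEQUENCE
    if data[:2] == b"\x16\x03":
        return "tls-record"          # TLS handshake record, e.g. a ClientHello
    if data[:1] and data[0] & 0x80 and data[2:3] == b"\x01":
        return "sslv2-client-hello"  # 2-byte length with MSB set, then CLIENT-HELLO (older s_client)
    return "unknown"

def starttls_probe(host: str, port: int = 389) -> ssl.SSLSocket:
    """Assumed helper: StartTLS on a plain LDAP listener, then wrap the same socket in TLS."""
    sock = socket.create_connection((host, port), timeout=5)
    sock.sendall(starttls_request())
    if (code := extended_response_code(sock.recv(4096))) != 0:
        raise RuntimeError(f"StartTLS refused, resultCode={code}")
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
```

The same negotiation with OpenLDAP's own client is `ldapsearch -x -ZZ -H ldap://kitauth001.mid.no -s base -b ''`, where `-ZZ` makes the search fail unless StartTLS succeeds.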
 
Please choose an appropriate forum next time; the General forum is a last resort (see sticky there).
 
erikf154 said:
Code:
security ssf=128
TLSCertificateFile /usr/local/etc/openldap/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cert.key
TLSCACertificateFile /usr/local/etc/openldap/cert.crt

TLS and TLSCA have the same cert file? I'd expect to see a cacert.crt or something similar (using neither ldap nor tls myself).
 
It's a self-signed certificate. I tried using CA.pl to create a demo CA certificate, but I still got the same error.
 