OpenLDAP with ldaps support on Debian Lenny
Solution 1
The cipher names between Openssl and GnuTLS are not the same.
Example GnuTLS cipher:
slapd.conf:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA
To get a list of GnuTLS cipher names:
$ gnutls-cli -l
And make sure that the "cert" files are readable and owned by the openldap user. You could also add the openldap user to the ssl-cert group.
Solution 2
this could also be due to gnutls dropping support for md2 and md5 algorithms. see the release notes for gnutls on lenny.
Solution 3
Problem solved.
The server key could only be read by root and group 'ssl-cert'. Therefore I added the user 'openldap' to the group 'ssl-cert' but somehow slapd couldn't read the server key anyway. I now copied the key and changed its ownership to 'openldap' and now it works.
Related videos on Youtube
Haes
Updated on September 17, 2022Comments
-
Haes almost 2 years
somehow I am unable to configure slapd to enable ldaps support on Debian Lenny. It looks like OpenLDAP is compiled with GnuTLS instead of OpenSSL which could be part of the problem.
I've added the following options to slapd.conf:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA TLSCertificateFile /etc/ssl/certs/myhost.pem TLSCACertificatePath /etc/ssl/certs/ TLSCertificateKeyFile /etc/ssl/private/myhost.pem TLSVerifyClient never
and the following to ldap.conf:
URI ldap:/// ldaps:/// TLS_REQCERT never
The following error appears in the logs if I try to start slapd:
main: TLS init def ctx failed: -64
Could it be that the certificate, which has been generated by openssl, cannot be read by GnuTLS?
Has anyone of you configured OpenLDAP on Debian with ldaps support? If yes, any hints on how to get it to work would be very appreciated.
Thanks.
EDIT: found a working TLSCipherSuite.
-
Haes almost 15 yearsThanks for the hint, I just found it out at the same time you wrote your answer :)
-
rkthkr almost 15 yearsUpdated my answer to address the cryptic error msg..
-
Morten Siebuhr almost 15 yearsAFAIK, this is because slapd drops permissions before the certificate is read.