OpenLDAP with ldaps support on Debian Lenny


Solution 1

The cipher names between OpenSSL and GnuTLS are not the same.

Example GnuTLS cipher:

slapd.conf:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA

To get a list of GnuTLS cipher names:

$ gnutls-cli -l

And make sure that the "cert" files are readable and owned by the openldap user. You could also add the openldap user to the ssl-cert group.

Solution 2

This could also be due to GnuTLS dropping support for the MD2 and MD5 algorithms. See the release notes for GnuTLS on Lenny.

Solution 3

Problem solved.

The server key could only be read by root and the group 'ssl-cert'. Therefore I added the user 'openldap' to the group 'ssl-cert', but somehow slapd couldn't read the server key anyway. I then copied the key and changed its ownership to 'openldap', and now it works.
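Solution 1 and Solution 3 both come down to the same question: can the account slapd runs as actually open the files named by TLSCertificateFile and TLSCertificateKeyFile? The script below is an added example, not code from the thread or from the OpenLDAP project. It reads those two paths out of a slapd.conf and decides readability the way the kernel does: exactly one permission class (owner, else group, else other) is consulted for the file, and every parent directory must grant the search bit, so a key in a directory that is mode 710 root:ssl-cert is unreadable to a user outside ssl-cert before the key's own mode is ever looked at. It assumes GNU coreutils (`stat -L -c`, `id -G`); the conf path, the service user name (`openldap`) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread or OpenLDAP: check that the
# certificate and key files named in slapd.conf are readable by the
# unprivileged account slapd runs as (openldap on Debian), consulting the
# owner/group/other bits of the file and the search bit of each parent
# directory. Assumes GNU coreutils (stat -L -c, id -G).

# perm_allows FILE_UID FILE_GID MODE USER_UID "USER_GIDS" BIT
# Pure permission logic, no filesystem access. MODE is the octal string printed
# by `stat -c %a` (e.g. 640, 60 or 2640); BIT is 4 for read, 1 for search/exec.
perm_allows() {
    f_uid=$1; f_gid=$2; mode=$3; u_uid=$4; u_gids=$5; bit=$6
    # root bypasses mode bits entirely
    [ "$u_uid" -eq 0 ] && return 0
    # normalise to exactly three digits: pad "60" to "060", drop a leading
    # setuid/setgid/sticky digit from "2640"
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    mode=$(printf '%s' "$mode" | tail -c 3)
    o=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    w=$(printf '%s' "$mode" | cut -c3)
    # Unix consults exactly one class: owner if the uid matches, otherwise
    # group if any of the user's groups matches, otherwise other
    if [ "$u_uid" -eq "$f_uid" ]; then
        [ $((o & bit)) -ne 0 ] && return 0
        return 1
    fi
    for gid in $u_gids; do
        if [ "$gid" -eq "$f_gid" ]; then
            [ $((g & bit)) -ne 0 ] && return 0
            return 1
        fi
    done
    [ $((w & bit)) -ne 0 ] && return 0
    return 1
}

# stat_allows PATH USER_UID "USER_GIDS" BIT: perm_allows fed from stat(1)
stat_allows() {
    perm_allows "$(stat -L -c %u "$1")" "$(stat -L -c %g "$1")" \
                "$(stat -L -c %a "$1")" "$2" "$3" "$4"
}

# path_readable_by FILE USER: 0 if USER can open FILE for reading,
# 1 if a mode bit blocks it, 2 if FILE is missing, 3 if USER does not exist
path_readable_by() {
    file=$1; user=$2
    [ -e "$file" ] || return 2
    u_uid=$(id -u "$user" 2>/dev/null) || return 3
    u_gids=$(id -G "$user")
    # every directory on the way down needs the search bit for this user
    # (a 710 root:ssl-cert directory stops a user outside ssl-cert here)
    dir=$(dirname "$file")
    while :; do
        stat_allows "$dir" "$u_uid" "$u_gids" 1 || return 1
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
    stat_allows "$file" "$u_uid" "$u_gids" 4
}

# slapd_tls_files CONF: print the TLSCertificateFile and TLSCertificateKeyFile
# paths from a slapd.conf, one per line (TLSCACertificatePath is a directory
# and is left out)
slapd_tls_files() {
    awk '$1 == "TLSCertificateFile" || $1 == "TLSCertificateKeyFile" { print $2 }' "$1"
}

# check_slapd_tls CONF [USER]: report each file; non-zero if any is unreadable
check_slapd_tls() {
    conf=$1; user=${2:-openldap}; status=0
    for f in $(slapd_tls_files "$conf"); do
        rc=0; path_readable_by "$f" "$user" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "ok:      $user can read $f"
        else
            echo "PROBLEM: $user cannot read $f (rc=$rc)"
            status=1
        fi
    done
    return $status
}

# usage: sh check_slapd_tls.sh /etc/ldap/slapd.conf openldap
if [ $# -ge 1 ]; then
    check_slapd_tls "$1" "${2:-openldap}"
fi
```

Run it for the service account, not for root: as the last comment in the thread notes, slapd has already dropped privileges by the time it reads the certificate, so a key that root can open tells you nothing. The walk over parent directories is what distinguishes "the key is 640 root:ssl-cert and openldap is in ssl-cert" from "openldap can actually open it".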



Author: Haes

Updated on September 17, 2022

Comments

  • Haes, almost 2 years ago

    Somehow I am unable to configure slapd to enable ldaps support on Debian Lenny. It looks like OpenLDAP is compiled with GnuTLS instead of OpenSSL, which could be part of the problem.

    I've added the following options to slapd.conf:

    TLSCipherSuite TLS_RSA_AES_256_CBC_SHA
    TLSCertificateFile /etc/ssl/certs/myhost.pem
    TLSCACertificatePath /etc/ssl/certs/
    TLSCertificateKeyFile /etc/ssl/private/myhost.pem
    TLSVerifyClient never
    and the following to ldap.conf:

    URI         ldap:/// ldaps:///
    TLS_REQCERT never
    The following error appears in the logs if I try to start slapd:

    main: TLS init def ctx failed: -64

    Could it be that the certificate, which has been generated by openssl, cannot be read by GnuTLS?

    Has anyone of you configured OpenLDAP on Debian with ldaps support? If yes, any hints on how to get it to work would be very appreciated.

    Thanks.

    EDIT: found a working TLSCipherSuite.

  • Haes, almost 15 years ago
    Thanks for the hint, I just found it out at the same time you wrote your answer :)
  • rkthkr, almost 15 years ago
    Updated my answer to address the cryptic error msg..
  • Morten Siebuhr, almost 15 years ago
    AFAIK, this is because slapd drops permissions before the certificate is read.