freebsd openldap server tls error

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Jan 27 01:50:06 PST 2008



Dave wrote:
> Hello,
>    I'm setting up a FreeBSD openldap server for authentication. When I
> added in tls parameters, the TLSCACertificateFile, TLSKeyFile, and
> TLSCertificateFile, now I am getting the below error. I've checked
> permissions on the keys and they are globally readable. Any suggestions?
> Thanks.
> Dave.
> 
> Jan 26 21:48:38 ldap slapd[43560]: main: TLS init def ctx failed: -1

Setting up TLS with OpenLDAP is tricky.  Much trickier than it should
be IMHO.

Make sure the key file is *not* readable by other than the ldap process
and that it isn't in a world writable directory.

Use 'openssl s_client' to connect to the LDAPS port on your server and
produce better debugging hints.

Try asking on the openldap-software at OpenLDAP.org list for help: there are
a lot more people that understand OpenLDAP there than on this list.

	Cheers,

	Matthew

PS. If you want to use OpenLDAP as both client and server over TLS 
(eg. you're using syncrepl between a number of cloned OpenLDAP instances)
then you really do need superior skills.  OpenLDAP only understands
one key+cert, so you have to fiddle with the 'Netscape Cert Type' field
to make a cert that is usable for both client and server.  Fun!

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
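The two checks Matthew recommends above (key file readable only by the slapd user and not in a world-writable directory; `openssl s_client` against the LDAPS port) as an added example script. This is not code from the thread or from the OpenLDAP project; it assumes slapd runs as user `ldap` (a hypothetical default you pass on the command line) and the function names are my own. It works with both BSD `stat -f` (FreeBSD) and GNU `stat -c`.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks the file that
# slapd's TLSKeyFile points at: owned by the slapd user, no group/other
# permission bits, and not sitting in a world-writable directory.
# Assumption (hypothetical): slapd runs as user "ldap".

# last3 MODE: reduce "0600", "1777" or "600" to its low three octal digits
last3() {
    printf '%s\n' "$1" | sed 's/^.*\(...\)$/\1/'
}

# file_mode PATH / file_owner PATH: GNU stat -c (Linux) or BSD stat -f (FreeBSD)
if stat -c '%a' / >/dev/null 2>&1; then
    file_mode()  { last3 "$(stat -c '%a' "$1")"; }
    file_owner() { stat -c '%U' "$1"; }
else
    file_mode()  { last3 "$(stat -f '%Lp' "$1")"; }
    file_owner() { stat -f '%Su' "$1"; }
fi

# check_key_perms KEYFILE [OWNER]
# Prints one line per problem found; returns 0 only when there is none.
check_key_perms() {
    key=$1
    want=${2:-ldap}
    rc=0
    if [ ! -f "$key" ]; then
        echo "$key: not a regular file"
        return 1
    fi
    mode=$(file_mode "$key")
    owner=$(file_owner "$key")
    dir=$(dirname "$key")
    dmode=$(file_mode "$dir")

    [ "$owner" = "$want" ] || { echo "$key: owned by $owner, expected $want"; rc=1; }
    # group and other digits must be 0, i.e. mode 0600 or 0400
    case "$mode" in
        ?00) ;;
        *) echo "$key: mode $mode is readable or writable by group/other"; rc=1 ;;
    esac
    # the directory's "other" digit must not carry the write bit (2)
    case "$dmode" in
        ??[2367]) echo "$dir: mode $dmode is world-writable"; rc=1 ;;
    esac
    return $rc
}

# ldaps_check HOST [PORT] [CAFILE]
# Talk TLS to the LDAPS port with openssl s_client and show the lines that
# matter: the verify result and any TLS errors/alerts. Needs network access.
ldaps_check() {
    host=$1
    port=${2:-636}
    ca=${3:-}
    if [ -n "$ca" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$ca" </dev/null 2>&1) || true
    else
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              </dev/null 2>&1) || true
    fi
    printf '%s\n' "$out" | grep -E 'Verify return code|error|alert'
}

# Usage: sh check-slapd-key.sh /path/to/server.key ldap   (path is hypothetical)
if [ $# -gt 0 ]; then
    if check_key_perms "$1" "${2:-ldap}"; then
        echo "$1: permissions look sane"
    fi
fi
```

A key that passes `check_key_perms` but still produces `TLS init def ctx failed` usually points at the certificate side (CA chain or key/cert mismatch), which is exactly what the `ldaps_check` output from `openssl s_client` will tell you.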

