Just for info, my OpenLDAP server now listens on port 636 and I have ldaps:/// in my /etc/rc.conf.local, so I think SSL (not TLS) should work on it, but it doesn't. I get this error message from Apache Directory Studio when I select SSL encryption:

- ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified: Improper close state: Status = OK HandshakeStatus = NEED_WRAP
  org.apache.directory.studio.connection.core.io.StudioLdapException: ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified: Improper close state: Status = OK HandshakeStatus = NEED_WRAP

I get this error when I try to connect via TLS with Apache Directory Studio:

  Error while opening connection - [LDAP result code 2 - protocolError] unsupported extended operation

But it works perfectly without any encryption.

________________________________
From: Stuart Henderson <s...@spacehopper.org>
Sent: Saturday, 26 June 2021 01:37
To: C. G. <idxtra...@hotmail.com>
Cc: bugs@openbsd.org <bugs@openbsd.org>
Subject: Re: Unable to make OpenLDAP work with TLS

On 2021/06/25 21:26, C. G. wrote:
> Sorry, I tried the solutions you posted,

No you didn't; I said:

"Try with chain.pem not fullchain.pem for TLSCACertificateFile. OpenLDAP's TLS config is a bit nonstandard compared to other software."

but you show another file with fullchain.pem, and

"The server will need to be set to listen to TLS connections - if the server is on OpenBSD then you probably want slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///"

and you show an rc.conf.local file with no backslashes.

> Here is my whole slapd.conf (on which I did slaptest -f slapd.conf -F slapd.d
> after having removed /etc/openldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
> and put the owner of /etc/openldap/slapd.d to openldap:openldap and
> permissions to 0750 on the folder):

You are making things hard for yourself. If you want to edit config online via LDAP commands then use olc and use LDAP commands to edit it. If you want a standard text config file, then get rid of olc and use slapd.conf instead. Using both on an ongoing basis just causes confusion.
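As an added example (not part of the thread), a small Python check for the two misconfigurations Stuart's reply points at: a slapd_flags line in rc.conf.local whose -h list has lost its backslashes, so ldaps:/// never becomes a listener, and a TLSCACertificateFile that carries the server's own certificate (fullchain.pem) instead of only the issuing chain (chain.pem). The rc.conf.local lines and PEM blocks below are constructed samples, not files from the report.

```python
import re
import shlex
from base64 import b64decode

# Constructed samples, not files from the thread: the slapd_flags line with the
# backslashes Stuart describes, and the same line with them missing.
RC_WITH_BACKSLASHES = r'slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///"'
RC_WITHOUT_BACKSLASHES = 'slapd_flags="-u _openldap -h ldap:/// ldaps:/// ldapi:///"'

def slapd_listeners(rc_conf_text):
    """Return the URIs slapd will actually receive in its -h argument.

    rc.d(8) hands the daemon and its flags to a shell as one command string, so
    the value is word-split the way shlex.split does it: a backslash-escaped
    space stays inside the -h argument, an unescaped one starts a new argument
    and every URI after it silently drops out of the listener list."""
    m = re.search(r'^slapd_flags="(.*)"\s*$', rc_conf_text, re.M)
    argv = shlex.split(m.group(1)) if m else []
    for i, arg in enumerate(argv):
        if arg == "-h" and i + 1 < len(argv):
            return argv[i + 1].split()
    return []

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(pem_text):
    """DER bytes of every certificate block in a PEM bundle (contents not parsed)."""
    return [b64decode("".join(body.split())) for body in PEM_CERT.findall(pem_text)]

def ca_file_includes_leaf(ca_pem, server_pem):
    """True when the server's own certificate (first block of TLSCertificateFile)
    also appears in TLSCACertificateFile, i.e. fullchain.pem was used where the
    reply recommends chain.pem (issuing chain only)."""
    return pem_certs(server_pem)[0] in pem_certs(ca_pem)

# Constructed PEM blocks: the bodies are just base64 of the words "leaf" and
# "inter", standing in for a server certificate and its intermediate CA.
LEAF = "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
INTER = "-----BEGIN CERTIFICATE-----\naW50ZXI=\n-----END CERTIFICATE-----\n"
FULLCHAIN, CHAIN = LEAF + INTER, INTER

if __name__ == "__main__":
    for label, rc in (("with", RC_WITH_BACKSLASHES), ("without", RC_WITHOUT_BACKSLASHES)):
        uris = slapd_listeners(rc)
        print(f"{label} backslashes: listeners={uris} ldaps={'ldaps:///' in uris}")
    print("fullchain.pem as CA file includes leaf:", ca_file_includes_leaf(FULLCHAIN, LEAF))
    print("chain.pem as CA file includes leaf:    ", ca_file_includes_leaf(CHAIN, LEAF))
```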