-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dave wrote:
> Hello,
>    I'm setting up a FreeBSD openldap server for authentication. When i
> added in tls parameters, the TLSCACertificateFile, TLSKeyFile, and
> TLSCertificateFile now i am getting the below error. I've checked
> permissions on the keys and they are globally readable. Any suggestions?
> Thanks.
> Dave.
> 
> Jan 26 21:48:38 ldap slapd[43560]: main: TLS init def ctx failed: -1

Setting up TLS with OpenLDAP is tricky.  Much trickier than it should
be IMHO.

Make sure the key file is *not* readable by other than the ldap process
and that it isn't in a world writable directory.

Use 'openssl s_client' to connect to the LDAPS port on your server and
produce better debugging hints.

Try asking on the [EMAIL PROTECTED] list for help: there are
a lot more people that understand OpenLDAP there than on this list.

        Cheers,

        Matthew

PS. If you want to use OpenLDAP as both client and server over TLS 
(eg. you're using syncrepl between a number of cloned OpenLDAP instances)
then you really do need superior skills.  OpenLDAP only understands
one key+cert, so you have to fiddle with the 'Netscape Cert Type' field
to make a cert that is usable for both client and server.  Fun!

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHnFPH8Mjk52CukIwRCMfzAJ9+R6/fmnwpc52uk5Pa56LpIYVGPgCfSHnd
Dyr6bs4kg378WoZZMA4AJU8=
=9TIg
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to