-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dave wrote:
> Hello,
> I'm setting up a FreeBSD openldap server for authentication. When I
> added in tls parameters, the TLSCACertificateFile, TLSKeyFile, and
> TLSCertificateFile now I am getting the below error. I've checked
> permissions on the keys and they are globally readable. Any suggestions?
> Thanks.
> Dave.
>
> Jan 26 21:48:38 ldap slapd: main: TLS init def ctx failed: -1

Setting up TLS with OpenLDAP is tricky. Much trickier than it should be
IMHO. Make sure the key file is *not* readable by other than the ldap
process and that it isn't in a world writable directory. Use 'openssl
s_client' to connect to the LDAPS port on your server and produce better
debugging hints.

Try asking on the [EMAIL PROTECTED] list for help: there are a lot more
people that understand OpenLDAP there than on this list.

	Cheers,

	Matthew

PS. If you want to use OpenLDAP as both client and server over TLS (eg.
you're using syncrepl between a number of cloned OpenLDAP instances)
then you really do need superior skills. OpenLDAP only understands one
key+cert, so you have to fiddle with the 'Netscape Cert Type' field to
make a cert that is usable for both client and server. Fun!

- --
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHnFPH8Mjk52CukIwRCMfzAJ9+R6/fmnwpc52uk5Pa56LpIYVGPgCfSHnd
Dyr6bs4kg378WoZZMA4AJU8=
=9TIg
-----END PGP SIGNATURE-----
_______________________________________________
email@example.com mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
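The two checks Matthew recommends (key readable only by the slapd user and not sitting in a world-writable directory, then a handshake probe with 'openssl s_client') are easy to script. The following is an added example, not code from the thread or from the OpenLDAP project. It assumes slapd runs as the user `ldap` and that the key and certificate paths are passed on the command line; `check_tls_files` also confirms, when the `openssl` binary is present, that the key and certificate actually belong together, a mismatch being another common cause of the "TLS init def ctx failed" message.

```shell
#!/bin/sh
# Added example: sanity checks for the files named in slapd.conf's
# TLSKeyFile / TLSCertificateFile. Uses only POSIX tools (ls, cut, awk)
# so it runs the same on FreeBSD and Linux.

# 0 if FILE exists and has no group/other read bit (e.g. mode 0600).
key_is_private() {
    [ -f "$1" ] || return 1
    # columns 5-10 of "ls -ld" are the group and other permission bits
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# 0 if DIR grants write permission to "other" (column 9 of ls -ld).
dir_is_world_writable() {
    case "$(ls -ld "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# check_tls_files KEY CERT [OWNER]; prints findings, returns 1 on any problem.
check_tls_files() {
    key=$1; cert=$2; want_owner=${3:-}; status=0

    if key_is_private "$key"; then
        echo "ok: $key is readable only by its owner"
    else
        echo "PROBLEM: $key is missing or readable by group/other (chmod 600)"
        status=1
    fi

    keydir=$(dirname "$key")
    if dir_is_world_writable "$keydir"; then
        echo "PROBLEM: $keydir is world-writable; the key could be replaced"
        status=1
    else
        echo "ok: $keydir is not world-writable"
    fi

    if [ -n "$want_owner" ]; then
        owner=$(ls -ld "$key" | awk '{print $3}')
        if [ "$owner" = "$want_owner" ]; then
            echo "ok: $key is owned by $want_owner"
        else
            echo "PROBLEM: $key is owned by '$owner', expected '$want_owner'"
            status=1
        fi
    fi

    if [ -r "$cert" ]; then
        echo "ok: certificate $cert is readable"
    else
        echo "PROBLEM: certificate $cert is not readable"
        status=1
    fi

    # Optional: does the public key in CERT match KEY? (needs openssl)
    if [ "$status" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
        certpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null || true)
        if [ -z "$keypub" ] || [ -z "$certpub" ]; then
            echo "note: could not parse PEM, skipping key/cert match test"
        elif [ "$keypub" = "$certpub" ]; then
            echo "ok: certificate public key matches the private key"
        else
            echo "PROBLEM: certificate does not belong to this private key"
            status=1
        fi
    fi
    return "$status"
}

# probe_ldaps [HOST] [PORT]: show the TLS handshake slapd's log hides.
probe_ldaps() {
    # </dev/null makes s_client exit once the handshake is done
    openssl s_client -connect "${1:-localhost}:${2:-636}" -showcerts </dev/null
}

# Usage: ./check-slapd-tls.sh /path/to/key.pem /path/to/cert.pem ldap
if [ "$#" -ge 2 ]; then
    check_tls_files "$@"
fi
```

Run it as the user slapd starts under so that the readability test reflects what slapd itself sees; `probe_ldaps host 636` is meant to be run separately once the file checks pass, since it needs the server to be listening.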