I tried several times, but nothing seems to work. First I changed the names to be the same as in the FAQ:

olcTLSCACertificateFile: /etc/ldap/ssl/cacert.pem
olcTLSCertificateFile: /etc/ldap/ssl/servercrt.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/serverkey.pem

All three files are rwx for everyone and all belong to openldap (the user I am using for ldap).

Error log:

Dec 15 14:28:21 axew0204 slapd[24383]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ ^ibui...@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
Dec 15 14:28:21 axew0204 slapd[24383]: main: TLS init def ctx failed: -60
Dec 15 14:28:21 axew0204 slapd[24383]: slapd stopped.
Dec 15 14:28:21 axew0204 slapd[24383]: connections_destroy: nothing to destroy.

I tried running su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/'

# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/servercrt.pem'
subject= /C=AU/ST=Some-State/L=Sydney/O=Internet Widgits Pty Ltd/CN=axew0204/[email protected]
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/cacert.pem'
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=axew0204/[email protected]
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/serverkey.pem'
unable to load certificate
24190:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

I assume the last error message is fine, because it is a private key and not a certificate itself.

Any ideas what to try next?

2008/12/12 Buchan Milne <[email protected]>
> On Thursday 11 December 2008 08:04:24 Alfonsas Stonis wrote:
> > Hi,
> >
> > I am trying to configure openldap and tls
> > I am following instructions, however I cannot start slapd
> > http://www.openldap.org/faq/data/cache/185.html
> >
> > My cn\=config.ldif
> >
> > olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
> > olcTLSCertificateFile: /etc/ldap/ssl/newcert.pem
> > olcTLSCertificateKeyFile: /etc/ldap/ssl/demoCA/newreq.pem
> > [...]
> >
> > However there is nothing in the log :(
> >
> > Dec 11 16:47:41 axew0204 slapd[434]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ ^ibui...@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
> > Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
> > Dec 11 16:47:41 axew0204 slapd[434]: slapd stopped.
> > Dec 11 16:47:41 axew0204 slapd[434]: connections_destroy: nothing to destroy.
>
> The most common causes for this error message, in my experience, are:
> -Path to certificates or key is wrong
> -The user slapd runs as cannot access the certificates or keys
> -The certificates or keys are in the wrong format
>
> So, I would do this to test:
>
> su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/newcert.pem'
>
> su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/demoCA/newreq.pem'
>
> (replace the user - 'ldap' in this case - with the username your slapd runs as).
>
> However, it's probably not the best idea to configure slapd to find the certs or keys in the demoCA directory (if you sign another cert on that box, you will probably overwrite those files).
>
> (The FAQ entry could also consider recommending to place the SSL key in a different file than the CSR ....)
>
> (It may also be worthwhile adding an FAQ entry on this, with the error message, as googling the error message doesn't turn up any good answers, just bad questions ...)
>
> Regards,
> Buchan
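The three checks in this thread (path, access by the slapd user, file format) can be scripted; the script below is an added example and not part of the thread or of OpenLDAP. It reads each file's PEM header so that a private key is inspected with `openssl rsa` rather than `openssl x509` (which produces the "no start line ... Expecting: TRUSTED CERTIFICATE" error seen above even when the key is fine), and it also flags a key that is readable by everyone. File names and the `openldap` user are assumptions matching the thread; run it as the user slapd runs as.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the files named by
# olcTLSCACertificateFile / olcTLSCertificateFile / olcTLSCertificateKeyFile
# for readability, PEM type and key permissions. Run as the slapd user, e.g.:
#   su - openldap -s /bin/sh -c '. ./tlscheck.sh; check_tls_file key /etc/ldap/ssl/serverkey.pem'

# Print "certificate", "private-key" or "unknown" based on the PEM header line.
pem_type() {
    if grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo certificate
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo private-key
    else
        echo unknown
    fi
}

# The "others" permission triplet (e.g. "r--") taken from ls, which is
# portable across GNU and BSD userlands unlike stat(1).
others_perm() {
    ls -ld "$1" | cut -c8-10
}

# check_tls_file ROLE FILE: ROLE is "cert" (CA or server certificate) or
# "key" (server private key). Returns 0 if usable, 1 with a reason otherwise,
# and prints the openssl command that actually parses that kind of file.
check_tls_file() {
    role=$1; f=$2
    [ -r "$f" ] || { echo "$f: not readable by $(id -un)"; return 1; }
    t=$(pem_type "$f")
    case "$role:$t" in
        cert:certificate) cmd="openssl x509 -noout -subject -in $f" ;;
        key:private-key)  cmd="openssl rsa -noout -check -in $f" ;;
        *) echo "$f: expected a $role but PEM header says '$t'"; return 1 ;;
    esac
    # A private key readable by "everyone" (as in the thread) is a risk:
    # anyone on the box can impersonate the LDAP server.
    if [ "$role" = key ] && [ "$(others_perm "$f")" != "---" ]; then
        echo "$f: private key is accessible to others (others=$(others_perm "$f")); chmod 600 it"
        return 1
    fi
    echo "$f: $t ok; parse it with: $cmd"
    return 0
}
```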
