Hello everyone, I hope I'm at the right place for this kind of question; please
tell me if I'm wrong.
I just installed OpenLDAP as a proxy for AD.
The proxy itself works fine: I have made a few ldapsearch queries and got the
results I was expecting.
Now I want to add TLS to it for security reasons.
I'm using OpenLDAP 2.4.42 on Ubuntu 16.04.1 LTS; unfortunately it's built with
GnuTLS, which I don't know much about.
I would have preferred it to be built with OpenSSL.
So, to make TLS work, I added these lines to slapd.conf:
TLSCipherSuite HIGH:!NULL
TLSCACertificateFile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient never
security ssf=128
I also used certtool (the GnuTLS tool) to validate my certificate.
I can verify my certificate_chain.cer.pem.gnutls with certtool, so the file
itself is okay:
certtool -e --infile certificate_chain.cer.pem.gnutls
Loaded 2 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
I can also verify the whole chain if I make a file containing the 3 certs (CA,
intermediate and server):
certtool -e --infile full_chain.pem --verify-hostname p01ldp5001.services.local --verify-purpose 1.3.6.1.5.5.7.3.1
Loaded 3 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Checked against: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
Yet when I try to start the server I get this error:
main: TLS init def ctx failed: -1
Can someone help me with this?
Patrick Ouellet
Linux Administrator
Operation
VPSI
Groupe Promutuel
2000, boulevard Lebourgneuf, 4e étage, Québec (Québec) G2K 0B6
Tel: 418 840-1188, ext. 2393 / 1 800 510-4630
Fax: 418 840-9900
promutuelassurance.ca <https://www.promutuelassurance.ca/>
If you need to print this document, please print it double-sided. If you are
not the intended recipient of this message, please notify the sender of the
error and destroy the message. Please further note that it is prohibited to
copy or modify any email without the author’s permission. Promutuel Insurance
accepts no liability whatsoever with regard to the content of personal messages
sent by its employees.
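One way to narrow down a "TLS init def ctx failed" error is to check, outside slapd, the same three files the TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile directives point at: readability by the service account, PEM parsing, key/certificate pairing, and the chain, purpose and hostname checks the post runs with certtool. The shell function below is an added example, not code from the post or from OpenLDAP; it assumes the openssl command-line tool is installed, and the function name and the default service account openldap are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the three files named by slapd's TLSCACertificateFile,
# TLSCertificateFile and TLSCertificateKeyFile directives. Added example, not
# code from the post or from OpenLDAP; assumes the openssl CLI. The function
# name and the default service account "openldap" are assumptions.
#
# Usage: slapd_tls_preflight CA_FILE CERT_FILE KEY_FILE HOSTNAME [SERVICE_USER]
slapd_tls_preflight() {
    ca="$1"; cert="$2"; key="$3"; host="$4"; svc="${5:-openldap}"

    # 1. Every file must be readable by the account slapd runs as; when run
    #    as root the test is done as that account, otherwise as the caller.
    for f in "$ca" "$cert" "$key"; do
        if [ "$(id -u)" = 0 ] && id "$svc" >/dev/null 2>&1; then
            su -s /bin/sh "$svc" -c "test -r '$f'" \
                || { echo "$f is not readable by $svc"; return 1; }
        else
            [ -r "$f" ] || { echo "cannot read $f"; return 1; }
        fi
    done

    # 2. Each file must parse as the PEM object slapd expects there.
    #    stdin is closed so an encrypted key fails instead of prompting.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 \
        || { echo "$cert is not a PEM certificate"; return 2; }
    openssl pkey -noout -in "$key" </dev/null >/dev/null 2>&1 \
        || { echo "$key is not an unencrypted PEM private key"; return 3; }

    # 3. The private key must belong to the certificate: compare the public
    #    key embedded in the certificate with the one derived from the key.
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
      "$(openssl pkey -pubout -in "$key" </dev/null 2>/dev/null)" ] \
        || { echo "$key does not match $cert"; return 4; }

    # 4. The certificate must chain to the CA file, be valid for TLS server
    #    use and carry the expected hostname: the same checks the post runs
    #    with certtool --verify-purpose 1.3.6.1.5.5.7.3.1 --verify-hostname.
    openssl verify -CAfile "$ca" -purpose sslserver -verify_hostname "$host" \
        "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $ca for $host"; return 5; }

    echo "ok: $cert, $key and $ca are consistent for $host"
    return 0
}
```

Run it as root so step 1 is evaluated as the slapd account rather than as your own user; each failing step returns a distinct exit status, so the first directive to fix is visible at a glance.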