On Fri, 2 Dec 2016 12:17:07 +0000, <[email protected]> wrote:
> Hello everyone, I hope I'm at the right place for this kind of
> question; please tell me if I'm wrong.
>
> I just installed openldap as a proxy for AD.
> The proxy in itself works fine; I have made a few ldapsearch and got
> the results I was expecting.
>
> Now I want to add TLS to it for security reasons.
>
> I'm using openldap 2.4.42 on Ubuntu 16.04.1 LTS. Unfortunately it's
> built with gnutls, which I don't know much about; I would have
> preferred it to be built with openssl.
>
> So I'm trying to make TLS work, so I added these to slapd.conf:
>
> TLSCipherSuite HIGH:!NULL
> TLSCACertificateFile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
> TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem
> TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
> TLSVerifyClient never
> security ssf=128
>
> I also used certtool (gnutls tool) to validate my certificate.
>
> I can verify my certificate_chain.cer.pem.gnutls with certtool, so the
> file in itself is okay.
>
> certtool -e --infile certificate_chain.cer.pem.gnutls
> Loaded 2 certificates, 1 CAs and 0 CRLs
>
> Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
> Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
> Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
> Output: Verified. The certificate is trusted.
>
> Chain verification output: Verified. The certificate is trusted.
>
> I can also verify the whole chain if I make a file containing the 3
> certs, CA, Intermediate and Server:
>
> certtool -e --infile full_chain.pem --verify-hostname p01ldp5001.services.local --verify-purpose 1.3.6.1.5.5.7.3.1
> Loaded 3 certificates, 1 CAs and 0 CRLs
>
> Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
> Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
> Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
> Output: Verified. The certificate is trusted.
>
> Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
> Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
> Checked against: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
> Output: Verified. The certificate is trusted.
>
> Chain verification output: Verified. The certificate is trusted.
>
> Yet when I try to start the server I get this error:
>
> main: TLS init def ctx failed: -1
>
> Can someone help me with this?

man slapd.conf(5), search for TLS Options for GnuTLS, in particular
TLSCipherSuite options.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
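Dieter's pointer, spelled out as an added example that is not part of the thread: slapd.conf(5) states that when slapd is built against GnuTLS, TLSCipherSuite takes a GnuTLS priority string, whereas `HIGH:!NULL` is OpenSSL cipher-list syntax. The fragment below is the poster's TLS block with that one directive rewritten in GnuTLS form; the file paths are the poster's own, and the priority string `SECURE128:-VERS-SSL3.0` is an assumed choice, not something from the thread.

```conf
# slapd.conf TLS block for a GnuTLS-built slapd (added example, not from the thread)

# As posted: OpenSSL cipher-list syntax, not a GnuTLS priority string.
#TLSCipherSuite HIGH:!NULL

# GnuTLS priority string (assumed value): suites of 128-bit security or better,
# with SSLv3 removed. Check that the string parses before restarting slapd:
#   gnutls-cli -l --priority 'SECURE128:-VERS-SSL3.0'
TLSCipherSuite SECURE128:-VERS-SSL3.0

TLSCACertificateFile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient never

# 128-bit floor kept as posted; the SECURE128 suites satisfy it.
security ssf=128
```

After slapd starts, `ldapsearch -ZZ -H ldap://p01ldp5001.services.local -x -b '' -s base` confirms that StartTLS negotiates against the configured certificate chain.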
