terry.lem...@dell.com wrote:
> Hi
>
> I've followed the instructions in
> https://www.openldap.org/doc/admin26/quickstart.html to deploy openldap 2.6.4
> on a SLES 15 SP4 system. Once I confirmed that this was working correctly, I
> moved on to configure TLS, following the instructions in
> https://www.openldap.org/doc/admin26/tls.html. When I try a connection to the
> LDAPS port (636), I see the following:
>
> ldpdd040:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636

If you're going to use openssl s_client you also need to tell it which CA
and/or server certs to trust. I'd start with using ldapsearch -d -1 instead.

> CONNECTED(00000003)
> 139702302594704:error:140790E5:SSL routines:ssl23_write:ssl handshake
> failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 293 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1683823897
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> ldpdd040:~ #
>
> I'm using this command to start slapd:
> /usr/local/libexec/slapd -F /usr/local/etc/slapd.d -s 3 -h "ldap:/// ldaps:///"
>
> When I execute the openssl command above, I look in /var/log/messages and see:
>
> 2023-05-11T12:51:55.213884-04:00 ldpdd042 slapd[20101]: conn=1000 fd=12
> ACCEPT from IP=10.247.229.40:56844 (IP=0.0.0.0:636)
> 2023-05-11T12:51:55.213944-04:00 ldpdd042 slapd[20101]: connection_get(12):
> got connid=1000
> 2023-05-11T12:51:55.214004-04:00 ldpdd042 slapd[20101]: connection_read(12):
> checking for input on id=1000
> 2023-05-11T12:51:55.214065-04:00 ldpdd042 slapd[20101]: connection_read(12):
> TLS accept failure error=-1 id=1000, closing
> 2023-05-11T12:51:55.214138-04:00 ldpdd042 slapd[20101]: connection_close:
> conn=1000 sd=12
> 2023-05-11T12:51:55.214207-04:00 ldpdd042 slapd[20101]: conn=1000 fd=12
> closed (TLS negotiation failure)
> ldpdd0
>
> I've appended these lines to /usr/local/etc/openldap/slapd.conf:
>
> # Added TLS directives
> #
> TLSCACertificateFile /var/lib/ca-certificates/ca-bundle.pem
> TLSCertificateFile /etc/ssl/private/server.cert
> TLSCertificateKeyFile /etc/ssl/private/server.key
> #TLSCipherSuite ALL
>
> I can't find any log information that helps me understand what the problem
> is. I'm using a self-signed server certificate that has the cn using the FQDN
> of the server.
>
> How can I debug this?
>
> Thanks!
> tl

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
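The reply's two pieces of advice (give openssl s_client a CA to trust, and use ldapsearch -d -1) are easier to act on as a small pre-flight script. The following is an added example and is not part of the thread or of OpenLDAP itself; it reuses the three file paths from the poster's configuration, and the LDAP_HOST variable and the ldap.example.com host are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a slapd TLS setup.
# Paths follow the poster's config; LDAP_HOST is an assumed placeholder.

# check_tls_files CAFILE CERT KEY
# Returns 0 when every file slapd needs for TLS exists and is readable by the
# caller, 1 otherwise. A file slapd cannot load shows up only as the terse
# "TLS accept failure" seen in the thread, so check this first.
check_tls_files() {
    rc=0
    for f in "$1" "$2" "$3"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# cert_matches_key CERT KEY
# Returns 0 when the certificate's public key equals the private key's public
# half, compared as SHA-256 digests of the PEM-encoded public keys.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# ca_contains_cert CAFILE CERT
# Returns 0 when CERT verifies against CAFILE. A self-signed server
# certificate only verifies if that certificate itself is present in CAFILE;
# a distribution CA bundle will not contain it.
ca_contains_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# handshake_checks HOST CAFILE
# The two client-side checks from the reply: s_client told which CA to trust,
# then ldapsearch at full debug level. LDAPTLS_CACERT hands the same CA file
# to libldap so both tools verify the server against the same trust store.
handshake_checks() {
    host=$1
    ca=$2
    openssl s_client -connect "$host:636" -servername "$host" -CAfile "$ca" </dev/null
    LDAPTLS_CACERT="$ca" ldapsearch -H "ldaps://$host/" -x -b '' -s base -d -1 '(objectClass=*)'
}

CA=/var/lib/ca-certificates/ca-bundle.pem
CERT=/etc/ssl/private/server.cert
KEY=/etc/ssl/private/server.key

# Live checks run only when a host is supplied, e.g.
#   LDAP_HOST=ldap.example.com sh tlscheck.sh
if [ -n "${LDAP_HOST:-}" ]; then
    check_tls_files "$CA" "$CERT" "$KEY" || exit 1
    cert_matches_key "$CERT" "$KEY" || { echo "certificate does not match key" >&2; exit 1; }
    ca_contains_cert "$CA" "$CERT" || echo "warning: $CERT does not verify against $CA" >&2
    handshake_checks "$LDAP_HOST" "$CA"
fi
```

Run the file checks as the user slapd runs as, not as root, since /etc/ssl/private is normally not world-readable. One further thing worth confirming before reading the debug output: the slapd command line in the thread uses -F /usr/local/etc/slapd.d, so the TLS directives appended to slapd.conf are only in effect if that configuration has been converted into the slapd.d tree (olcTLSCACertificateFile and friends under cn=config).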