terry.lemons@dell.com wrote:
> Hi
>
> I've followed the instructions in
> https://www.openldap.org/doc/admin26/quickstart.html
> to deploy openldap 2.6.4 on a SLES 15 SP4 system. Once I confirmed that this
> was working correctly, I moved on to configure TLS, following the instructions in
> https://www.openldap.org/doc/admin26/tls.html. When I try a connection to the
> LDAPS port (636), I see the following:
>
> ldpdd040:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636
> CONNECTED(00000003)
> 139702302594704:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 293 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1683823897
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
> ldpdd040:~ #
>
> I'm using this command to start slapd:
> /usr/local/libexec/slapd -F /usr/local/etc/slapd.d -s 3 -h "ldap:/// ldaps:///"
>
> When I execute the openssl command above, I look in /var/log/messages and see:
>
> 2023-05-11T12:51:55.213884-04:00 ldpdd042 slapd[20101]: conn=1000 fd=12 ACCEPT from IP=10.247.229.40:56844 (IP=0.0.0.0:636)
> 2023-05-11T12:51:55.213944-04:00 ldpdd042 slapd[20101]: connection_get(12): got connid=1000
> 2023-05-11T12:51:55.214004-04:00 ldpdd042 slapd[20101]: connection_read(12): checking for input on id=1000
> 2023-05-11T12:51:55.214065-04:00 ldpdd042 slapd[20101]: connection_read(12): TLS accept failure error=-1 id=1000, closing
> 2023-05-11T12:51:55.214138-04:00 ldpdd042 slapd[20101]: connection_close: conn=1000 sd=12
> 2023-05-11T12:51:55.214207-04:00 ldpdd042 slapd[20101]: conn=1000 fd=12 closed (TLS negotiation failure)
> ldpdd0
>
> I've appended these lines to /usr/local/etc/openldap/slapd.conf:
>
> # Added TLS directives
> #
> TLSCACertificateFile /var/lib/ca-certificates/ca-bundle.pem
> TLSCertificateFile /etc/ssl/private/server.cert
> TLSCertificateKeyFile /etc/ssl/private/server.key
> #TLSCipherSuite ALL
>
> I can't find any log information that helps me understand what the problem is. I'm
> using a self-signed server certificate that has the cn using the FQDN of the server.
>
> How can I debug this?
>
> Thanks!
> tl
Hello list,

If I understand the listed configuration correctly, slapd is started with online config and the TLS information is configured in the static config file slapd.conf. Is this kind of mixed configuration valid, or does the TLS information have to be configured in the corresponding olc attributes in cn=config?
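An added check script for the mixed-configuration question above (example code, not from the thread or the OpenLDAP project). It assumes ldapsearch and openssl are on PATH, root access over ldapi:///, and that slapd runs as the user "ldap"; it reports whether cn=config carries the olcTLS* attributes at all (directives in slapd.conf are not read when slapd is started with -F), whether the certificate and key belong together, whether the key is readable by the slapd user, and prints the LDIF that would move the three directives into cn=config.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the three usual causes of
# "TLS accept failure error=-1" when slapd runs with -F slapd.d (cn=config).
# Assumed: ldapsearch and openssl on PATH, root access via ldapi:///, slapd user "ldap".

# 0 if the LDIF on stdin (ldapsearch output for cn=config) contains olcTLSCertificateFile.
has_olc_tls() {
    grep -qi '^olcTLSCertificateFile:'
}

# 0 if the public key inside the certificate equals the one derived from the private key.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# LDIF that moves the slapd.conf TLS directives into cn=config. All three go in one
# modify operation, because certificate and key are checked against each other on apply.
tls_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$1"
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$2"
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$3"
}

# Usage: check_slapd_tls CA_FILE CERT_FILE KEY_FILE [slapd_user]
check_slapd_tls() {
    ca=$1; cert=$2; key=$3; user=${4:-ldap}
    if ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcTLSCertificateFile \
            | has_olc_tls; then
        echo "ok: cn=config carries olcTLSCertificateFile"
    else
        echo "problem: no olcTLS* attributes in cn=config; slapd -F ignores slapd.conf. Apply with:"
        echo "  ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF"; tls_ldif "$ca" "$cert" "$key"; echo "EOF"
    fi
    if cert_key_match "$cert" "$key"; then
        echo "ok: certificate and key match"
    else
        echo "problem: $cert does not belong to $key"
    fi
    # slapd opens the key as its service user, so root-only permissions also break the handshake.
    if su -s /bin/sh -c "test -r '$key'" "$user"; then
        echo "ok: $key readable by $user"
    else
        echo "problem: $key not readable by $user"
    fi
}

if [ $# -eq 3 ] || [ $# -eq 4 ]; then check_slapd_tls "$@"; fi
```

Run it as root with the three paths from the slapd.conf snippet; each "problem:" line names a cause that would explain the "no peer certificate available" seen from openssl s_client.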