1

somehow I am unable to configure slapd to enable ldaps support on Debian Lenny. It looks like OpenLDAP is compiled with GnuTLS instead of OpenSSL which could be part of the problem.

I've added the following options to slapd.conf:

TLSCipherSuite TLS_RSA_AES_256_CBC_SHA
TLSCertificateFile /etc/ssl/certs/myhost.pem
TLSCACertificatePath /etc/ssl/certs/ 
TLSCertificateKeyFile /etc/ssl/private/myhost.pem
TLSVerifyClient never

and the following to ldap.conf:

URI         ldap:/// ldaps:///
TLS_REQCERT never

The following error appears in the logs if I try to start slapd:

main: TLS init def ctx failed: -64

Could it be that the certificate, which has been generated by openssl, cannot be read by GnuTLS?

Has anyone of you configured OpenLDAP on Debian with ldaps support? If yes, any hints on how to get it to work would be very appreciated.

Thanks.

EDIT: found a working TLSCipherSuite.

Haes
  • 123
  • 1
  • 7

3 Answers3

3

The cipher names between Openssl and GnuTLS are not the same.

Example GnuTLS cipher:

slapd.conf:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA

To get a list of GnuTLS cipher names:

$ gnutls-cli -l

And make sure that the "cert" files are readable and owned by the openldap user. You could also add the openldap user to the ssl-cert group.

rkthkr
  • 8,618
  • 28
  • 38
1

Problem solved.

The server key could only be read by root and group 'ssl-cert'. Therefore I added the user 'openldap' to the group 'ssl-cert' but somehow slapd couldn't read the server key anyway. I now copied the key and changed its ownership to 'openldap' and now it works.

Haes
  • 123
  • 1
  • 7
1

this could also be due to gnutls dropping support for md2 and md5 algorithms. see the release notes for gnutls on lenny.