[Techtalk] debian slapd and gnutls

Maria McKinley maria at shadlen.org
Wed Apr 1 08:49:02 UTC 2009

Linda de Boer wrote:
> Maria McKinley wrote:
>> I have been trying to get ldap to work with tls for a while, and have 
>> been having a hard time. When I have the certificate info in slapd.conf, 
>> slapd refuses to start, giving me the error:
>> main: TLS init def ctx failed: -1

Sorry, a little slow getting back on this.

> G'day
> The following is a "hitlist" I used to give one fellow working on 
> Samba/LDAP servers to help debug tls. Usually one of them gave us a good 
> hint as to what was going on. Hopefully this will help.
> netstat -a |grep LISTEN
>      - if you see both port 389 (ldap) as well as port 636 (ldaps) it
>        is running.

Not using ldaps, just trying to use tls over ldap. When ldap is running, 
it is listening on port 389 as expected.

> openssl s_client -connect localhost:636 -showcerts
>      - basically tests the ssl connection and certs

test:~# openssl s_client -connect localhost:389 -showcerts
13751:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 

doesn't work on 636, since I'm not running ldaps. I've tried searching 
on this error message, but haven't found anything that is helpful.

> getent passwd - should show you both the /etc/passwd and ldap users if
>                  everything is running okay.

Works as expected.

> - To start the ldap logging, which uses the syslog facility. Add the
> following line to /etc/syslog.conf. Put in a comment for future ref.
> # LDAP logging entry
> local4.*     /var/log/ldap.log
> slapd -f slapd.conf -d2047 -h "ldap:/// ldaps:///"
> ldapsearch -H ldaps://localhost -b "cn=DavidB,dc=hudson,dc=com" 
> "(objectclass=*)"
Increased logging doesn't seem to give more relevant info, but I have 
published the messages, just in case:


> # only if using ssl
> openssl s_client -connect localhost:636 -state -CAfile 
> /etc/pki/tls/certs/openldap/ca-bundle.crt | less
Same error as above.

test:~# openssl s_client -connect localhost:389 -state -CAfile 
/etc/ssl/certs/ca-certificates.crt | less
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
13762:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 

> ldapsearch -Z -v -x  -h localhost -b 
> "dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub  "objectclass=*"

ldap_initialize( ldap://localhost )
ldap_start_tls: Protocol error (2)
Not surprising, since tls isn't starting...

> # simple search
> - The ldapsearch "-x" option selects "simple bind"; LDAP v2 does 
> not support SASL. You need to use a simple bind with TLS or IPSEC 
> in place for security.
> #The following command will display everything in the LDAP directory 
> currently.
> ldapsearch -v -x  -h localhost  -b 
> "dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub  "objectclass=*"
> ldapsearch -v -x  -h localhost  -D 
> "cn=Manager,dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub  "objectclass=*" -W

I tried re-creating the certificates with the certtools from gnutls, but 
still no love. It is so frustrating. There are no instructions for ldap 
with gnutls, googling just provides a bunch of bug reports, and another 
person complaining: 


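Added example, not part of the original thread: it shows why `openssl s_client -connect localhost:389` fails with a handshake error (port 389 expects an LDAP PDU first, not a TLS ClientHello) and what `ldapsearch -Z` actually does before any TLS begins. It encodes the StartTLS ExtendedRequest (RFC 4511 section 4.14), decodes the server's ExtendedResponse, and only wraps the socket in TLS after a success result. The `starttls_probe` function and the sample reply bytes are constructed for illustration; the OID is the real StartTLS OID.

```python
import socket, ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 sec. 4.14

def _tlv(tag, body):
    """BER tag-length-value (short or long definite length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                              # long definite length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext)

def parse_extended_response(msg):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = _read_tlv(msg)
    _, _mid, pos = _read_tlv(body)            # messageID, not needed here
    rtag, resp, _ = _read_tlv(body, pos)
    if tag != 0x30 or rtag != 0x78:
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = _read_tlv(resp)            # resultCode ENUMERATED
    _, _dn, pos = _read_tlv(resp, pos)        # matchedDN
    _, diag, _ = _read_tlv(resp, pos)         # diagnosticMessage
    return code[0], diag.decode("utf-8", "replace")

def starttls_probe(host, port=389, cafile=None):
    """Send StartTLS; on success (0) finish the TLS handshake and return the peer cert."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:                         # e.g. 2 = protocolError, as seen in the thread
            return {"result_code": code, "diagnostic": diag}
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed server reply: resultCode 2 (protocolError), empty matchedDN, a diagnostic string.
SAMPLE_PROTOCOL_ERROR = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78,
    _tlv(0x0A, b"\x02") + _tlv(0x04, b"") + _tlv(0x04, b"constructed diagnostic")))
```

Calling `starttls_probe("localhost")` against a slapd whose TLS setup is broken returns the non-zero result code and the server's diagnostic instead of the bare "Protocol error (2)" that ldapsearch prints.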