[Techtalk] debian slapd and gnutls

Maria McKinley maria at shadlen.org
Wed Apr 1 08:49:02 UTC 2009


Linda de Boer wrote:
> Maria McKinley wrote:
>> I have been trying to get ldap to work with tls for a while, and have 
>> been having a hard time. When I have the certificate info in slapd.conf, 
>> slapd refuses to start, giving me the error:
>>
>> main: TLS init def ctx failed: -1
>>
<snipped>

Sorry, a little slow getting back on this.

>>
> G'day
> 
> The following is a "hitlist" I used to give one fellow working on 
> Samba/LDAP servers to help debug tls. Usually one of them gave us a good 
> hint as to what was going on. Hopefully this will help.
> 
> 
> netstat -a |grep LISTEN
>      - if you see both port 389 (ldap) as well as port 636 (ldaps) it
>        is running.
> 

Not using ldaps, just trying to use TLS over LDAP. When ldap is running, 
it is listening on port 389 as expected.

> openssl s_client -connect localhost:636 -showcerts
>      - basically tests the ssl connection and certs
> 

test:~# openssl s_client -connect localhost:389 -showcerts
CONNECTED(00000003)
13751:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

doesn't work on 636, since I'm not running ldaps. I've tried searching 
on this error message, but haven't found anything that is helpful.

> 
> getent passwd - should show you both the /etc/passwd and ldap users if
>                  everything is running okay.
> 

works as expected

> - To start the ldap logging, which uses the syslog facility. Add the
> following line to /etc/syslog.conf. Put in a comment for future ref.
> 
> # LDAP logging entry
> local4.*     /var/log/ldap.log
> slapd -f slapd.conf -d2047 -h "ldap:/// ldaps:///"
> ldapsearch -H ldaps://localhost -b "cn=DavidB,dc=hudson,dc=com" "(objectclass=*)"
> 
increased logging doesn't seem to give more relevant info, but have 
published the messages, just in case:

http://www.shadlen.org/~maria/pmwiki/Work/Error-log

> # only if using ssl
> openssl s_client -connect localhost:636 -state -CAfile /etc/pki/tls/certs/openldap/ca-bundle.crt | less
> 
same error as above.

test:~# openssl s_client -connect localhost:389 -state -CAfile /etc/ssl/certs/ca-certificates.crt | less
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
13762:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

> ldapsearch -Z -v -x -h localhost -b "dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub "objectclass=*"

ldap_initialize( ldap://localhost )
ldap_start_tls: Protocol error (2)
not surprising since tls isn't starting...

> 
> 
> # simple search
> - use of the ldapsearch "-x" option is to use "simple bind"; LDAP v2 does 
> not support SASL. You need to
>   use a simple bind with TLS or IPSEC in place for security.
> #The following command will display everything in the LDAP directory 
> currently.
> ldapsearch -v -x -h localhost -b "dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub "objectclass=*"
> ldapsearch -v -x -h localhost -D "cn=Manager,dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub "objectclass=*" -W
> 
> 

I tried re-creating the certificates with the certtools from gnutls, but 
still no love. It is so frustrating. There are no instructions for ldap 
with gnutls, googling just provides a bunch of bug reports, and another 
person complaining: 
http://rustykruffle.com/tech-stuff/ubuntu/ultimate-home-server-ldap-gnutls-nightmare/

blah,
maria
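The openssl s_client probes against port 389 in this thread fail at the handshake because slapd on 389 speaks plain LDAP until the client sends the StartTLS extended operation; the raw probe never gets that far, whatever the certificate configuration. The following is an added Python example (not from the thread) that performs the StartTLS step itself and only then attempts a verified TLS handshake on the same socket, so a refusal at the LDAP layer (result code 2, the "Protocol error (2)" that ldapsearch -Z printed above) can be told apart from a TLS handshake that actually fails. Host, port and CA file are parameters; the two sample responses are constructed, not captured from a server.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAPv3 StartTLS extended operation (RFC 4511 s.4.14)

def tlv(tag, value):
    """BER tag-length-value; short-form length is enough for the tiny StartTLS PDU built here."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = read_tlv(data)
    _, _msg_id, pos = read_tlv(msg)
    op, result, _ = read_tlv(msg, pos)
    if tag != 0x30 or op != 0x78:
        raise ValueError("not an LDAP ExtendedResponse (tags 0x%02x/0x%02x)" % (tag, op))
    _, code, pos = read_tlv(result)              # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(result, pos)  # matchedDN
    _, diag, _ = read_tlv(result, pos)           # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe_starttls(host, port=389, cafile=None, timeout=5.0):
    """Send StartTLS on an LDAP port, then run a verified TLS handshake on the same socket.
    Returns (resultCode, diagnostic, TLS version or None): resultCode 2 (protocolError)
    means slapd refused StartTLS; an ssl.SSLError means the TLS handshake itself failed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))  # single small PDU expected
        if code != 0:
            return code, diag, None
        ctx = ssl.create_default_context(cafile=cafile)  # system CA store unless cafile given
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return code, diag, tls.version()

# Constructed sample responses (not captured from a real slapd): a success, and the
# protocolError (2) that ldapsearch -Z surfaces as "ldap_start_tls: Protocol error (2)".
SAMPLE_SUCCESS = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_PROTOCOL_ERROR = bytes.fromhex("3020020101781b0a01020400") + b"\x04\x14StartTLS not enabled"
```

Run it against a test server with `probe_starttls("localhost", cafile="/etc/ssl/certs/ca-certificates.crt")`: a `(2, ..., None)` result points at slapd's TLS configuration (it never offers StartTLS), while an `ssl.SSLError` after a `0` result points at the certificate chain or the CA file.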

