[Techtalk] debian slapd and gnutls
Maria McKinley
maria at shadlen.org
Wed Apr 1 08:49:02 UTC 2009
Linda de Boer wrote:
> Maria McKinley wrote:
>> I have been trying to get ldap to work with tls for a while, and have
>> been having a hard time. When I have the certificate info in slapd.conf,
>> slapd refuses to start, giving me the error:
>>
>> main: TLS init def ctx failed: -1
>>
<snipped>
Sorry, a little slow getting back on this.
>>
> G'day
>
> The following is a "hitlist" I used to give one fellow working on
> Samba/LDAP servers to help debug tls. Usually one of them gave us a good
> hint as to what was going on. Hopefully this will help.
>
>
> netstat -a |grep LISTEN
> - if you see both port 389 (ldap) as well as port 636 (ldaps) it
> is running.
>
Not using ldaps, just trying to use tls over ldap. When ldap is running,
it is listening on port 389 as expected.
> openssl s_client -connect localhost:636 -showcerts
> - basically tests the ssl connection and certs
>
test:~# openssl s_client -connect localhost:389 -showcerts
CONNECTED(00000003)
13751:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
Doesn't work on 636, since I'm not running ldaps. I've tried searching
on this error message, but haven't found anything that is helpful.
>
> getent passwd - should show you both the /etc/passwd and ldap users if
> everything is running okay.
>
Works as expected.
> - To start the ldap logging, which uses the syslog facility. Add the
> following line to /etc/syslog.conf. Put in a comment for future ref.
>
> # LDAP logging entry
> local4.* /var/log/ldap.log
> slapd -f slapd.conf -d2047 -h "ldap:/// ldaps:///"
> ldapsearch -H ldaps://localhost -b "cn=DavidB,dc=hudson,dc=com"
> "(objectclass=*)"
>
increased logging doesn't seem to give more relevant info, but have
published the messages, just in case:
http://www.shadlen.org/~maria/pmwiki/Work/Error-log
> # only if using ssl
> openssl s_client -connect localhost:636 -state -CAfile
> /etc/pki/tls/certs/openldap/ca-bundle.crt | less
>
Same error as above.
test:~# openssl s_client -connect localhost:389 -state -CAfile
/etc/ssl/certs/ca-certificates.crt | less
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
13762:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
> ldapsearch -Z -v -x -h localhost -b
> "dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub "objectclass=*
> "
ldap_initialize( ldap://localhost )
ldap_start_tls: Protocol error (2)
Not surprising since tls isn't starting...
>
>
> # simple search
> - use of the ldapsearch "-x" option is to use "simple bind" LDAP v2 does
> not support SASL. You need to
> use a simple bind with TLS or IPSEC in place for security.
> #The following command will display everything in the LDAP directory
> currently.
> ldapsearch -v -x -h localhost -b
> "dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub "objectclass=*"
> ldapsearch -v -x -h localhost -D
> "cn=Manager,dc=ldapsrv,dc=in,dc=localdomain,dc=local" -s sub "obje
> ctclass=*" -W
>
>
I tried re-creating the certificates with the certtools from gnutls, but
still no love. It is so frustrating. There are no instructions for ldap
with gnutls, googling just provides a bunch of bug reports, and another
person complaining:
http://rustykruffle.com/tech-stuff/ubuntu/ultimate-home-server-ldap-gnutls-nightmare/
blah,
maria
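The two failures in the thread fit together once the wire exchange on port 389 is spelled out: a client on 389 must first send a plaintext LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14) and only after a resultCode 0 reply does the TLS handshake begin, so pointing a raw TLS client such as `openssl s_client -connect localhost:389` at that port can only end in "ssl handshake failure", while `ldapsearch -Z` gets as far as the server's answer and prints its resultCode (2 is protocolError in RFC 4511). The following probe, an added example and not code from the thread or from OpenLDAP, performs that exchange by hand so the LDAP-level refusal can be seen separately from any certificate problem. The hostname argument, the `build_starttls_response` helper and its sample diagnostic text are constructed for offline use; the encoder and decoder follow the ASN.1 in RFC 4511.

```python
"""Probe LDAP StartTLS on port 389 by hand (added diagnostic example).

Port 389 carries plaintext LDAP first: TLS only begins after the server
answers a StartTLS ExtendedRequest with resultCode 0.  A raw TLS client
pointed at 389 therefore fails inside the handshake, and ldapsearch -Z
reports whatever resultCode the server returned (2 = protocolError).
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14

# Subset of RFC 4511 resultCode names a StartTLS probe is likely to meet.
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                52: "unavailable", 53: "unwillingToPerform"}


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = _tlv(0x80, STARTTLS_OID)        # context-specific [0], primitive
    extended_req = _tlv(0x77, request_name)        # APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + extended_req)


def build_starttls_response(msg_id, result_code, diagnostic=""):
    """Constructed server reply for offline use; same layout as a real ExtendedResponse."""
    result = (_tlv(0x0A, bytes([result_code]))     # resultCode ENUMERATED
              + _tlv(0x04, b"")                    # matchedDN (empty)
              + _tlv(0x04, diagnostic.encode()))   # diagnosticMessage
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x78, result))  # APPLICATION 24


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(data):
    """Return message id, result code and diagnostic text from an ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)                 # resultCode
    _, _matched, pos = _read_tlv(op, pos)           # matchedDN, unused here
    _, diag, _ = _read_tlv(op, pos)                 # diagnosticMessage
    result_code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": result_code,
            "result_name": RESULT_NAMES.get(result_code, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def _recv_ldap_message(sock):
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:                               # long-form length
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def probe_starttls(host, port=389, timeout=5.0):
    """Send StartTLS in the clear; only on resultCode 0 run the TLS handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        reply = parse_starttls_response(_recv_ldap_message(sock))
        if reply["result_code"] != 0:
            return reply                            # server refused StartTLS; no TLS attempted
        ctx = ssl.create_default_context()          # system CA store, hostname check on
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            reply["tls_version"] = tls.version()
            reply["peer_subject"] = tls.getpeercert().get("subject")
        return reply


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # hostname is an assumption
    print(probe_starttls(target))
```

Run it as `python3 probe.py localhost`: a server whose TLS context never initialised (the `TLS init def ctx failed` case) answers the plaintext request with a non-zero resultCode and the script stops there, which isolates the slapd-side problem from anything in the CA bundle; a server that answers 0 but then fails inside `wrap_socket` has a certificate or trust problem instead, and that is the case where `-CAfile` experiments are worth the time.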