Quanah Gibson-Mount wrote:
> Have you verified whether or not you can connect using LDAPS via the command line tools? (ldapsearch, ldapwhoami, etc.)

Yes I did:

        $ ldapsearch -H ldaps://localhost:636/ -X cn=admin
        ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

The relevant line in /etc/default/slapd:
        SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:///"

And the relevant lines in /etc/ldap/slapd.conf:
        TLSCertificateFile /etc/ssl/private/mykey.crt
        TLSCertificateKeyFile /etc/ssl/private/mykey.key

        # original cipher suite string
        #TLSCipherSuite HIGH:-SSLv2:-RSA
        # cipher suite string as used before with OpenSSL
        #TLSCipherSuite HIGH:MEDIUM:-SSLv2
        # all cipher suites as currently supported by gnutls,
        # constructed using command:
        #   gnutls-cli -l | grep -E "^TLS" | cut -d\  -f1 | xargs echo
TLSCipherSuite TLS_ANON_DH_ARCFOUR_MD5 TLS_ANON_DH_3DES_EDE_CBC_SHA1 TLS_ANON_DH_AES_128_CBC_SHA1 TLS_ANON_DH_AES_256_CBC_SHA1 TLS_PSK_SHA_ARCFOUR_SHA1 TLS_PSK_SHA_3DES_EDE_CBC_SHA1 TLS_PSK_SHA_AES_128_CBC_SHA1 TLS_PSK_SHA_AES_256_CBC_SHA1 TLS_DHE_PSK_SHA_ARCFOUR_SHA1 TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 TLS_SRP_SHA_3DES_EDE_CBC_SHA1 TLS_SRP_SHA_AES_128_CBC_SHA1 TLS_SRP_SHA_AES_256_CBC_SHA1 TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 TLS_DHE_DSS_ARCFOUR_SHA1 TLS_DHE_DSS_3DES_EDE_CBC_SHA1 TLS_DHE_DSS_AES_128_CBC_SHA1 TLS_DHE_DSS_AES_256_CBC_SHA1 TLS_DHE_RSA_3DES_EDE_CBC_SHA1 TLS_DHE_RSA_AES_128_CBC_SHA1 TLS_DHE_RSA_AES_256_CBC_SHA1 TLS_RSA_NULL_MD5 TLS_RSA_EXPORT_ARCFOUR_40_MD5 TLS_RSA_ARCFOUR_SHA1 TLS_RSA_ARCFOUR_MD5 TLS_RSA_3DES_EDE_CBC_SHA1 TLS_RSA_AES_128_CBC_SHA1 TLS_RSA_AES_256_CBC_SHA1


Before, using OpenSSL, everything worked perfectly. Now, LDAPS is
completely broken.

Regards,

Timo
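
The TLSCipherSuite line in the message above enables every suite GnuTLS lists, including anonymous-DH, NULL, export-grade and ARCFOUR entries. As an added example (not part of the original post, and not a diagnosis of the connection failure), this script audits the active directive of a slapd.conf and prints it with the flagged suites removed. The function names, the flagged categories and the shortened sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the active TLSCipherSuite directive of a slapd.conf.
# The flagged categories below are this example's own policy (an assumption).

# Constructed sample: a shortened form of the configuration quoted above.
SAMPLE_CONF='        # cipher suite string as used before with OpenSSL
        #TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCipherSuite TLS_ANON_DH_AES_128_CBC_SHA1 TLS_DHE_RSA_AES_256_CBC_SHA1 TLS_RSA_NULL_MD5 TLS_RSA_EXPORT_ARCFOUR_40_MD5 TLS_RSA_ARCFOUR_SHA1 TLS_RSA_AES_128_CBC_SHA1'

# Print one suite name per line from uncommented TLSCipherSuite lines on stdin.
active_suites() {
    awk '$1 == "TLSCipherSuite" { for (i = 2; i <= NF; i++) print $i }'
}

# Print why a suite name is flagged, or "ok". First matching rule wins.
classify_suite() {
    case "$1" in
        *_ANON_*)   echo "no-authentication" ;;  # anonymous DH: peer not verified
        *_NULL_*)   echo "no-encryption" ;;      # integrity only, plaintext data
        *_EXPORT_*) echo "export-grade" ;;       # 40-bit key
        *ARCFOUR*)  echo "rc4" ;;                # RC4 stream cipher
        *_MD5)      echo "md5-mac" ;;
        *)          echo "ok" ;;
    esac
}

# Read slapd.conf text on stdin; print "<reason><TAB><suite>" per flagged suite.
audit_ciphersuites() {
    active_suites | while read -r suite; do
        reason=$(classify_suite "$suite")
        [ "$reason" = "ok" ] || printf '%s\t%s\n' "$reason" "$suite"
    done
}

# Read slapd.conf text on stdin; print the directive with flagged suites removed.
filtered_directive() {
    kept=""
    for suite in $(active_suites); do
        if [ "$(classify_suite "$suite")" = "ok" ]; then kept="$kept $suite"; fi
    done
    echo "TLSCipherSuite$kept"
}

printf '%s\n' "$SAMPLE_CONF" | audit_ciphersuites
```

Against a real file, run `audit_ciphersuites < /etc/ldap/slapd.conf`; commented-out directives are ignored.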



