Thanks Rosenberg for your suggestions. The issue was with the wrong path mentioned for the certificate files. Even without commenting out the TLSCipherSuite HIGH:MEDIUM:+SSLv2 line, I could start slapd.
-----Original Message-----
From: E.S. Rosenberg [mailto:[email protected]]
Sent: Thursday, August 04, 2011 10:06 PM
To: Naga Chaitanya Palle
Cc: [email protected]
Subject: Re: TLS issue

2011/8/4 Naga Chaitanya Palle <[email protected]>:
> Hi,
>
> I am trying to configure tls for my ldap server.
> After successfully creating the below files, I try to start the ldap server
> and it fails.
>
> /etc/openldap/cacerts/cacert.pem
> /etc/openldap/cacerts/slapd-cert.pem
> /etc/openldap/cacerts/slapd-key.pem
>
> The log shows the below messages
>
> main: TLS init def ctx failed: -1
> slapd stopped.
> connections_destroy: nothing to destry.
>
> Slapd.conf
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2

Try removing this line; if I'm not mistaken it's according to openssl syntax,
while openldap is (usually) compiled against gnu-tls, which uses a different
syntax.
Also, SSLv2 is generally not considered secure, so unless you have some apps
that can't do SSLv3 or better (TLSv1 == SSLv3.1) you should turn SSLv2 off.

> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem

Are your certs self-signed or from a CA?
Did you make sure that the private key cert (and the other certs too?) are
not stored encrypted (-nodes switch in openssl)?

> database bdb
> suffix "dc=comverse-in,dc=com"
> rootdn "cn=Manager,dc=comverse-in,dc=com"
> rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr

You may want to change your password, since you have posted the hash (and
also your domain); it is now possible to start brute forcing (or use rainbow
tables on) the hash, and since the domain where this hash was used is known
(and at least the LDAP username), that is a big security leak.

Other than that, version info and debug info (as Dan asks) is always good to
provide when you have a question.

Regards,
Eli

> /etc/openldap/ldap.conf
> BASE dc=comverse-in,dc=com
> URI ldaps://devonly144.comverse-in.com
>
> TLS_CACERT /etc/openldap/cacerts/cacert.pem
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
>
> /etc/ldap.conf
> base dc=comverse-in,dc=com
> uri ldaps://devonly144.comverse-in.com
> ssl on
>
> Thanks and Regards,
> Naga chaitanya
>
> ===============================================================================
> Please refer to http://www.aricent.com/legal/email_disclaimer.html
> for important disclosures regarding this electronic communication.
> ===============================================================================
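The thread above boils down to three things worth checking before starting slapd: that every path in the TLS* directives actually exists and is readable (the real cause here), that the private key is not passphrase-protected (Eli's -nodes point), and that the cipher string does not still admit SSLv2. The following pre-flight script is an added example written for this post; it is not OpenLDAP project code. It builds its own scratch copy of a slapd.conf with placeholder PEM files (the PEM bodies are constructed stand-ins, not real certificates) and deliberately points the key directive at a wrong directory, mirroring the mistake in the thread. The optional cert/key match check shells out to openssl only when it is installed.

```shell
#!/bin/sh
# Pre-flight checks for the TLS directives in slapd.conf (added example for
# this thread, not from the OpenLDAP project). Assumes a slapd.conf-style file
# with one "Directive value" per line.

# Print the value of one slapd.conf directive (first match, case-insensitive).
conf_value() {          # conf_value FILE DIRECTIVE
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Return 0 only if every TLS file named in the config exists and is readable.
# A missing path here is what produced "TLS init def ctx failed: -1" above.
check_tls_files() {     # check_tls_files CONF
    rc=0
    for d in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        p=$(conf_value "$1" "$d")
        if [ -z "$p" ]; then
            echo "WARN: $d not set in $1"; continue
        fi
        if [ ! -r "$p" ]; then
            echo "FAIL: $d -> $p is missing or unreadable"; rc=1
        fi
    done
    return $rc
}

# Return 0 if a PEM private key carries an encryption header; slapd cannot
# prompt for a passphrase at startup, so such a key has to be regenerated
# with -nodes or have the passphrase stripped.
key_is_encrypted() {    # key_is_encrypted KEYFILE
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Return 0 (and warn) if the cipher string still names SSLv2 in either the
# OpenSSL or the GnuTLS spelling.
ciphersuite_allows_sslv2() {   # ciphersuite_allows_sslv2 CONF
    cs=$(conf_value "$1" TLSCipherSuite)
    case "$cs" in
        *SSLv2*|*SSL2*|*VERS-SSL2*)
            echo "WARN: TLSCipherSuite '$cs' enables SSLv2"; return 0 ;;
    esac
    return 1
}

# Optional: confirm the certificate and key belong together by comparing
# their public keys. Only meaningful with real PEM files and openssl present.
cert_matches_key() {    # cert_matches_key CERT KEY
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build a constructed sample: placeholder PEM files plus a slapd.conf whose
# key path points at a directory that does not exist ("certs" vs "cacerts").
make_sample() {         # make_sample DIR
    dir=$1
    mkdir -p "$dir/cacerts"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$dir/cacerts/cacert.pem"
    cp "$dir/cacerts/cacert.pem" "$dir/cacerts/slapd-cert.pem"
    # Key as "openssl ... -nodes" would leave it: no encryption header.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$dir/cacerts/slapd-key.pem"
    # Passphrase-protected variant for comparison.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$dir/cacerts/slapd-key-enc.pem"
    cat > "$dir/slapd.conf" <<EOF
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile $dir/cacerts/cacert.pem
TLSCertificateFile $dir/cacerts/slapd-cert.pem
TLSCertificateKeyFile $dir/certs/slapd-key.pem
EOF
}

# Walk-through on the constructed sample.
T=$(mktemp -d)
make_sample "$T"
if check_tls_files "$T/slapd.conf"; then echo "TLS file paths OK"; fi
if key_is_encrypted "$T/cacerts/slapd-key-enc.pem"; then
    echo "WARN: slapd-key-enc.pem is passphrase-protected"
fi
ciphersuite_allows_sslv2 "$T/slapd.conf" || true
rm -rf "$T"
```

Against a real installation, source the file and call `check_tls_files /etc/openldap/slapd.conf`, then `cert_matches_key` on the two paths it reports. If `ldd $(command -v slapd)` shows libgnutls rather than libssl, remember Eli's point: TLSCipherSuite must then be a GnuTLS priority string, not an OpenSSL cipher list.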
