Are you sure that the problem is not related to something as simple as file permissions on the private key for the server certificate? Because that was the cause the last time I had problems with openldap and certificates. gnutls doesn't support the TLS_CACERTDIR option, that is, setting TLSCACertificatePath in slapd.conf. That means that CA certificates must reside in a single file. update-ca-certificates can create that file for you. As far as I know that is the main difference between using one or the other. Try stopping slapd, put the certificate information in the config file, and start slapd manually with debugging: "slapd -u openldap -g openldap -h ldapi:/// -d255". Are there more indicative error messages?
gp

On Fri, Mar 27, 2009 at 1:56 AM, Maria McKinley <ma...@shadlen.org> wrote:
> I have been trying to get ldap to work with tls for a while, and have been
> having a hard time. When I have the certificate info in slapd.conf, slapd
> refuses to start, giving me the error:
>
> main: TLS init def ctx failed: -1
>
> With the certificate lines commented out, slapd starts with no problem, of
> course. I've done a bunch of poking about, and the problem seems to be
> related to the change in the way slapd is built in debian. With Lenny,
> debian slapd is built with libgnutls instead of openssl. Unfortunately, all
> of the instructions I can find for setting up certificates for debian slapd
> use openssl. How do I get certificates made with openssl to work with slapd
> now that it is built with libgnutls, or is there another way to make
> certificates now? And how do I verify that my certificates are built
> correctly using libgnutls? It seems to be set up correctly, but I'm not sure
> how to test the certificates themselves:
>
> test:/etc/ssl/certs# gnutls-cli -l :High
> Cipher suites:
> TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0
> TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0
> TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0
> TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0
> TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x00, 0x46 TLS1.0
> TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x00, 0x89 TLS1.0
> TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0
> TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0
> TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0
> TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0
> TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0
> TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0
> TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0
> TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0
> TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0
> TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0
> TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0
> TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0
> TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0
> TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0
> TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0
> TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0
> TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0
> TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0
> TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0
> TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0
> TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0
> TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 TLS1.0
> TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 TLS1.0
> TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0
> TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0
> TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0
> TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 TLS1.0
> TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 TLS1.0
> TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0
> TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0
> TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0
> TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0
> TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0
> TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
> TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
> TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 TLS1.0
> TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 TLS1.0
> Certificate types: X.509, OPENPGP
> Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
> Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128,
> ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
> MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL
> Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS,
> SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
> Compression: DEFLATE, NULL
>
>
> Thank you,
> maria
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject
> of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
>
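The reply above boils down to two pre-flight checks before starting slapd with `-d255`: a GnuTLS-built slapd needs the CA chain in one file (`TLSCACertificateFile`, not `TLSCACertificatePath`), and the private key must be readable by the service user but not by everyone. The script below, an added example that is not part of the thread and not OpenLDAP's own tooling, reads those directives out of a `slapd.conf` and reports both problems. It assumes a POSIX `ls -l` permission string, a service user named `openldap` (overridable as the second argument), and that Debian's `update-ca-certificates` writes `/etc/ssl/certs/ca-certificates.crt`.

```shell
#!/bin/sh
# Added example: sanity-check the TLS directives in a slapd.conf before
# starting slapd manually. Not part of the mailing-list thread.

# conf_value CONF DIRECTIVE: print the first value of DIRECTIVE
# (slapd.conf directive names are matched case-insensitively).
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_file LABEL PATH: warn if PATH is unset or missing; return 1 on a problem.
check_file() {
    if [ -z "$2" ]; then
        echo "WARN: $1 is not set"
        return 1
    elif [ ! -f "$2" ]; then
        echo "WARN: $1 $2 does not exist"
        return 1
    fi
    return 0
}

# check_slapd_tls_conf CONF [USER]
# Prints one WARN line per finding and returns the number of findings.
check_slapd_tls_conf() {
    conf=$1
    user=${2:-openldap}   # assumed service user, as in "slapd -u openldap"
    problems=0

    cadir=$(conf_value "$conf" TLSCACertificatePath)
    cafile=$(conf_value "$conf" TLSCACertificateFile)
    cert=$(conf_value "$conf" TLSCertificateFile)
    key=$(conf_value "$conf" TLSCertificateKeyFile)

    # A GnuTLS build ignores the directory form: the CA chain must be one file.
    if [ -n "$cadir" ]; then
        echo "WARN: TLSCACertificatePath is not honoured by GnuTLS builds; use TLSCACertificateFile"
        problems=$((problems + 1))
    fi
    # update-ca-certificates produces a single bundle usable as TLSCACertificateFile.
    check_file TLSCACertificateFile "$cafile" || problems=$((problems + 1))
    check_file TLSCertificateFile "$cert" || problems=$((problems + 1))

    if check_file TLSCertificateKeyFile "$key"; then
        perms=$(ls -ld "$key" | cut -c1-10)          # e.g. -rw-------
        owner=$(ls -ld "$key" | awk '{print $3}')
        # Position 8 of the permission string is the "other" read bit.
        case $perms in
            ???????r??)
                echo "WARN: private key $key is world-readable"
                problems=$((problems + 1)) ;;
        esac
        # If the service user does not own the key, it needs the group read bit
        # (position 5); otherwise slapd running as $user cannot open it.
        if [ "$owner" != "$user" ]; then
            case $perms in
                ????r?????) : ;;
                *) echo "WARN: $key is owned by $owner and not group-readable; slapd as $user cannot read it"
                   problems=$((problems + 1)) ;;
            esac
        fi
    else
        problems=$((problems + 1))
    fi

    return $problems
}

# Stand-alone use: sh check-slapd-tls.sh /etc/ldap/slapd.conf [openldap]
if [ $# -gt 0 ]; then
    check_slapd_tls_conf "$@"
fi
```

Run it against the real `slapd.conf` as root (the key is normally unreadable to anyone else); a zero exit means the directives point at existing files with sane ownership, and anything still reported by `slapd -d255` is then about the certificate contents rather than the paths around them.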