Re: slapd + TLS Problem.

Sun, 14 Jun 2009 19:51:13 -0700 

Alessandro Baggi wrote:
<div class="moz-text-flowed" style="font-family: -moz-fixed">Hi there. I've problem setting up SLAPD + TLS and libnss-ldap. When I try to get the passwd entry with getent passwd I get the following error: 

TLS: can't accept: A record packet with illegal version was received..
connection_read(13): TLS accept failure error=-1 id=18, closing


This is a certificate problem or libnss-ldap configuration problem? I've 
also tested slapd and tls with gnutls-cli and openssl s_client and they 
complete test successfully. I've also tested my certificate with openssl 
verify, and also this test has been completed successfully. My 
nsswitch.conf is configured with files and ldap.


Then, i've created my certificate with the following command:


# /usr/lib/ssl/misc/CA.pl -newca                   /* to create the ca 
certificate and key*/



# openssl req -newkey rsa:1024 -nodes -keyout key.pem -out 
newreq.pem                 /*for server/client certificate building and 
sing*/

# /usr/lib/ssl/misc/CA.pl -sign


There's something that is wrong in certificate creation?

This is my libnss-ldap.conf configuration (only TLS and port parameters ):

uri ldap://PDC
port 389
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/certlibnss/cacert.cert
tls_ciphers TLSv1
tls_cert /etc/certlibnss/nsscert.pem
tls_key /etc/certlibnss/nsskey.pem


Openldap Util work fine with slapd and TLS but on ldaps port (636).
This is a bug or a mismatch configuration?


Thanks in advance.
</div>



I'm afraid this is not much help, but wanted to let you know you are not 
alone. I struggled with problems with slapd and tls with lenny for quite 
some time, and I finally decided that tls with openldap in debian is 
still buggy, and gave up, planning on trying again in a month or so. It 
seems the problem is something to do with debian switching from openssl 
to guntls-cli, as things worked fine when debian was still using 
openssl. With luck though, we both have something trivially wrong with 
our configs, and someone else will chime in with an actual solution...


cheers,
maria


--

To UNSUBSCRIBE, email to [email protected] 
with a subject of "unsubscribe". Trouble? Contact [email protected]
























					Reply via email to