Certificates - openLDAP on Debian?

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Dec 23 17:24:20 UTC 2011


Hi pal,

I have been trying to enable ldaps on openLDAP running on Debian and
it's proving impossible because openLDAP is compiled against gnutls and
it apparently does not work well with an OpenSSL-generated certificate.  I
have a wildcard certificate bought from GeoCert and I was planning to
use it, so generating a certificate using gnutls does not sound like a
viable option, since GeoCert will not reissue it.

Has someone here managed to get around this problem?  This is the
error I am getting when I try restarting openLDAP with LDAPS activated:

tionContext ) )
Dec 23 16:48:07 enigma slapd[3507]: main: TLS init def ctx failed: -1
Dec 23 16:48:07 enigma slapd[3507]: slapd destroy: freeing system resources.
Dec 23 16:48:07 enigma slapd[3507]: syncinfo_free: rid=226
Dec 23 16:48:07 enigma slapd[3507]: slapd stopped.
Dec 23 16:48:07 enigma slapd[3507]: connections_destroy: nothing to destroy.
root at enigma:~# vi /etc/ldap/slapd.d/cn\=config.ldif

The same setup on Red Hat Enterprise 6 works fine.

The pertinent configuration file looks like this:

root at enigma:~# cat /tmp/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: f8f83668-bf9d-1030-9487-37e3f5733c9d
creatorsName: cn=config
createTimestamp: 20111220213316Z
olcLogLevel: -1
olcTLSCACertificateFile: /etc/ssl/certs/GeoCert.int.pem
olcTLSCertificateFile: /etc/ssl/certs/example.pem
olcTLSCertificateKeyFile: /etc/ssl/private/example.key
entryCSN: 20111222165552.851957Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20111222165552Z


root at enigma:~# ldd /usr/sbin/slapd
	linux-vdso.so.1 =>  (0x00007fff548b9000)
	libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007fafd2eed000)
	liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007fafd2cdf000)
	libdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007fafd297c000)
	libodbc.so.1 => /usr/lib/libodbc.so.1 (0x00007fafd271b000)
	libslp.so.1 => /usr/lib/libslp.so.1 (0x00007fafd250a000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007fafd22ef000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007fafd20bb000)
	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007fafd1e19000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fafd1bdf000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x00007fafd19c6000)
	libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007fafd17bc000)
	libwrap.so.0 => /lib/libwrap.so.0 (0x00007fafd15b0000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00007fafd1393000)
	libc.so.6 => /lib/libc.so.6 (0x00007fafd1010000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x00007fafd0df5000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007fafd0bf1000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007fafd092d000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007fafd0706000)
	libcom_err.so.2 => /lib/libcom_err.so.2 (0x00007fafd0502000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007fafd02fa000)
	libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00007fafd00f6000)
	libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007fafcfee5000)
	libz.so.1 => /lib/libz.so.1 (0x00007fafcfcce000)
	libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007fafcfa55000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fafd34c9000)
	libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00007fafcf851000)


dpkg -l libgnutls26
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version            Description
+++-===============-==================-======================================
ii  libgnutls26     2.8.5-2            the GNU TLS library - runtime library



root at enigma:~# cat /etc/issue
Ubuntu 10.04.2 LTS \n \l

root at enigma:~# dpkg -l slapd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version            Description
+++-===============-==================-======================================
ii  slapd           2.4.21-0ubuntu5.6  OpenLDAP server (slapd)

Happy holidays and thanks a lot in advance

William
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
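Whatever turns out to be wrong with the certificate itself, one check worth doing before blaming GnuTLS is whether the account slapd runs as on Debian and Ubuntu (openldap, not root) can actually read the three files the olcTLS* attributes above point at: /etc/ssl/private is root:ssl-cert 0710 by default, so a key placed there is invisible to openldap unless that user is in ssl-cert. The script below is an added example, not part of this thread or of OpenLDAP itself; it pulls the paths out of a cn=config LDIF and evaluates the mode bits as a given uid and group list would see them (the uid and gids are assumptions you supply, e.g. from getent passwd openldap and id -G openldap).

```python
import os
import stat
import tempfile

# Attributes in the cn=config entry above that name files slapd has to open.
TLS_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile")

def tls_paths_from_ldif(ldif_text):
    """Return {attribute: path} for the olcTLS* file attributes of a cn=config LDIF."""
    pairs = (line.partition(":") for line in ldif_text.splitlines())
    return {a.strip(): v.strip() for a, sep, v in pairs if sep and a.strip() in TLS_ATTRS}

def _has_bit(st, uid, gids, ubit, gbit, obit):
    # Owner/group/other mode-bit check on a stat result; POSIX ACLs are ignored.
    if uid == 0:                         # root is not subject to mode bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    return bool(st.st_mode & (gbit if st.st_gid in gids else obit))

def readable_by(path, uid, gids):
    """True if uid/gids can open path: every parent dir searchable, file readable."""
    parts = os.path.abspath(path).split(os.sep)
    try:
        for i in range(1, len(parts)):   # "/", "/etc", "/etc/ssl", ... up to the parent
            d = os.sep.join(parts[:i]) or os.sep
            if not _has_bit(os.stat(d), uid, gids,
                            stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                return False
        return _has_bit(os.stat(path), uid, gids,
                        stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
    except OSError:                      # missing file or directory
        return False

def audit_tls_files(ldif_text, uid, gids):
    """Map each olcTLS* attribute to whether the service account can read its file."""
    return {a: readable_by(p, uid, gids)
            for a, p in tls_paths_from_ldif(ldif_text).items()}

def demo():
    """Constructed fixture: a 0640 key file, audited as its owner and as a stranger."""
    d = tempfile.mkdtemp()
    key = os.path.join(d, "example.key")
    with open(key, "w") as f: f.write("placeholder, not a real key\n")
    os.chmod(d, 0o755)
    os.chmod(key, 0o640)
    ldif = "dn: cn=config\nolcTLSCertificateKeyFile: %s\n" % key
    owner = audit_tls_files(ldif, os.getuid(), [os.getgid()])
    other = audit_tls_files(ldif, os.getuid() + 1, [])
    return owner["olcTLSCertificateKeyFile"], other["olcTLSCertificateKeyFile"]
```

Run it against the real file with audit_tls_files(open("/etc/ldap/slapd.d/cn=config.ldif").read(), uid, gids); any False for the key file means slapd will fail before TLS is even parsed, regardless of which TLS library it was built against.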