ldap tls refusing to initialize
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Invalid | Low | Unassigned |
Bug Description
Binary package hint: libldap-2.4-2
Trying to run a slapd server in Ubuntu 9.04, generally following the docs at: https:/
It works fine until I try and use certificates as per the section TLS and SSL on that page.
Then, if I try and start using /etc/init.d/slapd it tells me to start using the debugging flags. If I then do so with the command:
sudo slapd -d -1 -h 'ldap:/// ldapi:/// ldaps:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
At the end of copious output is:
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
This is with entries in /etc/ldap/slapd.d/cn=config.ldif like:
olcTLSCACertificateFile: /home/peter/CA/server-ca-cert.pem
olcTLSCertificateFile: /home/peter/CA/server-gnutls-cert.pem
olcTLSCertificateKeyFile: /home/peter/CA/server-gnutls-key.pem
If these entries are commented out, the server will start and work.
This occurs with a private key and certificate generated using both openssl and with the gnutls certtool.
Dependencies for slapd are:
ldd -v $(which slapd)
libslp.so.1 => /usr/lib/
libnsl.so.1 => /lib/tls/
libz.so.1 => /lib/libz.so.1 (0xb7aad000)
libdl.so.2 => /lib/tls/
libc.so.6 => /lib/tls/
Related packages installed:
gnutls-bin 2.4.2-6ubuntu0.1 gnutls26 install ok installed
gnutls-doc 2.4.2-6ubuntu0.1 gnutls26 install ok installed
ldap-utils 2.4.15-1ubuntu3 openldap install ok installed
libcurl3-gnutls 7.18.2-8ubuntu4.1 curl install ok installed
libgnutls26 2.4.2-6ubuntu0.1 gnutls26 install ok installed
libldap-2.4-2 2.4.15-1ubuntu3 openldap install ok installed
slapd 2.4.15-1ubuntu3 openldap install ok installed
It doesn't seem like this could be a problem with V1 certificates, since both the CA cert and the server cert have X.509 Certificate Information: Version: 3 (cf. https:/
Additionally they have Signature Algorithm: RSA-SHA.
I wonder if it is related to a cipher suite specification, given http://
I don't know how to get the more detailed information from TLS, I only see the 'main: TLS init def ctx failed: -1' line.
Is this another issue with the gnutls specifications? Or just something missing in the docs there for jaunty. Strikes me as a fairly important issue for ubuntu server.
Peter
Changed in openldap (Ubuntu):
status: Invalid → New
Changed in openldap (Ubuntu):
importance: Undecided → Low
On Fri, Aug 28, 2009 at 02:38:46AM -0000, PeterNSteinmetz wrote:
> At the end of copious output is:
>
> main: TLS init def ctx failed: -1
> slapd destroy: freeing system resources.
> slapd stopped.
>
> This is with entries in /etc/ldap/slapd.d/cn=config.ldif like:
>
> olcTLSCACertificateFile: /home/peter/CA/server-ca-cert.pem
> olcTLSCertificateFile: /home/peter/CA/server-gnutls-cert.pem
> olcTLSCertificateKeyFile: /home/peter/CA/server-gnutls-key.pem
>
You're using a non-standard location for your certificates. Thus the slapd apparmor profile needs to be updated.
See https://wiki.ubuntu.com/DebuggingApparmor for more information.
status invalid
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
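The failure mode in this bug is that slapd's own error ("TLS init def ctx failed: -1") says nothing about the real cause: the certificate files live outside the paths the slapd AppArmor profile allows it to read. The check below is an added illustration, not code from the bug report or from Ubuntu. It parses the olcTLS*File attributes out of a cn=config LDIF, parses the read rules out of an AppArmor profile, reports which certificate paths are not covered, and pulls the matching AppArmor denial out of kernel log lines. All inputs are constructed: the LDIF uses the reporter's paths, the profile is a shortened stand-in for /etc/apparmor.d/usr.sbin.slapd (not the real file), the log line mimics the kernel's AppArmor audit format, and the glob matcher implements only the common AppArmor wildcards (`*`, `**`, `?`, `{a,b}`).

```python
"""Check slapd's cn=config TLS file paths against its AppArmor profile.

Added illustration for the bug above; not code from the report or from Ubuntu.
Every input below is constructed for the example.
"""
import re

# Constructed cn=config excerpt using the reporter's paths, one entry commented out.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /home/peter/CA/server-ca-cert.pem
olcTLSCertificateFile: /home/peter/CA/server-gnutls-cert.pem
olcTLSCertificateKeyFile: /home/peter/CA/server-gnutls-key.pem
#olcTLSDHParamFile: /etc/ldap/dhparams.pem
olcTLSCipherSuite: NORMAL
"""

# Constructed profile excerpt; the real usr.sbin.slapd profile is longer.
SAMPLE_PROFILE = """\
/usr/sbin/slapd {
  #include <abstractions/base>
  /etc/ldap/** r,
  /etc/ssl/certs/** r,
  /var/lib/ldap/ r,
  /var/lib/ldap/** rwk,
  /usr/sbin/slapd mr,
}
"""

# Rule an admin would add (assumed, e.g. via a local override) for the reporter's directory.
LOCAL_OVERRIDE = "/home/peter/CA/* r,\n"

# Constructed kernel log lines: one unrelated, one AppArmor denial for slapd.
SAMPLE_LOG = [
    'kernel: slapd[1234]: startup message (constructed, unrelated)',
    'kernel: audit: type=1400 apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/slapd" name="/home/peter/CA/server-ca-cert.pem" '
    'pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=1000',
]


def parse_tls_paths(ldif_text):
    """Return {attribute: path} for every uncommented olcTLS*File attribute."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(' ') and lines:   # LDIF folds long values onto continuation lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    paths = {}
    for line in lines:
        if line.startswith('#') or ':' not in line:   # commented-out or non-attribute line
            continue
        attr, _, value = line.partition(':')
        attr = attr.strip()
        if attr.startswith('olcTLS') and attr.endswith('File'):
            paths[attr] = value.strip()
    return paths


# One file rule: optional 'owner', optionally quoted absolute path, permission letters, comma.
RULE_RE = re.compile(r'^\s*(?:owner\s+)?("?)(/[^\s"]+)\1\s+([a-zA-Z]+)\s*,')


def parse_read_rules(profile_text):
    """Return the path globs of every rule that grants read ('r') access."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line.split('#', 1)[0])   # drop comments and #include lines
        if m and 'r' in m.group(3):
            rules.append(m.group(2))
    return rules


def apparmor_glob_to_regex(glob):
    """Translate the common AppArmor wildcards into an anchored regex (no nested braces)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith('**', i):        # ** crosses directory boundaries
            out.append('.*'); i += 2
        elif glob[i] == '*':                # * stays within one path component
            out.append('[^/]*'); i += 1
        elif glob[i] == '?':
            out.append('[^/]'); i += 1
        elif glob[i] == '{':                # {a,b} alternation
            j = glob.index('}', i)
            out.append('(?:' + '|'.join(re.escape(a) for a in glob[i + 1:j].split(',')) + ')')
            i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return '^' + ''.join(out) + '$'


def unconfined_tls_paths(tls_paths, read_rules):
    """Return (attribute, path) pairs that no read rule in the profile covers."""
    regexes = [re.compile(apparmor_glob_to_regex(g)) for g in read_rules]
    return sorted((a, p) for a, p in tls_paths.items() if not any(r.match(p) for r in regexes))


DENIAL_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)".*?denied_mask="([^"]+)"')


def parse_apparmor_denials(log_lines):
    """Extract profile, file name and denied mask from AppArmor DENIED audit lines."""
    return [{'profile': m.group(1), 'name': m.group(2), 'denied_mask': m.group(3)}
            for m in map(DENIAL_RE.search, log_lines) if m]


def report(ldif_text, profile_text, log_lines):
    """Return human-readable findings explaining an opaque 'TLS init def ctx failed'."""
    findings = []
    tls = parse_tls_paths(ldif_text)
    for attr, path in unconfined_tls_paths(tls, parse_read_rules(profile_text)):
        findings.append(f"{attr}={path} is not readable under the slapd AppArmor profile")
    for d in parse_apparmor_denials(log_lines):
        findings.append(f"AppArmor denied '{d['denied_mask']}' on {d['name']} for profile {d['profile']}")
    return findings


if __name__ == '__main__':
    for line in report(SAMPLE_CONFIG_LDIF, SAMPLE_PROFILE, SAMPLE_LOG):
        print(line)
    print('after override:', report(SAMPLE_CONFIG_LDIF, SAMPLE_PROFILE + LOCAL_OVERRIDE, []))
```

On a real host the three inputs would be /etc/ldap/slapd.d/cn=config.ldif, /etc/apparmor.d/usr.sbin.slapd and the AppArmor lines from the kernel log; after adding a rule for the certificate directory the profile has to be reloaded with apparmor_parser -r before slapd is restarted. Keeping the certificates under a path the profile already allows (such as /etc/ldap/) avoids editing the profile at all, and the key file should stay readable only by the openldap user either way.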