    #363854
    vagabond
    Participant

    I just promoted a server from Standalone to OD Master. Everything seems to be ticking along quite nicely (Kerberos is running, etc). However, when I try to enable SSL using a self-signed cert, the LDAP server (and only the LDAP server) stops. Looking at the LDAP log shows:

        slapd[573]: main: TLS init def ctx failed: -1

    The certificate already works for both Mail and Web. It was made using the SA GUI, is 2048 bits long and has a password. The server is running 10.4.2 and has been rebooted since promotion from Standalone to OD Master.

    Anyone have ideas on how to get LDAP SSL running?

    #363855
    vagabond
    Participant

    Wouldn’t you know it: after looking for several hours for answers, I post a question and then find the answer myself within an hour of the post.

    Apparently, LDAP still has issues with passwords attached to certificates (as described here). So, to get this working, I did the following (I haven’t modified locations/names from what SA creates):

    cd /etc/certificates
    # prompts for the key's passphrase and writes an unencrypted copy of the key
    sudo openssl rsa -in my.server.com.key -out my.server.com.no.key

    Then, in Server Admin I checked the SSL box for LDAP and chose “Custom Configuration” with the following settings (again, locations are defaults):
    Certificate: /etc/certificates/my.server.com.crt
    SSL Key: /etc/certificates/my.server.com.no.key
    CA Certificate: /etc/certificates/my.server.com.crtkey

    The one that took me a second to figure out was the CA Certificate, since I had used SA to make the certificate to begin with and had no idea what the CA files were called.
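The fix above boils down to handing slapd a key file that has no passphrase, which also means a cleartext private key now sits on disk. The following script is an added example (not the poster's commands and not part of Server Admin) that wraps the same `openssl rsa` step with the checks an admin would want around it: it detects whether a PEM key is passphrase-protected, strips the passphrase while reading it from an environment variable rather than the command line, creates the output with owner-only permissions, and confirms the resulting key actually matches the certificate you point the LDAP SSL settings at. File names, the `DEMO_PASS` variable and the `/CN=my.server.com` subject are constructed for illustration; it assumes a POSIX sh and the `openssl` CLI, and the PKCS#8 `ENCRYPTED PRIVATE KEY` header check is there for modern OpenSSL builds, which write that format instead of the older `Proc-Type: 4,ENCRYPTED` RSA header.

```shell
#!/bin/sh
# Added example for the thread above; assumes POSIX sh and the openssl CLI.
# All paths, the DEMO_PASS variable and subject names are constructed.

# Returns 0 when the PEM key is passphrase-protected, covering both the
# legacy "Proc-Type: 4,ENCRYPTED" RSA key header and the PKCS#8
# "ENCRYPTED PRIVATE KEY" header that newer OpenSSL releases write.
is_encrypted_key() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Writes an unencrypted copy of key $1 to $2, the same thing the thread's
# "openssl rsa -in ... -out ..." does. The passphrase is read from the
# environment variable named in $3 (openssl's env: source) so it never
# appears in the process list. umask 077 makes the cleartext key 0600;
# run this as the user slapd reads the key as (root on the original setup).
strip_passphrase() {
    in="$1"; out="$2"; passvar="$3"
    ( umask 077 && openssl rsa -in "$in" -passin "env:$passvar" -out "$out" 2>/dev/null )
}

# Returns 0 when the key and certificate share the same RSA modulus, i.e.
# the unencrypted key really belongs to the cert configured for LDAP SSL.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Prints the permission string of a file (ls is used because stat's flags
# differ between GNU and BSD); a cleartext key should show -rw-------.
key_mode() {
    ls -l "$1" | cut -c1-10
}
```

Typical use against the thread's defaults would be `DEMO_PASS='the passphrase' strip_passphrase /etc/certificates/my.server.com.key /etc/certificates/my.server.com.no.key DEMO_PASS`, followed by `key_matches_cert` against `my.server.com.crt` before restarting LDAP; if `is_encrypted_key` already returns non-zero for the source key, the TLS init failure has a different cause and stripping the passphrase will not help.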

    #363894
    vagabond
    Participant

    Mail and Apache were both working fine with the password attached, only LDAP seemed to have a problem with it. One thing I didn’t try was using a custom configuration to select the password-protected certificate by hand and entering in the password manually (there is an option for that now).

    This is one of those things where I don’t really know the why, just that LDAP works now. On a production server, that’s good enough for me :)
