LDAP SSL

[vagabond]

I just promoted a server from Standalone to OD Master. Everything seems to be ticking along quite nicely (Kerberos is running, etc). However, when I try to enable SSL using a self-signed cert, the LDAP server (and only the LDAP server) stops. Looking the the LDAP log shows:
[QUOTE] slapd[573]: main: TLS init def ctx failed: -1 [/QUOTE]

The certificate already works for both Mail and Web. It was made using the SA GUI, is 2048 bits long and has a password. The server is running 10.4.2 and has been rebooted since promotion from Standalone to OD Master.

Anyone have ideas on how to get LDAP SSL running?

[vagabond]

Wouldn’t you know it-after looking for several hours for answers, I post a question and then find the answer myself within an hour of the post.

Apparently, LDAP still has issues with passwords attached to certificates (as described here). So, to get this working, I did the following (I haven’t modified locations/names from what SA creates):

cd /etc/certificates
sudo openssl rsa -in my.server.com.key -out my.server.com.no.key

Then, in Server Admin I checked the SSL box for LDAP and chose “Custom Configuration” with the following settings (again, locations are defaults):
Certificate: /etc/certificates/my.server.com.crt
SSL Key: /etc/certificates/my.server.com.no.key
CA Certificate: /etc/certificates/my.server.com.crtkey

The one that took me a second to figure out was the CA Certificate, since I had used SA to make the certificate to begin with and had no idea what the CA files were called.

[vagabond]

Mail and Apache were both working fine with the password attached, only LDAP seemed to have a problem with it. One thing I didn’t try was using a custom configuration to select the password-protected certificate by hand and entering in the password manually (there is an option for that now).

This is one of thsoe things where I don’t really know the why, just that LDAP works now. On a production server, that’s good enough for me

[Author]

Posts