From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Sun, 27 Jan 2008 09:49:59 +0000
To: Dave
Cc: freebsd-questions@freebsd.org
Subject: Re: freebsd openldap server tls error
Message-ID: <479C53C7.9000305@infracaninophile.co.uk>
In-Reply-To: <002701c8608f$c0268980$0200a8c0@satellite>

Dave wrote:
> Hello,
> I'm setting up a FreeBSD openldap server for authentication. When I
> added in TLS parameters, the TLSCACertificateFile, TLSKeyFile, and
> TLSCertificateFile, now I am getting the below error. I've checked
> permissions on the keys and they are globally readable. Any suggestions?
> Thanks.
> Dave.
>
> Jan 26 21:48:38 ldap slapd[43560]: main: TLS init def ctx failed: -1

Setting up TLS with OpenLDAP is tricky. Much trickier than it should be
IMHO.

Make sure the key file is *not* readable by other than the ldap process
and that it isn't in a world-writable directory.

Use 'openssl s_client' to connect to the LDAPS port on your server and
produce better debugging hints.

Try asking on the openldap-software@OpenLDAP.org list for help: there
are a lot more people who understand OpenLDAP there than on this list.

	Cheers,

	Matthew

PS. If you want to use OpenLDAP as both client and server over TLS
(e.g. you're using syncrepl between a number of cloned OpenLDAP
instances) then you really do need superior skills. OpenLDAP only
understands one key+cert, so you have to fiddle with the 'Netscape Cert
Type' field to make a cert that is usable for both client and server.
Fun!

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
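The checks Matthew recommends (key file readable only by the slapd user, not sitting in a world-writable directory, and an `openssl s_client` probe of the LDAPS port) in script form. This is an added example for this thread, not code from the original messages or from OpenLDAP. It assumes slapd runs as the `ldap` user (the FreeBSD openldap-server port's default, overridable through SLAPD_USER), and the certificate file names in the guarded block at the bottom are placeholders. It also goes beyond the post by confirming that the certificate actually belongs to the private key and verifies against the CA bundle named in TLSCACertificateFile, since a mismatch there also makes slapd refuse to build its TLS context.

```shell
#!/bin/sh
# Pre-flight checks for the files behind slapd's TLSCertificateFile,
# TLSKeyFile and TLSCACertificateFile directives, plus an openssl
# s_client probe of the running server.
# Added example for this thread, not code from the original post or from
# OpenLDAP. Assumes slapd runs as $SLAPD_USER ("ldap", the FreeBSD
# openldap-server port default); the paths in the guarded block at the
# bottom are placeholders.

SLAPD_USER="${SLAPD_USER:-ldap}"

# Mode string ("-rw-------") and owner via ls(1), which is portable;
# stat(1) flags differ between GNU and BSD.
mode_string() { ls -ld "$1" | cut -c1-10; }
owner_of()    { ls -ld "$1" | awk '{ print $3 }'; }

# check_key_perms KEYFILE
# Returns 0 when the key is owned by $SLAPD_USER, has no group/other
# bits (0600 or 0400) and does not live in a world-writable directory;
# otherwise 1 with one line per finding. A globally readable key, as
# described in the question, fails here.
check_key_perms() {
    key=$1
    rc=0
    [ -f "$key" ] || { echo "$key: missing"; return 1; }
    mode=$(mode_string "$key")
    owner=$(owner_of "$key")
    if [ "$owner" != "$SLAPD_USER" ]; then
        echo "$key: owned by $owner, expected $SLAPD_USER"; rc=1
    fi
    # characters 5-10 are the group and other rwx triplets
    case $(printf '%s\n' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "$key: mode $mode, want 0600 or 0400"; rc=1 ;;
    esac
    dir=$(dirname "$key")
    if [ "$(mode_string "$dir" | cut -c9)" = "w" ]; then
        echo "$dir: world-writable directory holds the key"; rc=1
    fi
    return $rc
}

# check_cert_matches_key CERTFILE KEYFILE
# The public key inside the certificate must equal the one derived
# from the private key; otherwise slapd cannot build its TLS context.
check_cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    kpub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cpub" = "$kpub" ]
}

# check_chain CAFILE CERTFILE
# The server cert must verify against the bundle given to slapd in
# TLSCACertificateFile.
check_chain() { openssl verify -CAfile "$1" "$2"; }

# probe_ldaps HOST PORT CAFILE
# Matthew's suggestion: talk TLS to the LDAPS port (636) and read the
# "Verify return code" line and any alert openssl prints.
probe_ldaps() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -showcerts </dev/null
}

# probe_starttls HOST CAFILE
# Same for StartTLS on 389 (-starttls ldap needs OpenSSL 1.1.1 or later).
probe_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" </dev/null
}

# Guarded so that sourcing this file only defines the functions.
if [ "${RUN_LDAP_TLS_CHECK:-0}" = 1 ]; then
    CONF_DIR=/usr/local/etc/openldap        # FreeBSD port config location
    CA=$CONF_DIR/cacert.pem                  # placeholder file names
    CERT=$CONF_DIR/server.crt
    KEY=$CONF_DIR/server.key
    check_key_perms "$KEY"
    check_cert_matches_key "$CERT" "$KEY" && echo "cert and key match"
    check_chain "$CA" "$CERT"
    probe_ldaps "$(hostname)" 636 "$CA"
fi
```

Run it as `RUN_LDAP_TLS_CHECK=1 sh ldap-tls-check.sh` on the server after adjusting the placeholder paths. If every check passes and slapd still logs `TLS init def ctx failed`, start slapd in the foreground with `-d -1` so the OpenSSL error text behind that bare `-1` is printed.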