somehow I am unable to configure slapd to enable ldaps support on Debian Lenny. It looks like OpenLDAP is compiled with GnuTLS instead of OpenSSL which could be part of the problem.
I've added the following options to slapd.conf:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA TLSCertificateFile /etc/ssl/certs/myhost.pem TLSCACertificatePath /etc/ssl/certs/ TLSCertificateKeyFile /etc/ssl/private/myhost.pem TLSVerifyClient never
and the following to ldap.conf:
URI ldap:/// ldaps:/// TLS_REQCERT never
The following error appears in the logs if I try to start slapd:
main: TLS init def ctx failed: -64
Could it be that the certificate, which has been generated by openssl, cannot be read by GnuTLS?
Has anyone of you configured OpenLDAP on Debian with ldaps support? If yes, any hints on how to get it to work would be very appreciated.
Thanks.
EDIT: found a working TLSCipherSuite.
Best Answer
The cipher names between Openssl and GnuTLS are not the same.
Example GnuTLS cipher:
To get a list of GnuTLS cipher names:
And make sure that the "cert" files are readable and owned by the openldap user. You could also add the openldap user to the ssl-cert group.