problems with LDAP TLS and nss_ldap on 5.2.1

mkes_at_ra.rockwell.com
Date: 06/08/04

    To: freebsd-questions@FreeBSD.org
    Date: Tue, 8 Jun 2004 13:26:58 +0200


    I have upgraded our LDAP server to 5.2.1Release running openldap-2.1.30
    server/client + pam_ldap-1.6.9 + nss_ldap-1.204_5. The previous
    configuration (openldap20-2.0.25_4 + nss_ldap-1.204_1 + pam_ldap-1.6.1)
    was running OK on FreeBSD 5.1R.

    After the upgrade I have 2 major problems.

    1) I'm not able to make the ldap server work with TLS.
    The previous installation worked fine but I haven't properly backed up TLS
    certificates and I had to generate them again using the approach described
    at http://www.openldap.org/faq/data/cache/185.html
    As soon as I add these TLS options to the slapd.conf:

    # TLS options for slapd
    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
    TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/servercrt.pem

    ... running "/etc/rc.d/slapd start" doesn't even start the server but
    doesn't complain either. So I have no clue what's going wrong and right
    now I have to run the server without TLS.

    2) The second problem is with nss_ldap.
    I have installed the server first, loaded data to the directory, tried
    some searches etc. Everything worked OK (except for the TLS). Normally, the
    startup of the server takes about 1 second. As soon as I install nss_ldap
    (in the very moment I run make install on that port) the startup time of
    the ldap server slows down to 30+ seconds and I also experienced cases
    when it didn't start at all. If I deinstall nss_ldap the server
    startup is quick again.

    Any ideas about what could be wrong in either case would be really welcome.

    Thanks

    Mira
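Added here as an illustration, not part of Mira's message or of OpenLDAP or the FreeBSD ports: a POSIX shell check of the certificate files named by the TLS* lines in the slapd.conf snippet above (those paths are used as defaults), assuming `openssl` is on the path. It exercises the usual reasons slapd exits quietly when TLS is switched on: an unreadable file, a missing or passphrase-protected key, a key that does not belong to the certificate, or a certificate the CA file does not sign.

```shell
#!/bin/sh
# check_slapd_tls.sh (added example): verify the files named by the TLS*
# directives in slapd.conf before starting slapd, which exits quietly from
# rc.d when TLS setup fails. Defaults are the paths from the message, where
# the server cert and its key share one file, so both parsers run on it.
# Also: TLSCipherSuite HIGH:MEDIUM:+SSLv2 enables SSLv2 ciphers; SSLv2 is
# broken and modern OpenSSL no longer builds it, so drop the +SSLv2 part.

check_tls_files() {
    cacert=${1:-/usr/local/etc/openldap/cacert.pem}
    servercrt=${2:-/usr/local/etc/openldap/servercrt.pem}
    rc=0

    # 1. both files must exist and be readable by the user slapd runs as
    for f in "$cacert" "$servercrt"; do
        [ -r "$f" ] || { echo "UNREADABLE: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. the file must hold a parseable certificate and an unencrypted key
    #    (slapd cannot prompt for a passphrase at boot)
    openssl x509 -noout -in "$servercrt" 2>/dev/null \
        || { echo "NO CERT: $servercrt"; rc=1; }
    openssl rsa -noout -in "$servercrt" -passin pass: 2>/dev/null \
        || { echo "NO USABLE KEY: $servercrt (missing or encrypted)"; rc=1; }
    [ "$rc" -eq 0 ] || return 1

    # 3. the key must belong to the certificate (compare RSA moduli)
    cmod=$(openssl x509 -noout -modulus -in "$servercrt")
    kmod=$(openssl rsa -noout -modulus -in "$servercrt" 2>/dev/null)
    [ "$cmod" = "$kmod" ] \
        || { echo "MISMATCH: key in $servercrt does not match its cert"; rc=1; }

    # 4. the certificate must chain to the CA clients are told to trust;
    #    only the cert block is piped in, so the key never reaches verify
    openssl x509 -in "$servercrt" | openssl verify -CAfile "$cacert" >/dev/null 2>&1 \
        || { echo "UNTRUSTED: $servercrt does not verify against $cacert"; rc=1; }

    # 5. the certificate must be inside its validity period right now
    openssl x509 -noout -checkend 0 -in "$servercrt" >/dev/null 2>&1 \
        || { echo "EXPIRED: $servercrt"; rc=1; }

    if [ "$rc" -eq 0 ]; then
        echo "OK: $servercrt is readable, self-consistent and signed by $cacert"
        echo "If slapd still dies, run it in the foreground to see the error:"
        echo "  slapd -d 1 -f /usr/local/etc/openldap/slapd.conf"
    fi
    return "$rc"
}
```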

