# trouble integrating TLS in OpenLDAP



## bluethundr (Sep 13, 2010)

Hey FreeBSD

I'm building out my lovely FreeBSD box into an OpenLDAP server. So far, it seems to be working fine and I am populating the directory with data. And all the slap and ldap tools (like ldapvi and others) are working.

However, when I try to integrate TLS security, slapd won't restart.

 Here's the relevant part of my slapd.conf that deals with TLS. Let me know if you would like to see more of it, but really this only stops working when I uncomment these lines relating to TLS:


```
## Added logging parameters

loglevel        296
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

## TLS options for slapd
TLSCipherSuite   HIGH
TLSCertificateFile  /etc/local/slapd-cert.pem
TLSCertificateKeyFile /etc/local/slapd-key.pem
```

As far as I know, my keys seem ok with appropriate permissions:


```
[root@LBSD2:/etc/local]#ls -al
total 10
drwxr-xr-x   2 root  wheel   512 Sep 13 04:44 .
drwxr-xr-x  21 root  wheel  2560 Sep 13 04:41 ..
-rw-------   1 root  wheel  1371 Sep 13 04:44 slapd-cert.pem
-rw-------   1 root  wheel   887 Sep 13 01:31 slapd-key.pem
```


And when I go to restart slapd this is what happens...


```
[root@LBSD2:/usr/local/etc/openldap]#/usr/local/etc/rc.d/slapd restart
Stopping slapd.
Waiting for PIDS: 11015.
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
```


And this happens in /var/log/messages:


```
Sep 13 21:26:07 LBSD2 su: bluethundr to root on /dev/pts/4
Sep 13 21:29:35 LBSD2 bluethundr: /usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
```


And it looks like I had compiled with Cyrus SASL support.


```
Options for openldap-sasl-server 2.4.23

[X] SASL              With (Cyrus) SASL2 support
[X] FETCH             Enable fetch(3) support
[ ] DYNACL            Run-time loadable ACL (experimental)
[ ] ACI               Per-object ACI (experimental)
[X] DNSSRV            With Dnssrv backend
[ ] PASSWD            With Passwd backend
[X] PERL              With Perl backend
[ ] RELAY             With Relay backend
[ ] SHELL             With Shell backend (disables threading)
[ ] SOCK              With Sock backend
[ ] ODBC              With SQL backend
[ ] RLOOKUPS          With reverse lookups of client hostnames
[ ] SLP               With SLPv2 (RFC 2608) support
[ ] SLAPI             With Netscape SLAPI plugin API
[X] TCP_WRAPPERS      With tcp wrapper support
```


All it takes to get this to work again is to comment out the lines relating to TLS in my slapd.conf


```
## Added logging parameters

loglevel        296
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

## TLS options for slapd
#TLSCipherSuite   HIGH
#TLSCertificateFile  /etc/local/slapd-cert.pem
#TLSCertificateKeyFile /etc/local/slapd-key.pem
```

As you can see:


```
[root@LBSD2:/usr/local/etc/openldap]#/usr/local/etc/rc.d/slapd start 
Starting slapd.
[root@LBSD2:/usr/local/etc/openldap]#/usr/local/etc/rc.d/slapd status
slapd is running as pid 13617.
```

OpenLDAP is perfectly happy as long as TLS encryption is not enabled. 

Does anyone have any experience and insight to offer in getting this to work?

Thanks!


----------



## aragon (Sep 13, 2010)

```
cd /etc/local && chgrp slapd slapd*.pem && chmod g+r slapd*.pem
```


----------



## bluethundr (Sep 14, 2010)

*TLS slapd still not starting*

Hi and thanks for your input. 

Well I tried to add those files to the slapd group, however I found that the group didn't exist. 

So I:


```
pw groupadd slapd
```

And then I changed the modes and added the files to the slapd group with the command that you suggested. 

Now the directory looks like this:


```
[root@LBSD2:/etc/local]#ls -lah
total 20
drwxr-xr-x   2 root  wheel   512B Sep 13 04:44 .
drwxr-xr-x  21 root  wheel   2.5K Sep 14 01:21 ..
-rw-r-----   1 root  slapd   1.3K Sep 13 04:44 slapd-cert.pem
-rw-r-----   1 root  slapd   887B Sep 13 01:31 slapd-key.pem
```

But slapd still fails to start with TLS enabled:


```
[root@LBSD2:/etc/local]#/usr/local/etc/rc.d/slapd start
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
```
  x(

With the TLS options commented out like before, slapd starts:


```
## TLS options for slapd
#TLSCipherSuite   HIGH
#TLSCertificateFile  /etc/local/slapd-cert.pem
#TLSCertificateKeyFile /etc/local/slapd-key.pem

## Misc Security Settings
"slapd.conf" 84 lines, 2822 characters written
[root@LBSD2:/usr/local/etc/openldap]#/usr/local/etc/rc.d/slapd start
Starting slapd.
```

Again, I appreciate the suggestion, but I am afraid that TLS is still not happening.


----------



## aragon (Sep 14, 2010)

bluethundr said:

> Well I tried to add those files to the slapd group, however I found that the group didn't exist.


The OpenLDAP port is supposed to create that and the slapd user when you install it.  Better check why that's not the case, and check what user openldap is running as...


----------
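The permission question raised in this thread can be checked offline from the `slapd.conf` text and the `ls -l` lines alone. The script below is an added example, not code from any poster or from the OpenLDAP port: it lists the active TLS file directives and decides from mode, owner and group whether a given account can read a file. The function names are hypothetical, the account and group name `slapd` follow aragon's reply and are an assumption about the run-as user, and the sample lines are constructed from the listings above.

```shell
#!/bin/sh
# Added example: judge slapd TLS file access from config text and ls -l lines.

# Print the paths of active (not commented-out) TLS certificate/key directives
# found in a slapd.conf read from stdin.
tls_paths() {
    awk '$1 == "TLSCertificateFile" || $1 == "TLSCertificateKeyFile" { print $2 }'
}

# readable_by USER GROUP "LS_LINE"
# Succeed if USER (whose group is GROUP) may read the file described by one
# `ls -l` line. Only mode bits, owner and group are considered; directory
# search permission and ACLs are outside this check.
readable_by() {
    user=$1 group=$2
    set -- $3                       # split: mode links owner group size ...
    mode=$1 owner=$3 fgroup=$4
    [ "$user" = root ] && return 0  # root bypasses mode bits
    if [ "$user" = "$owner" ]; then pos=2      # owner read bit
    elif [ "$group" = "$fgroup" ]; then pos=5  # group read bit
    else pos=8                                 # other read bit
    fi
    [ "$(printf %s "$mode" | cut -c"$pos")" = r ]
}

# Constructed sample input, copied from the thread's config and listings.
SAMPLE_CONF='TLSCipherSuite   HIGH
TLSCertificateFile  /etc/local/slapd-cert.pem
TLSCertificateKeyFile /etc/local/slapd-key.pem
#TLSCertificateKeyFile /etc/local/old-key.pem'
BEFORE='-rw-------   1 root  wheel   887 Sep 13 01:31 slapd-key.pem'
AFTER='-rw-r-----   1 root  slapd   887B Sep 13 01:31 slapd-key.pem'

echo "Active TLS files:"
printf '%s\n' "$SAMPLE_CONF" | tls_paths

for line in "$BEFORE" "$AFTER"; do
    if readable_by slapd slapd "$line"; then
        echo "slapd can read:    $line"
    else
        echo "slapd CANNOT read: $line"
    fi
done
```

A mode of `rw-r-----` with group `slapd` keeps the private key unreadable to other local accounts while still letting the daemon's account open it, provided the daemon really runs as a member of that group.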

