Comments on How to Install OpenLDAP Server and Client on Rocky Linux 9
OpenLDAP is a software implementation of the Lightweight Directory Access Protocol (LDAP). In this guide, you will install and set up OpenLDAP on a Rocky Linux 9 server. You will install the OpenLDAP server, configure the OpenLDAP server manually, and enable secure SSL/TLS on the OpenLDAP server.
Comments
I followed the same steps with the same domain name (the only change is the IP address of the server) as the sample. However, I am getting the following error on the SSL/TLS connection.
[root@ldap ldap-conf-sample]# ldapsearch -x -b dc=hwdomain,dc=lan -ZZ
ldap_start_tls: Connect error (-11)
additional info: error:0A000410:SSL routines::sslv3 alert handshake failure
me too
How did you solve this problem? My OS is Rocky 9.2.
Any help?
[root@rocky1 ldap]# ldapsearch -x -b dc=ysdomain,dc=com -ZZ
ldap_start_tls: Connect error (-11)
additional info: error:0A000410:SSL routines::sslv3 alert handshake failure
My OS is Rocky 9.2.
Hello, same here on Rocky Linux 9.2; there might be a problem when we create the certificate.
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:0A000410:SSL routines::sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
additional info: error:0A000410:SSL routines::sslv3 alert handshake failure
I got the same error as others report below. I managed to get around this by following another page for the creation of the self-signed certificate.
[root@dlp ~]# vi /etc/ssl/openssl.cnf
# add to the end
# section name is any name you like
# DNS:(this server's hostname)
# if you set multiple hostnames or domain names, set them comma separated
# ⇒ DNS:dlp.srv.world, DNS:www.srv.world
[ srv.world ]
subjectAltName = DNS:dlp.srv.world

[root@dlp ~]# cd /etc/pki/tls/certs
[root@dlp certs]# openssl genrsa -aes128 2048 > server.key
Enter PEM pass phrase: # set passphrase
Verifying - Enter PEM pass phrase: # confirm

# remove passphrase from private key
[root@dlp certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: # input passphrase
writing RSA key

[root@dlp certs]# openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP # country code
State or Province Name (full name) []:Hiroshima # state
Locality Name (eg, city) [Default City]:Hiroshima # city
Organization Name (eg, company) [Default Company Ltd]:GTS # company
Organizational Unit Name (eg, section) []:Server World # department
Common Name (eg, your name or your server's hostname) []:dlp.srv.world # server's FQDN
Email Address []:[email protected] # admin email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# create certificate with 10 years expiration date
# -extensions (section name) ⇒ the section name you set in [openssl.cnf]
[root@dlp certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -extfile /etc/ssl/openssl.cnf -extensions srv.world -days 3650
Certificate request self-signature ok
subject=C = JP, ST = Hiroshima, L = Hiroshima, O = GTS, OU = Server World, CN = dlp.srv.world, emailAddress = [email protected]
[root@dlp certs]# chmod 600 server.key
[root@dlp certs]# ll server.*
-rw-r--r--. 1 root root 1769 Apr 24 10:51 server.crt
-rw-r--r--. 1 root root 1407 Apr 24 10:51 server.csr
-rw-------. 1 root root 2484 Apr 24 10:51 server.key

[root@dlp ~]# cp /etc/pki/tls/certs/{server.key,server.crt} /etc/openldap/certs/
[root@dlp ~]# chown ldap:ldap /etc/openldap/certs/{server.key,server.crt}
[root@dlp ~]# vi mod_ssl.ldif
# create new
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

The changes to ldap.conf are still required though.
The issue people are having with the SSL/TLS handshake failure is down to an error in the tld.ldif example file. The blank lines between the different add: sections should actually have a single minus sign rather than being blank (the Wikipedia page on LDAP_Data_Interchange_Format confirms this). The file, as provided, only adds the first item so when slapd looks for olcTLSCertificateKeyFile and olcTLSCertificateFile it can't find them. You can confirm this by typing "slapcat -b cn=admin | grep TLS" which only returns the olcTLSCACertificateFile value. Once the missing attributes are added, TLS works as expected.
[root@apoio ~]# cat tls.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt
ldapsearch -x -b "dc=cluster,dc=br" -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=cluster,dc=br> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# cluster.br
dn: dc=cluster,dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
o:: SFBDIFRyZWluYW1lbnRvcyA=
dc: cluster

# Manager, cluster.br
dn: cn=Manager,dc=cluster,dc=br
objectClass: organizationalRole
cn: Manager
description: OpenLDAP Manager

# People, cluster.br
dn: ou=People,dc=cluster,dc=br
objectClass: organizationalUnit
ou: People
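As an added illustration of the LDIF point raised in the comments above (this is not code from the article or from any commenter): a minimal parser for a changetype: modify record that shows why the version with blank lines between the replace: sections only applies the first attribute, while the version with a lone "-" separator, like the tls.ldif shown above, applies all three. The two LDIF strings are constructed samples using the same file paths as that comment.

```python
# Minimal parser for an LDIF 'changetype: modify' record. Added example, not
# from the article or its commenters; both LDIF strings below are constructed.
TLS_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateKeyFile",
             "olcTLSCertificateFile")

def parse_modify_record(text):
    """Return (op, attr, values) mod specs of the FIRST record in text.
    RFC 2849: a blank line ends the record, a lone '-' ends one mod spec,
    so anything after the first blank line never reaches cn=config."""
    mods, current = [], None
    for line in text.strip("\n").splitlines():
        if line == "":                      # blank line: end of record
            break
        if line.startswith(("dn:", "changetype:")):
            continue
        if line == "-":                     # end of one mod spec
            if current is not None:
                mods.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if current is None and attr in ("add", "replace", "delete"):
            current = (attr, value, [])     # start a new mod spec
        elif current is not None:
            current[2].append(value)        # attribute value line
    if current is not None:                 # trailing '-' is optional
        mods.append(current)
    return mods

def applied_tls_attrs(text):
    """TLS attributes the record would actually set on cn=config."""
    return [a for _, a, _ in parse_modify_record(text) if a in TLS_ATTRS]

# Constructed sample with blank lines between mod specs (the bug above).
BROKEN = """dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt

replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key

replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt
"""
# Corrected form: a lone '-' separates each mod spec.
FIXED = BROKEN.replace("\n\n", "\n-\n")
```

Running applied_tls_attrs on the two strings reproduces what the slapcat check in the comment above reports: only olcTLSCACertificateFile for the blank-line file, all three for the "-" separated one.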