LDAP with TLS on FC2


bryancole
1st August 2004, 09:55 AM
If anyone has got ldap working over openssl/TLS on fedora core 2, I'd like to hear from them. Please tell me how you did it!

I've got my ldap server up and running fine. Everything works great unencrypted.

My slapd.conf reads (the FC2 default):

TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

And I've regenerated 'slapd.pem' certificates by running 'make slapd.pem' in /usr/share/ssl/certs, and set CN appropriately.
I've read all the documentation that keeps on saying my openssl certificates must have Common Name (cn) = fully qualified domain name. I've checked this.

Still I always get the following:

# ldapsearch -H ldap://myserver.mydomain -D uid=bryan,ou=people,dc=cole,dc=net -x -W -ZZ
ldap_start_tls: Connect error (91)
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

N.B. I'm not running any DNS. I understand that openssl tries to resolve the server FQDN before comparing against the certificate. What happens if there's no DNS? Does it use nsswitch? I'm not sure.

What am I missing here? :(

If anyone can at least give me hope that it's _possible_ to get LDAP working with TLS I'd much appreciate it, as I'm beginning to think openssl is broken...

bryancole
1st August 2004, 07:10 PM
OK, solved my problems. It works. For the benefit of other poor saps who struggle with this, here's how (starting from an otherwise fully functional unencrypted ldap setup):

1) I had a single space in front of each line ' TLSCertificateFile', and ' TLSCertificateKeyFile'. The Fedora ldap startup scripts (/etc/init.d/ldap) check for the presence of lines starting with TLS using
'grep ^TLS $CONFIGFILE'. With spaces, the init-script does not detect these lines and starts ldap without TLS support.

Thus, in slapd.conf, I've got :
...
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
...

No other TLS******* lines are required.

I deleted the default /usr/share/ssl/certs/slapd.pem and ran 'make slapd.pem' to create a new one. During certificate regeneration, I set my Common Name (CN) to my fully-qualified domain name (in this case, the name reported by 'hostname', with a correctly configured /etc/hosts file). I'm not running any DNS, so this apparently isn't a requirement (the 'host' command doesn't work for me).

2) I added the line
...
TLS_CACERT /usr/share/ssl/certs/slapd.pem
...
to /etc/openldap/ldap.conf

This is the client side path to the appropriate certificate file. I cannot get TLS to work without this. I only tested this on the same machine i.e. client=server, so I'm not yet sure if I have to copy this pem-file to all my remote clients.

To test ldap, I used:

ldapsearch -H ldap://myhost.mydomain.com -D uid=myuser,ou=people,dc=mydomain,dc=com -x -W -ZZ -d 256

roger and out...
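The trap described in this post (TLS directives present in slapd.conf but silently ignored because the init script only matches lines starting in column 0) is easy to lint for before restarting slapd. The following is an added example written for this thread, not code from the poster or from Fedora; it reproduces the `grep ^TLS` behaviour the post attributes to /etc/init.d/ldap on constructed slapd.conf and ldap.conf bodies, and the file paths are the ones quoted in the thread, not defaults it verified.

```python
"""Lint slapd.conf / ldap.conf for the TLS pitfalls described in the post above.

Constructed example: the init-script behaviour mirrored here ('grep ^TLS
$CONFIGFILE' decides whether slapd is started with TLS support) is taken from
the post, and the sample configuration bodies are made up for this example.
"""
import re

# Server-side directives the post found sufficient for StartTLS.
REQUIRED_SERVER = ("TLSCertificateFile", "TLSCertificateKeyFile")


def find_tls_directives(conf_text):
    """Return one record per TLS* directive found in a slapd.conf body.

    'seen_by_init' mirrors 'grep ^TLS': it is only True when the directive is
    flush against column 0.  An indented directive is still valid to slapd
    itself, but the init script will not see it and starts slapd without TLS.
    """
    records = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if not parts[0].startswith("TLS"):
            continue
        records.append({
            "line": lineno,
            "directive": parts[0],
            "value": parts[1] if len(parts) > 1 else "",
            "seen_by_init": raw.startswith("TLS"),
        })
    return records


def lint_slapd_conf(conf_text):
    """Report indented TLS lines and missing required directives."""
    recs = find_tls_directives(conf_text)
    problems = []
    for r in recs:
        if not r["seen_by_init"]:
            problems.append(
                f"line {r['line']}: '{r['directive']}' has leading whitespace; "
                f"'grep ^TLS' in the init script will not match it"
            )
    present = {r["directive"] for r in recs}
    for d in REQUIRED_SERVER:
        if d not in present:
            problems.append(f"missing {d}")
    return {
        "tls_enabled_by_init": any(r["seen_by_init"] for r in recs),
        "problems": problems,
    }


def client_cacert(ldap_conf_text):
    """Return the TLS_CACERT path from a client ldap.conf body, or None.

    The post found that without this line 'ldapsearch -ZZ' fails even on the
    server host itself, so a missing value is worth flagging before testing.
    """
    for raw in ldap_conf_text.splitlines():
        m = re.match(r"^\s*TLS_CACERT\s+(\S+)", raw)
        if m:
            return m.group(1)
    return None


# Constructed sample: the broken layout from the post (one leading space).
BROKEN_SLAPD_CONF = """\
 TLSCertificateFile /usr/share/ssl/certs/slapd.pem
 TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
"""

# Constructed sample: the corrected layout.
FIXED_SLAPD_CONF = """\
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
"""

# Constructed sample: client-side /etc/openldap/ldap.conf.
CLIENT_LDAP_CONF = """\
BASE dc=mydomain,dc=com
TLS_CACERT /usr/share/ssl/certs/slapd.pem
"""

if __name__ == "__main__":
    for name, body in (("broken", BROKEN_SLAPD_CONF), ("fixed", FIXED_SLAPD_CONF)):
        print(name, lint_slapd_conf(body))
    print("client TLS_CACERT:", client_cacert(CLIENT_LDAP_CONF))
```

Run it against the real files with `lint_slapd_conf(open("/etc/openldap/slapd.conf").read())` before restarting the service; a `tls_enabled_by_init` of False with the directives present is exactly the symptom the post hit, and it is far cheaper to catch here than by reading `-d 256` output from ldapsearch.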

ghenry
11th August 2004, 11:22 AM

Looks good to me. Got SASL working yet?