Unable to use SSL or TLS to access OpenDirectory ldap server

I am unable to connect with my openserver system using SSL/TLS connection.

There are no issues communicating without SSL on port 389 and can connect and retrieve directory information without issue.

However, when using port 636 and expecting secure communications the connection fails to connect.

The below openssl connection attempt details the trace which would indicate that no ssl connection is being established.

[image: Example output from openssl attempting to connect]

The following image is from ServerAdmin indicating that SSL is enabled and a certificate has been provided for the server connection.

[image: ServerAdmin Configuration]

The port 636 is open on the ldap server, and no firewall is between the two hosts.

sauce:Java frank$ netstat -an | grep 636
tcp6       0      0  *.636                  *.*                    LISTEN
tcp4       0      0  *.636                  *.*                    LISTEN

A telnet connection to port 636 on the server succeeds indicating that there are no firewall issues in play.

Can anybody provide any additional items to check to identify and correct the cause of this issue?


The following were the steps I took to resolve this issue:

Reboot the server in safe mode (hold down shift key whilst restarting)

Let it idle for a while (apparently it is cleaning out caches in this mode)

Stop the existing slapd server

 sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist

Set the correct certificate GUID in the file /etc/openldap/slapd_macosxserver.conf. This can be ascertained from the contents of the /etc/certificates directory

sudo sed -e 's/oldguid/newguid/' /etc/openldap/slapd_macosxserver.conf >/tmp/conffile
sudo mv /tmp/conffile /etc/openldap/slapd_macosxserver.conf

Remove the configured TLS certificate values from the file /etc/openldap/slapd.d/cn=config.ldif

sudo vi /etc/openldap/slapd.d/cn=config.ldif
remove any lines beginning with olcTLSCertificate

Start the slapd server again

 sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist

Reboot the server again into standard mode.

Then, from a client computer running Linux or Mac OS X, check that you can connect via SSL and that the certificates are correct using the command

openssl s_client -connect ldap.yourdomain:636 -showcerts

If successful, you will get a dump of your server certificates as well as a connection detail description:

No client certificate CA names sent
---
SSL handshake has read 5209 bytes and written 807 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: C8E0F4A4ED24021DB4D98ACF5A9ACDC2293BC3961BF2AE90026115D899369E73
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    ...
    Start Time: 1400140597
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

Some other notes:

  1. Apple suggests that you can use self-signed and own certificate chains (http://support.apple.com/kb/ht3745). I use a self signed chain and it is successful.
  2. Port 636 is the standard ldaps port and is the port used by OpenDirectory (slapd)
  3. TLS1 is supported as can be seen from the openssl connection test
  4. Differing DNS names and host names do not matter (I tried both ways with a reboot between)
  5. Differing reverse DNS does not matter (I tried both ways with a reboot between)
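The two manual checks in the steps above (editing the certificate identifier in slapd_macosxserver.conf, then eyeballing the openssl s_client output) can be scripted so they give a definite answer. The script below is an added example, not code from the original question or answer. The s_client outputs it embeds are constructed samples (abridged), the function names are mine, and it assumes that the identity files under /etc/certificates are named <name>.<GUID>.<kind>.pem, which is how OS X Server lays them out; adjust the pattern if yours differ.

```shell
#!/bin/sh
# Added helper script (not from the original post). Assumptions are
# marked in comments; the sample outputs at the bottom are constructed.

# --- 1. Classify `openssl s_client -connect host:636 -showcerts` output ----
# Prints one of:  ok | verify-failed:<code> | no-tls
# "no-tls" is the symptom in the question: port 636 accepts the TCP
# connection (telnet succeeds) but slapd never negotiates TLS, so the
# client gets no certificate and the handshake reads 0 bytes.
classify_s_client() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo "no-tls"
        return 1
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo "no-tls"          # handshake never reached certificate verification
        return 1
    fi
    if [ "$code" = "0" ]; then
        echo "ok"
        return 0
    fi
    echo "verify-failed:$code" # TLS works, but this client does not trust the chain
    return 2
}

# Live wrapper around the classifier (needs network; not exercised offline).
check_ldaps() {
    classify_s_client "$(openssl s_client -connect "$1:${2:-636}" -showcerts </dev/null 2>&1)"
}

# --- 2. Swap the certificate identifier in slapd_macosxserver.conf --------
# Same edit as the sed step above, but it refuses to run unless the new
# identifier actually has files in the certificates directory, keeps a
# .bak copy, and prints how many config lines now carry the new value.
# Assumption: identity files are named <name>.<GUID>.<kind>.pem, as under
# /etc/certificates on OS X Server. Identifiers are hex and dashes, so they
# are safe to use unescaped in the sed expression.
update_cert_guid() {
    conf="$1"; old="$2"; new="$3"; certdir="${4:-/etc/certificates}"
    if ! ls "$certdir"/*."$new".* >/dev/null 2>&1; then
        echo "no certificate files for $new in $certdir" >&2
        return 1
    fi
    if ! grep -q "$old" "$conf"; then
        echo "old identifier $old not present in $conf" >&2
        return 1
    fi
    cp "$conf" "$conf.bak" || return 1
    sed "s/$old/$new/g" "$conf.bak" > "$conf" || return 1
    grep -c "$new" "$conf"
}

# Constructed samples of s_client output (abridged) for the three outcomes.
GOOD_SAMPLE='CONNECTED(00000003)
---
SSL handshake has read 5209 bytes and written 807 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
    Verify return code: 0 (ok)'

SELFSIGNED_SAMPLE='CONNECTED(00000003)
depth=0 CN = ldap.example.invalid
verify error:num=18:self signed certificate
---
    Verify return code: 18 (self signed certificate)'

NOTLS_SAMPLE='CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes'

for name in GOOD SELFSIGNED NOTLS; do
    eval "sample=\$${name}_SAMPLE"
    printf '%-11s %s\n' "$name" "$(classify_s_client "$sample")"
done
```

Run `check_ldaps ldap.yourdomain` against the server: "no-tls" reproduces the original symptom and means the server-side configuration (steps 3 to 5 above) is still wrong, while "verify-failed:18" means TLS is now up and only the client's trust store lacks the self-signed CA. `update_cert_guid` is meant to be run with sudo against /etc/openldap/slapd_macosxserver.conf; it exits non-zero without touching the file if the new identifier has no matching files, which catches the typo case the plain sed step silently accepts.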