Full_Name: Nikolaos Milas Version: 2.4.28 OS: CentOS 5.7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (94.65.22.12)
If, in a working OpenLDAP installation with dynamic configuration, we inadvertently change the value of:
olcTLSCertificateKeyFile: /path/to/key.pem
to some invalid value, like:
olcTLSCertificateKeyFile: /path/to/non/existing/key.pem
then OpenLDAP Server continues to work (and we see no error message whatsoever), but if it is stopped, it refuses to restart. In the logs, while OpenLDAP is starting, we see:
Feb 11 16:20:44 vdev slapd[15272]: main: TLS init def ctx failed: -1
and then service is immediately stopped.
OpenLDAP Server should check whether the new parameter value points to an existing file, and, if not, it should refuse to change the attribute value. For a more complete procedure, it could also check whether the indicated file includes a valid certificate, suitable for this parameter, and, again, if not, it should refuse to change the attribute value.
Also, in case it's possible that one of the TLS File parameters gets an invalid value (e.g. through slapadd), then a meaningful message during startup failure would be helpful, e.g.: "olcTLSCertificateKeyFile: File /path/to/key.pem not found or contains invalid certificate."