I've noticed that some of the error messages presented by slapd can be quite ambiguous in nature. For example, if TLSCertificateKeyFile is specified in slapd.conf, yet is not readable by the user slapd runs as, the following error is observed:
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: @(#) $OpenLDAP: slapd 2.3.43 (Feb 5 2010 10:47:47) $ root@host:/usr/obj/usr/ports/net/openldap23-server/work/openldap-2.3.43/servers/slapd
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: main: TLS init def ctx failed: -1
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: slapd stopped.
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug] slapd[6261]: connections_destroy: nothing to destroy.
For reference, this is on FreeBSD 7.2-RELEASE, base OpenSSL v0.9.8e. Looking briefly at the code, this error message is returned when ldap_pvt_init_def_ctx() fails. I'm not sure which OpenSSL SSL_* function call fails within this function, however I do notice that the only call made to an OpenSSL library's ERR_* function is if the initial SSL_CTX_new() method fails.
Am I looking at this wrong altogether, or is it simply a question of my slapd loglevel not being high enough or including TLS errors? It will indeed typically list TLS negotiation failures.
Thanks
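As an added example (not from the original post and not OpenLDAP's own code), a small Python pre-flight check for the situation described above: it parses the TLS file directives out of slapd.conf, reports files that are missing or unreadable by the current uid, and then loads the same material into an OpenSSL context so the library's own error text is shown instead of the bare "TLS init def ctx failed: -1". The config fragment and paths are constructed; run it as the user slapd drops privileges to, since that is the uid whose read access matters.

```python
import os
import ssl

# Constructed slapd.conf fragment for demonstration; paths are examples, not from the post.
SAMPLE_SLAPD_CONF = """\
TLSCACertificateFile   /usr/local/etc/openldap/cacert.pem
TLSCertificateFile     /usr/local/etc/openldap/slapd.crt
TLSCertificateKeyFile  /usr/local/etc/openldap/slapd.key
"""

TLS_FILE_DIRECTIVES = {  # lowercase form (directives are case-insensitive) -> canonical name
                       "tlscacertificatefile": "TLSCACertificateFile",
                       "tlscertificatefile": "TLSCertificateFile",
                       "tlscertificatekeyfile": "TLSCertificateKeyFile"}

def parse_tls_files(conf_text):
    """Return {directive: path} for the TLS file directives found in slapd.conf text."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in TLS_FILE_DIRECTIVES:
            found[TLS_FILE_DIRECTIVES[parts[0].lower()]] = parts[1].strip()
    return found

def check_tls_files(tls_files):
    """List missing/unreadable files for the *current* uid; run as the user slapd drops to."""
    problems = []
    for directive, path in tls_files.items():
        if not os.path.exists(path):
            problems.append(f"{directive}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{directive}: {path} is not readable by uid {os.geteuid()}")
    return problems

def explain_tls_init(tls_files):
    """Load CA, cert and key into an OpenSSL server context and return the library's
    own error text (the detail 'TLS init def ctx failed: -1' omits), or None if all load."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        if "TLSCACertificateFile" in tls_files:
            ctx.load_verify_locations(cafile=tls_files["TLSCACertificateFile"])
        if "TLSCertificateFile" in tls_files:
            ctx.load_cert_chain(certfile=tls_files["TLSCertificateFile"],
                                keyfile=tls_files.get("TLSCertificateKeyFile"))
    except OSError as exc:  # ssl.SSLError is an OSError subclass, so both are caught here
        return f"{type(exc).__name__}: {exc}"
    return None
```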