On Thursday 11 December 2008 08:04:24 Alfonsas Stonis wrote:
> Hi,
> I am trying to configure OpenLDAP and TLS. I am following the instructions at
> http://www.openldap.org/faq/data/cache/185.html; however, I can not start slapd.
> My cn=config.ldif:
> olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
> olcTLSCertificateFile: /etc/ldap/ssl/newcert.pem
> olcTLSCertificateKeyFile: /etc/ldap/ssl/demoCA/newreq.pem
> [...]
> However there is nothing in the log :(
> Dec 11 16:47:41 axew0204 slapd[434]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ 	buildd@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
> Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
> Dec 11 16:47:41 axew0204 slapd[434]: slapd stopped.
> Dec 11 16:47:41 axew0204 slapd[434]: connections_destroy: nothing to destroy.
The most common causes for this error message, in my experience, are:
- The path to the certificates or key is wrong
- The user slapd runs as cannot access the certificates or keys
- The certificates or keys are in the wrong format
So, I would do this to test:
su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/newcert.pem'
su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/demoCA/newreq.pem'
(replace the user - 'ldap' in this case - with the username your slapd runs as).
However, it's probably not the best idea to configure slapd to find the certs or keys in the demoCA directory (if you sign another cert on that box, you will probably overwrite those files).
(The FAQ entry could also consider recommending to place the SSL key in a different file than the CSR ....)
(It may also be worthwhile adding an FAQ entry on this, with the error message, as googling the error message doesn't turn up and good answers, just bad questions ...)
Regards,
Buchan
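The three checks above (path, permissions, format) as one script. This is an added example, not code from the thread or from the OpenLDAP project: it pulls the olcTLS* paths out of a cn=config LDIF fragment and tests each file the way slapd will see it, using `openssl x509` for the certificates and `openssl pkey` for the key. The script name, the return codes, the invocation in the header comment and the CA.pl-style layout it warns about are assumptions for illustration. Run it as the user slapd runs as: root can read everything, so the permission check only means something under that account.

```shell
#!/bin/sh
# Added example (not from the thread): preflight the olcTLS* files slapd will
# open at start-up. Run it as the slapd user so the readability check is real:
#   su -s /bin/sh ldap -c 'sh slapd-tls-check.sh /etc/ldap/slapd.d/cn=config.ldif'
# Script name, paths and return codes are assumptions for illustration.

# Print "kind path" for each TLS file named in an LDIF config fragment.
tls_paths_from_ldif() {
    sed -n \
        -e 's/^olcTLSCACertificateFile:[[:space:]]*/ca /p' \
        -e 's/^olcTLSCertificateFile:[[:space:]]*/cert /p' \
        -e 's/^olcTLSCertificateKeyFile:[[:space:]]*/key /p' "$1"
}

# Check one file as the current user. Return codes: 1 missing, 2 unreadable,
# 3 not a PEM block of the expected type, 4 openssl could not parse it.
check_tls_file() {
    path=$1 kind=$2
    [ -e "$path" ] || { echo "MISSING    $path"; return 1; }
    [ -r "$path" ] || { echo "DENIED     $path (uid $(id -u) cannot read it)"; return 2; }
    case $kind in
        ca|cert) header='-----BEGIN CERTIFICATE-----' ;;
        key)     header='-----BEGIN .*PRIVATE KEY-----' ;;
        *)       echo "unknown kind: $kind"; return 5 ;;
    esac
    grep -q -- "$header" "$path" || { echo "NOTPEM     $path (no $kind block found)"; return 3; }
    # A key file that also holds a CSR (CA.pl's newreq.pem layout) is a smell:
    # the next "CA.pl -newreq" overwrites it. Warn, but keep checking.
    if [ "$kind" = key ] && grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$path"; then
        echo "WARNING    $path also contains a certificate request"
    fi
    # Deeper format check only when openssl is installed on this box.
    if command -v openssl >/dev/null 2>&1; then
        case $kind in
            ca|cert) openssl x509 -noout -subject -in "$path" >/dev/null 2>&1 ;;
            # -passin pass: makes an encrypted key fail instead of prompting;
            # a daemon has nobody to type the passphrase for it at start-up.
            key)     openssl pkey -noout -passin pass: -in "$path" >/dev/null 2>&1 ;;
        esac || { echo "UNPARSABLE $path (openssl rejected it)"; return 4; }
    fi
    echo "OK         $path"
}

# Check every TLS file named in the LDIF; the return value is the number of
# files that failed, so 0 means slapd should at least be able to open them.
check_slapd_tls() {
    bad=0
    oldifs=$IFS
    IFS='
'
    for line in $(tls_paths_from_ldif "$1"); do
        IFS=$oldifs
        kind=${line%% *}
        path=${line#* }
        check_tls_file "$path" "$kind" || bad=$((bad + 1))
    done
    IFS=$oldifs
    return $bad
}
```

The CSR warning is there because the FAQ's CA.pl workflow leaves the private key and the certificate request in the same newreq.pem, which is the layout the original configuration points at.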