I'm running a non-production 2.3.27 slapd server on my home network. I had to transfer it to another machine so I copied the conf file & database files to the new machine. Before starting the service I edited the slapd.conf to comment out the TLS entries since I hadn't installed openssl & the cert yet.
When I started slapd, it immediately stopped and I received the dreaded "main: TLS init def ctx failed: -1". I remembered having this issue when I was trying to get TLS running. So I ran strace (I'm running Linux 2.6.x) and finally found this:
open("/etc/ssl/myca/cacert.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
I was a bit confused and rechecked to make sure I had indeed commented out all the lines and that slapd was referencing the correct conf file. All was correct.
On a lark, I took a look at ldap.conf which I had copied from my old server as well. It still had

    TLS_CACERT /etc/ssl/myca/cacert.pem
    TLS_REQCERT allow
As soon as I commented out those lines, slapd started and stayed running.
Can someone help me understand the relationship between slapd and the ldap.conf file? I thought that was the client conf file.
Thanks!
\Greg
Greg Martin wrote:
> I'm running a non-production 2.3.27 slapd server on my home network. I had to transfer it to another machine so I copied the conf file & database files to the new machine. Before starting the service I edited the slapd.conf to comment out the TLS entries since I hadn't installed openssl & the cert yet.
>
> When I started slapd, it immediately stopped and I received the dreaded "main: TLS init def ctx failed: -1". I remembered having this issue when I was trying to get TLS running. So I ran strace (I'm running Linux 2.6.x) and finally found this:
>
>     open("/etc/ssl/myca/cacert.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
>
> I was a bit confused and rechecked to make sure I had indeed commented out all the lines and that slapd was referencing the correct conf file. All was correct.
>
> On a lark, I took a look at ldap.conf which I had copied from my old server as well. It still had
>
>     TLS_CACERT /etc/ssl/myca/cacert.pem
>     TLS_REQCERT allow
>
> As soon as I commented out those lines, slapd started and stayed running.
>
> Can someone help me understand the relationship between slapd and the ldap.conf file? I thought that was the client conf file.
Actually, there's been a little bit of confusion about this. ldap.conf(5) is indeed the client configuration file, which is read by default by the libldap client library. However, slapd contains a little bit of client functionality, for example what's used by the syncrepl consumer to contact the provider, or the proxy backends back-ldap & back-meta (there might be more I'm not considering right now).

The first time any libldap-related function call is invoked, the library itself is initialized, and ldap.conf(5) is parsed. This is typically harmless, as none of the defaults in ldap.conf(5) is used, __except__ TLS. If this is not required, you can disable it by setting LDAPNOINIT in the environment.

In HEAD (and 2.4) code, client-related TLS can also be specified in slapd.conf(5), so parsing of ldap.conf(5) could be entirely disabled (we'll need to consider that option, at least).

Hope this clarifies.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
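The failure mode in this thread (slapd aborting because a client ldap.conf copied from another host names a CA file that does not exist on the new one) is easy to catch before starting the daemon. The following pre-flight script is an added example, not code from the thread or from the OpenLDAP project: it pulls every uncommented TLS_CACERT / TLS_CERT / TLS_KEY / TLS_CACERTDIR directive out of an ldap.conf (directive name, whitespace, value, with `#` comment lines, as in ldap.conf(5)) and reports any path that is missing, exiting non-zero so a start-up wrapper can refuse to launch slapd. The sample ldap.conf it writes under a temporary directory is constructed for the demonstration; the path names in it are not from the original post.

```shell
#!/bin/sh
# Pre-flight check: find TLS_* path directives in an ldap.conf and verify
# that the files they point to exist, so a stale client config copied from
# another host does not abort slapd at startup ("TLS init def ctx failed").

# Print every uncommented TLS_CACERT / TLS_CERT / TLS_KEY / TLS_CACERTDIR
# value from the given ldap.conf, one path per line.
ldap_conf_tls_paths() {
    conf="$1"
    # Skip comment lines; match the directive name case-insensitively
    # (ldap.conf(5) directives are not case-sensitive); print the value.
    awk '
        /^[[:space:]]*#/ { next }
        toupper($1) ~ /^TLS_(CACERT|CERT|KEY|CACERTDIR)$/ { print $2 }
    ' "$conf"
}

# Return 0 if every TLS path in the ldap.conf exists, 1 otherwise.
# Missing paths are listed on stdout.
check_ldap_conf_tls() {
    conf="$1"
    missing=0
    for p in $(ldap_conf_tls_paths "$conf"); do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            missing=1
        fi
    done
    return $missing
}

# --- constructed sample ldap.conf (hypothetical paths, not from the post) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/ldap.conf" <<EOF
# ldap.conf copied over from the old server
BASE dc=example,dc=com
URI ldap://localhost
TLS_CACERT $tmpdir/missing-cacert.pem
TLS_REQCERT allow
#TLS_CERT $tmpdir/commented-out.pem
EOF

if check_ldap_conf_tls "$tmpdir/ldap.conf"; then
    echo "ok: all TLS paths in ldap.conf exist"
else
    # Either fix the paths, or (as described in the reply above) set
    # LDAPNOINIT in slapd's environment so libldap skips ldap.conf entirely,
    # e.g.: LDAPNOINIT=1 slapd -f /etc/openldap/slapd.conf
    echo "stale TLS paths in ldap.conf; fix them or start slapd with LDAPNOINIT set"
fi
```

The check only inspects the paths; it does not validate the certificates themselves. Setting LDAPNOINIT also disables the other ldap.conf defaults (BASE, URI, and so on), which is harmless for slapd per the reply above but matters if the same environment is inherited by command-line ldap tools.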
Yes - thanks!
\Greg
Pierangelo Masarati wrote:
> Greg Martin wrote:
>> I'm running a non-production 2.3.27 slapd server on my home network. I had to transfer it to another machine so I copied the conf file & database files to the new machine. Before starting the service I edited the slapd.conf to comment out the TLS entries since I hadn't installed openssl & the cert yet.
>>
>> <snip>
>>
>> On a lark, I took a look at ldap.conf which I had copied from my old server as well. It still had
>>
>>     TLS_CACERT /etc/ssl/myca/cacert.pem
>>     TLS_REQCERT allow
>
> Actually, there's been a little bit of confusion about this. ldap.conf(5) is indeed the client configuration file, which is read by default by the libldap client library. However, slapd contains a little bit of client functionality, for example what's used by the syncrepl consumer to contact the provider, or the proxy backends back-ldap & back-meta (there might be more I'm not considering right now).
>
> The first time any libldap-related function call is invoked, the library itself is initialized, and ldap.conf(5) is parsed. This is typically harmless, as none of the defaults in ldap.conf(5) is used, __except__ TLS. If this is not required, you can disable it by setting LDAPNOINIT in the environment.
>
> In HEAD (and 2.4) code, client-related TLS can also be specified in slapd.conf(5), so parsing of ldap.conf(5) could be entirely disabled (we'll need to consider that option, at least).
>
> Hope this clarifies.
>
> p.
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
openldap-software@openldap.org