Hello everybody,
I have two serious problems with my LDAP, maybe you have a hint for me.
Problem 1 might be connected to number 2, but I'm not sure. I use OpenLDAP 2.4.12 on a SLES11 system. The init script to start/stop the service, called "rcldap", knows 3 states: unused, running and dead.
When I start up the LDAP it's in state running. After about 10-15 min the LDAP doesn't respond anymore and an "rcldap status" tells me that the service is dead. I have no clue why it behaves this way. The logs tell me that the backup system fetches some data, and then the log ends without any further notice. The PID file still exists, but the process is gone.
Problem 2 has to do with TLS. I have the CA of our (sub)company, a certificate for the LDAP machine and the associated private key file. The certificate chain is: Deutsche Telekom Root CA -> Company CA -> Subcompany CA -> certificate of the LDAP machine. The certificate for the LDAP machine seems to have been generated with/by the Company CA.
If I put these files into the slapd config with:
TLSCACertificateFile /etc/openldap/certs/SubcompanyCA.pem
TLSCertificateFile /etc/openldap/certs/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/certs/ldapprivkey.pem
TLSVerifyClient demand
and the following lines in the /etc/ldap.conf:
TLS_CACERT /etc/openldap/certs/SubcompanyCA.pem
TLS_REQCERT demand
it crashes at the TLS certificate verification, because it can't get the local issuer certificate.
If I use the Company CA in both places instead of the Subcompany CA, it fails too. If I mix it up, with the Subcompany CA in slapd.conf and the Company CA in ldap.conf, the certificate verification succeeds, but I get a TLS trace: SSL3 alert read:fatal:handshake failure
I don't know how to handle this problem.
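The following is an added example, not part of the original post and not the poster's configuration. It rebuilds a four-level chain of the same shape as the one described above (root CA -> company CA -> subcompany CA -> LDAP host certificate) with throw-away keys and test names, then uses `openssl verify` to show which CA file lets the host certificate verify. The point it demonstrates is that a CA file handed to `TLSCACertificateFile` or `TLS_CACERT` must contain every CA from the issuer up to a self-signed root, not just the issuing CA; a single intermediate on its own, and the root on its own without the intermediates, both fail to build the chain. All file names, subject names and the `chain.pem` layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build a test chain
#   Test Root CA -> Test Company CA -> Test Subcompany CA -> ldap.example.test
# and check with `openssl verify` which CA file validates the host certificate.
# Everything lives in a temporary directory and is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a fresh RSA key and CSR for file prefix $1 with common name $2.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Sign $1.csr as a CA certificate. $2 is the issuing CA's file prefix;
# an empty $2 produces a self-signed root. Extensions come from an
# explicit ext file so the result does not depend on the system openssl.cnf.
sign_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  if [ -z "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" \
      -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

# Build the whole chain plus the two CA-file variants used below.
make_chain() {
  new_csr root       "Test Root CA";       sign_ca root ""
  new_csr company    "Test Company CA";    sign_ca company root
  new_csr subcompany "Test Subcompany CA"; sign_ca subcompany company
  # End-entity certificate for the LDAP host, issued by the subcompany CA.
  new_csr ldap "ldap.example.test"
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/subcompany.pem" \
    -CAkey "$WORK/subcompany.key" -CAcreateserial -days 2 -sha256 \
    -out "$WORK/ldap.pem" >/dev/null 2>&1
  # chain.pem: what a TLSCACertificateFile / TLS_CACERT needs, issuer up to root.
  cat "$WORK/subcompany.pem" "$WORK/company.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  # intermediates.pem: what a TLS server would send alongside its own certificate.
  cat "$WORK/subcompany.pem" "$WORK/company.pem" > "$WORK/intermediates.pem"
}

# Exit 0 only if `openssl verify` reports certificate $2 as OK using CA file $1.
verify_with() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Same, but with the intermediates in $2 supplied as untrusted (peer-sent) certs.
verify_with_untrusted() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'
}

# Print the verifier's first "error N at D depth lookup: ..." line, if any.
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 | sed -n '/depth lookup/{p;q;}'
}

make_chain
for ca in subcompany company root chain; do
  if verify_with "$WORK/$ca.pem" "$WORK/ldap.pem"; then
    echo "CAfile $ca.pem: OK"
  else
    echo "CAfile $ca.pem: FAILED ($(verify_error "$WORK/$ca.pem" "$WORK/ldap.pem"))"
  fi
done
if verify_with_untrusted "$WORK/root.pem" "$WORK/intermediates.pem" "$WORK/ldap.pem"; then
  echo "CAfile root.pem + intermediates sent by the peer: OK"
fi
cat <<EOF

# Example directives (assumed paths) with the complete chain in one CA file:
# slapd.conf:  TLSCACertificateFile $WORK/chain.pem
# ldap.conf:   TLS_CACERT $WORK/chain.pem
EOF
```

Two checks worth making on a real deployment follow from this. First, `openssl verify -CAfile <your CA file> <your host cert>` is the same test slapd and the client library perform, so run it against each CA file before restarting slapd; if it does not say OK, the file is missing a link in the chain. Second, `TLSVerifyClient demand` requires every connecting client to present a certificate that the server's `TLSCACertificateFile` can validate; a client configured only with `TLS_CACERT` and `TLS_REQCERT demand`, with no `TLS_CERT`/`TLS_KEY`, has no certificate to offer and the server will terminate the handshake.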