Make sure slapd can read the certs and private key. In addition to typical
ownership and permissions, the openldap user should belong to the ssl-cert
group and the slapd AppArmor profile must allow access to the directories
containing your certs.
On Mon, Jul 13, 2009 at 5:22 AM, Asimananda Mohanty <asimananda.mohanty(a)gmail.com> wrote:
Hi,
I ran the command "slapd -d 16383"; the output is attached in case it
proves useful.
In this output, ldap-company.com.crt is server.crt as defined in my
earlier mails. I have changed it to try some luck, but it was fruitless.
-Asimananda
On Mon, Jul 13, 2009 at 10:55 AM, Asimananda Mohanty <asimananda.mohanty(a)gmail.com> wrote:
> Hi Matt,
>
> I created the certificates following the procedure defined in
> https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html
>
> I created a CA and signed the certificate as defined in the steps.
>
> The ownership is openldap:openldap for cacert.pem and server.crt and
> openldap:ssl-cert for server.key.
>
> The rwx permission is 644 for all three.
>
> Thanks for the reply.
>
> -Asimananda
>
>
> On Fri, Jul 10, 2009 at 7:47 PM, Matt Kassawara <battery(a)writeme.com> wrote:
>
>> How did you create the certificates? Can slapd read them?
>>
>> On Fri, Jul 10, 2009 at 5:00 AM, Asimananda Mohanty <asimananda.mohanty(a)gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I am currently busy configuring OpenLDAP on my newly installed Ubuntu
>>> 9.04.
>>>
>>> Here is what I have done till now.
>>>
>>> I followed the steps defined in
>>> https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html and
>>> installation was successful. I installed phpLDAPadmin also.
>>>
>>> After I created the certificate, key, etc., I created a .ldif file
>>> (enable-ca.ldif) with the following content:
>>>
>>> dn: cn=config
>>> changetype: modify
>>> add: olcTLSCACertificateFile
>>> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
>>> -
>>> add: olcTLSCertificateFile
>>> olcTLSCertificateFile: /etc/ssl/certs/server.crt
>>> -
>>> add: olcTLSCertificateKeyFile
>>> olcTLSCertificateKeyFile: /etc/ssl/private/server.key
>>>
>>> Then I executed the command:
>>>
>>> ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif
>>>
>>> and it was a success.
>>>
>>> But after this, when I tried to restart slapd, I got errors like the
>>> following:
>>>
>>> main: TLS init def ctx failed: -1
>>>
>>> I noticed that after I executed 'ldapmodify -D "cn=admin,cn=config" -x
>>> -w 12345678 -f enable-ca.ldif', 3 lines are added to
>>> /etc/ldap/slapd.d/cn=config.ldif, and when I commented out the last two
>>> lines like the following, slapd started successfully.
>>>
>>> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
>>> #olcTLSCertificateFile: /etc/ssl/certs/server.crt
>>> #olcTLSCertificateKeyFile: /etc/ssl/private/server.key
>>>
>>> This looks quite strange.
>>>
>>> Please help me resolve this.
>>>
>>> -Asimananda
>>>
>>
>>
>
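The reply at the top of this thread asks for three things: that the account slapd runs as can read the certificate and key files, that it belongs to the ssl-cert group, and that the slapd AppArmor profile allows the directories involved. The script below is an added example (not code from the thread, from the Ubuntu server guide or from OpenLDAP) that turns those three checks into something you can run. It pulls the olcTLS*File paths out of a cn=config LDIF fragment, evaluates the POSIX permission check the way the kernel's path walk does (search bit on every parent directory, then read bit on the file) for a chosen uid and set of gids rather than for the calling process, and optionally tests each path against AppArmor file rules with a simplified glob matcher (no variables, braces or quoting). The demo() function builds a constructed stand-in for the thread's /etc/ssl layout in a temporary directory with synthetic uids; the 0710 root:ssl-cert mode of /etc/ssl/private, the account name openldap and the profile path /etc/apparmor.d/usr.sbin.slapd are the Ubuntu defaults assumed here.

```python
import grp, os, pwd, re, stat, tempfile
from dataclasses import dataclass

TLS_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile")

@dataclass(frozen=True)
class Identity:
    """Who slapd runs as: uid plus primary and supplementary gids."""
    uid: int
    gids: frozenset

def identity_of(user):
    """Resolve a local account such as 'openldap' to an Identity (real server use)."""
    pw = pwd.getpwnam(user)
    return Identity(pw.pw_uid, frozenset({pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}))

def tls_files(ldif_text):
    """Map each active (not '#'-commented) olcTLS*File attribute to its path."""
    found = {}
    for line in ldif_text.splitlines():
        m = re.match(r"^(olcTLS\w+File):\s*(\S+)\s*$", line)
        if m and m.group(1) in TLS_ATTRS:
            found[m.group(1)] = m.group(2)
    return found

def _perm_bits(st, who):
    """The rwx triplet that applies to `who`: owner, else group, else other (root gets all)."""
    if who.uid == 0:
        return 7
    if st.st_uid == who.uid:
        return (st.st_mode >> 6) & 7
    return (st.st_mode >> 3) & 7 if st.st_gid in who.gids else st.st_mode & 7

def read_problems(path, who):
    """[] if `who` can open `path` for reading, else a one-item list naming the blocker."""
    path = os.path.abspath(path)
    ancestors = [os.sep]
    for part in path.split(os.sep)[1:-1]:
        ancestors.append(os.path.join(ancestors[-1], part))
    # Same order as the kernel's path walk: x on every directory, then r on the file.
    for d, need, what in [(d, 1, "search (x)") for d in ancestors] + [(path, 4, "read")]:
        try:
            st = os.stat(d)
        except OSError as e:
            return ["%s: %s" % (d, e.strerror)]
        if not _perm_bits(st, who) & need:
            return ["%s: no %s permission for uid %d (mode %04o, owner %d:%d)"
                    % (d, what, who.uid, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)]
    return []

# Simplified AppArmor file rule "[deny] [owner] /path modes,": '*' matches within one
# path component, '**' across components; variables, braces and quoting are not handled.
_RULE = re.compile(r"^\s*(deny\s+)?(?:owner\s+)?(/\S+)\s+([A-Za-z]+),\s*$")

def _glob_to_regex(glob):
    parts = re.split(r"(\*\*|\*)", glob)
    return "^" + "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts) + "$"

def apparmor_allows_read(profile_text, path):
    """True if some allow rule grants 'r' on `path` and no matching deny rule takes it away."""
    allowed = False
    for m in filter(None, map(_RULE.match, profile_text.splitlines())):
        if "r" in m.group(3) and re.match(_glob_to_regex(m.group(2)), path):
            if m.group(1):
                return False
            allowed = True
    return allowed

def check_slapd_tls(ldif_text, who, apparmor_profile=None):
    """attribute -> list of problems; an empty list means slapd can read that file."""
    report = {}
    for attr, path in tls_files(ldif_text).items():
        problems = read_problems(path, who)
        if apparmor_profile is not None and not apparmor_allows_read(apparmor_profile, path):
            problems.append("%s: no AppArmor rule grants 'r'" % path)
        report[attr] = problems
    return report

def demo():
    """Constructed stand-in for the thread's layout in a temp dir: certs/ 0755 and
    private/ 0710 (as Ubuntu ships /etc/ssl/private), every file 0644 as reported.
    Returns the reports for a synthetic slapd uid outside and inside private/'s group."""
    root = tempfile.mkdtemp(dir="/tmp" if os.access("/tmp", os.W_OK) else None)
    os.chmod(root, 0o755)
    for sub, mode in (("certs", 0o755), ("private", 0o710)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    for name in ("certs/cacert.pem", "certs/server.crt", "private/server.key"):
        with open(os.path.join(root, name), "w") as f:
            f.write("constructed placeholder, not a real certificate\n")
        os.chmod(os.path.join(root, name), 0o644)
    ldif = "dn: cn=config\nchangetype: modify\n" + "".join(
        "add: %s\n%s: %s/%s\n-\n" % (a, a, root, p) for a, p in zip(
            TLS_ATTRS, ("certs/cacert.pem", "certs/server.crt", "private/server.key")))
    profile = "  %s/certs/** r,\n  %s/private/** r,\n" % (root, root)
    uid = 60001 if os.getuid() != 60001 else 60002  # synthetic, never the caller's uid
    gid = os.stat(os.path.join(root, "private")).st_gid  # plays the ssl-cert group
    outsider, member = Identity(uid, frozenset({uid})), Identity(uid, frozenset({uid, gid}))
    return check_slapd_tls(ldif, outsider, profile), check_slapd_tls(ldif, member, profile)
```

In the demo the key is reported unreadable for the outsider even though server.key itself is 0644, because the walk stops at private/ (0710, no search bit for "other"); adding the directory's gid to the identity, which is what `adduser openldap ssl-cert` does on the real box, clears it. On a real server run it as root (the key directory is not traversable otherwise) with check_slapd_tls(open("/etc/ldap/slapd.d/cn=config.ldif").read(), identity_of("openldap"), open("/etc/apparmor.d/usr.sbin.slapd").read()); the AppArmor check is a rule-text approximation and does not replace reading the kernel's denial messages.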