Make sure slapd can read the certs and private key.  In addition to typical ownership and permissions, the openldap user should belong to the ssl-cert group and the slapd AppArmor profile must allow access to the directories containing your certs.

On Mon, Jul 13, 2009 at 5:22 AM, Asimananda Mohanty <> wrote:

I ran the command "slapd -d 16383" and attached is the output of the same in case it may prove to be useful.

In this output, is server.crt as defined in in my earlier mails. I have changed it to try some luck, but it was fruitless.


On Mon, Jul 13, 2009 at 10:55 AM, Asimananda Mohanty <> wrote:
Hi Matt,

I created the certificates following the procedure defined in

I created a CA and signed the certificate as defined in the steps.

The ownership is of openldap:openldap for cacert.pem and server.crt and openldap:ssl-cert for server.key.

The rwx permissions are 644 for all three.

Thanks for the reply.


On Fri, Jul 10, 2009 at 7:47 PM, Matt Kassawara <> wrote:
How did you create the certificates?  Can slapd read them?

On Fri, Jul 10, 2009 at 5:00 AM, Asimananda Mohanty <> wrote:
Hi All,

I am currently busy configuring OpenLDAP on my newly installed Ubuntu 9.04.

Here is what I have done till now.

I followed the steps defined in and installation was successful. I installed PhpLdapAdmin also.

After I created the certificate, key etc., I created a .ldif file (enable-ca.ldif) with the following content:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
-

Then I executed the command:

ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif

and it was a success.

But after this, when I tried to restart slapd, I got errors like the following:

main: TLS init def ctx failed: -1

I noticed that after I executed "ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif", three lines were added to /etc/ldap/slapd.d/cn=config.ldif, and when I commented out the last two lines like the following, slapd started successfully.

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
#olcTLSCertificateFile: /etc/ssl/certs/server.crt
#olcTLSCertificateKeyFile: /etc/ssl/private/server.key

This looks quite strange.

Please help me resolve the same.
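The "can slapd read them?" check from the first reply, as an added example for this thread (not code from any of the posters). It assumes GNU stat(1) and id(1) as on Ubuntu, that the slapd AppArmor profile is /etc/apparmor.d/usr.sbin.slapd, and that /etc/ssl/private is root:ssl-cert mode 710 as the ssl-cert package sets it, which is why the openldap user needs ssl-cert membership even for a key it owns.

```shell
#!/bin/sh
# Added example (not from the thread): can USER read FILE, judged the way the
# kernel does it: owner bits if USER owns it, else group bits if USER is in
# the file's group, else other bits. The directory holding the file must also
# be searchable (x bit), which is why openldap needs the ssl-cert group for
# /etc/ssl/private (root:ssl-cert, mode 710 on Ubuntu).

# perm_bit OWNER GROUP MODE USER "GROUPS" BIT -> 0 if BIT (4=r,2=w,1=x) is
# granted to USER, else 1. GROUPS is USER's space-separated group list.
perm_bit() {
    owner=$1; group=$2; mode=$3; user=$4; groups=$5; bit=$6
    perm=${mode#"${mode%???}"}            # last three octal digits only
    u=${perm%??}; o=${perm#??}; g=${perm#?}; g=${g%?}
    if [ "$user" = "$owner" ]; then digit=$u
    else case " $groups " in *" $group "*) digit=$g ;; *) digit=$o ;; esac
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# Real-file check with GNU stat(1) and id(1): 0 readable, 1 not readable,
# 2 undetermined (missing file or user, or stat denied; re-run as root).
file_readable_by() {
    path=$1; user=$2
    grps=$(id -Gn "$user" 2>/dev/null) || return 2
    dinfo=$(stat -c '%U %G %a' "$(dirname "$path")" 2>/dev/null) || return 2
    finfo=$(stat -c '%U %G %a' "$path" 2>/dev/null) || return 2
    set -- $dinfo; perm_bit "$1" "$2" "$3" "$user" "$grps" 1 || return 1
    set -- $finfo; perm_bit "$1" "$2" "$3" "$user" "$grps" 4
}

# The three paths from enable-ca.ldif, checked for the openldap user.
# /etc/apparmor.d/usr.sbin.slapd is assumed to be the slapd profile path.
check_slapd_tls_files() {
    for f in /etc/ssl/certs/cacert.pem /etc/ssl/certs/server.crt \
             /etc/ssl/private/server.key; do
        file_readable_by "$f" openldap; rc=$?
        case $rc in
            0) echo "ok           $f" ;;
            2) echo "undetermined $f (missing, or re-run as root)" ;;
            *) echo "UNREADABLE   $f (owner/group/mode, or ssl-cert membership)" ;;
        esac
    done
    # AppArmor must also allow the directories; show what the profile says.
    [ -r /etc/apparmor.d/usr.sbin.slapd ] && grep -n ssl /etc/apparmor.d/usr.sbin.slapd
}
```

Run check_slapd_tls_files as root on the server; an UNREADABLE line for server.key with ownership as described in the thread points at the /etc/ssl/private directory rather than the file itself.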