I was following an Ubuntu howto at https://help.ubuntu.com/12.04/serverguide/openldap-server.html, which has served me well so far, and I was working on the part where TLS is set up.
I made an ldif file like:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/grackle_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/grackle_slapd_key.pem
and, well, I blew it. I initially had a typo in it, and the server cert and key weren't where I said they were.
I ran ldapmodify to load the ldif file above:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
Then I tried to restart slapd, and perhaps unsurprisingly it did not restart.
Aug 8 16:41:30 grackle slapd[1660]: @(#) $OpenLDAP: slapd (Jul 26 2012 00:10:41) $#012#011buildd@aatxe:/build/buildd/openldap-2.4.28/debian/build/servers/slapd
Aug 8 16:41:30 grackle slapd[1660]: main: TLS init def ctx failed: -1
Aug 8 16:41:30 grackle slapd[1660]: slapd stopped.
Aug 8 16:41:30 grackle slapd[1660]: connections_destroy: nothing to destroy.
So I thought I'd just fix my ldif file, which I did, and then run ldapmodify again. But no, that clearly wasn't going to work because slapd wasn't running. Not knowing what else to do, I removed the lines containing "olcTLS" from /etc/ldap/slapd.d/cn=config.ldif. Then I was able to restart slapd (congratulating myself) and then re-ran my ldapmodify command to enter the correct locations of the cert and key. But I still get a checksum error in syslog:
Aug 8 17:04:53 grackle slapd[2028]: slapd starting
Aug 8 17:05:01 grackle slapd[2028]: ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config.ldif"
I haven't even tried to see if I have TLS working, but I have two questions:
#1. How should I have recovered from this (human) error? What I did didn't seem to work out very well.
and
#2. How do I un-screw my config and resolve the checksum problem?
Thanks in advance for any assistance.
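Added example (not from the original post or from OpenLDAP): a small Python script that checks and recomputes the checksum header slapd writes at the top of every file under slapd.d, which is what the "ldif_read_file: checksum error" complains about after a hand edit. It assumes the checksum is a standard CRC-32 over everything after the "# CRC32 ..." header line; the script name fix_crc.py and the sample cn=config.ldif content are constructed for illustration.

```python
import sys
import zlib
CRC_PREFIX = b"# CRC32 "

def split_ldif(data: bytes):
    """Return (prefix, body): prefix is the comment header up to and including
    the '# CRC32 ...' line, body is everything after it (what the checksum
    covers). Without a '# CRC32' header prefix is empty and slapd skips the check."""
    lines = data.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith(CRC_PREFIX):
            return b"".join(lines[:i + 1]), b"".join(lines[i + 1:])
        if not line.startswith(b"#"):
            break  # header comments end at the first non-comment line
    return b"", data

def compute_crc(body: bytes) -> int:
    # Assumption: slapd uses the standard CRC-32 (same polynomial as zlib).
    return zlib.crc32(body) & 0xFFFFFFFF

def verify(data: bytes) -> bool:
    """True if the stored header matches the body (or there is no header)."""
    prefix, body = split_ldif(data)
    if not prefix:
        return True
    stored = int(prefix.splitlines()[-1][len(CRC_PREFIX):].strip(), 16)
    return stored == compute_crc(body)

def repair(data: bytes) -> bytes:
    """Rewrite the '# CRC32' line so it matches the current body."""
    prefix, body = split_ldif(data)
    if not prefix:
        return data
    head = prefix.splitlines(keepends=True)[:-1]  # keep the AUTO-GENERATED line
    return b"".join(head) + CRC_PREFIX + b"%08x\n" % compute_crc(body) + body

# Constructed sample cn=config.ldif carrying the TLS attributes from the question.
HEADER = b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n# CRC32 00000000\n"
BODY = (b"dn: cn=config\nobjectClass: olcGlobal\ncn: config\n"
        b"olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem\n"
        b"olcTLSCertificateFile: /etc/ssl/certs/grackle_slapd_cert.pem\n"
        b"olcTLSCertificateKeyFile: /etc/ssl/private/grackle_slapd_key.pem\n")
GOOD = repair(HEADER + BODY)  # what slapd itself would have written
# Hand-deleting the olcTLS lines (as in the question) invalidates the header.
TAMPERED = b"".join(l for l in GOOD.splitlines(keepends=True) if b"olcTLS" not in l)

if __name__ == "__main__":  # usage: python3 fix_crc.py /etc/ldap/slapd.d/cn=config.ldif
    data = open(sys.argv[1], "rb").read()  # stop slapd and back the file up first
    if not verify(data):
        open(sys.argv[1], "wb").write(repair(data))
```

Deleting the "# CRC32" line altogether also silences the check, since slapd only verifies a checksum when that header is present.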