Hello guys! I tried to deploy an OpenLDAP replica on Ubuntu 14.04. I copied the database via slapcat (slapadd) and slapd.conf from another replica (CentOS 6.7 with OpenLDAP: slapd 2.4.40). After all slaptest errors were fixed, the slapd service ran once, but after 5 minutes without any changes it failed to start again, and currently it still doesn't work. I can't find any ldap log.
Maybe somebody has faced this kind of problem. I would very much appreciate any advice.
run both slapd(8) in debugging mode and level stats sync
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
In the debug output of slapd -d -1 I saw that ldap is trying to load from the /etc/ldap/slap.d/ directory, although I had put "SLAPD_CONF=/etc/ldap/slapd.conf" in /etc/default/slapd. After I cleaned up the /etc/ldap/slap.d/ directory, ldap started to load the db and schema, but it still can't start, with this error:
    TLS: could not set cipher list HIGH:+TLSv1:+SSLv2:+SSLv3.
    56728db6 main: TLS init def ctx failed: -1
    56728db6 slapd destroy: freeing system resources.
    56728db6 syncinfo_free: rid=115
    56728db6 slapd stopped.
    56728db6 connections_destroy: nothing to destroy.
When I try "openssl ciphers -v HIGH:+TLSv1:+SSLv2:+SSLv3" it works fine without any error.
On 12/17/2015 06:02 PM, Andrei Valoshyn wrote:
I tried to replace "TLSCipherSuite HIGH:+TLSv1:+SSLv2:+SSLv3" with "TLSCipherSuite NORMAL" as described here: https://wiki.debian.org/LDAP/OpenLDAPSetup
After that I got:
    5672d1f5 main: TLS init def ctx failed: -207
    5672d1f5 slapd destroy: freeing system resources.
    5672d1f5 syncinfo_free: rid=115
    5672d1f5 slapd stopped.
    5672d1f5 connections_destroy: nothing to destroy.
On 12/17/2015 07:14 PM, Ryan Tandy wrote:
Which TLS library is your slapd linked against? The cipher strings for OpenSSL are very different, for example, from the priority strings for GnuTLS.
The issue was fixed. I had incorrect SSL certificates. Thanks, guys!
OpenLDAP has probably been compiled with another SSL library like GnuTLS or MOZNSS.
-Dieter
openldap-technical@openldap.org
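The check Ryan Tandy and Dieter Klünter point to in this thread, as an added example that is not part of the original messages: it names the TLS library from `ldd` output and flags a TLSCipherSuite value written in the other library's syntax. The function names, the GnuTLS keyword list used as a heuristic, and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not from the thread.

# tls_backend: read `ldd` output on stdin and name the TLS library slapd links to.
tls_backend() {
    libs=$(cat)
    case "$libs" in
        *libgnutls*)            echo gnutls ;;
        *libssl3.so*|*libnss3*) echo moznss ;;
        *libssl.so*)            echo openssl ;;
        *)                      echo unknown ;;
    esac
}

# suite_syntax: guess the syntax of a TLSCipherSuite value from its first token.
# Heuristic (assumption): GnuTLS priority strings start with one of these base
# keywords; anything else is treated as an OpenSSL cipher list.
suite_syntax() {
    case "${1%%:*}" in
        NORMAL|PERFORMANCE|LEGACY|PFS|SECURE128|SECURE192|SECURE256|SUITEB128|SUITEB192|NONE)
            echo gnutls ;;
        *)  echo openssl ;;
    esac
}

# check_suite BACKEND SUITE: print ok, mismatch or unchecked.
check_suite() {
    case "$1" in
        gnutls|openssl)
            if [ "$(suite_syntax "$2")" = "$1" ]; then echo ok; else echo mismatch; fi ;;
        *)  echo unchecked ;;
    esac
}

# Constructed sample of `ldd "$(command -v slapd)"` output on a GnuTLS build.
SAMPLE_LDD='	libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
	libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'

# Run both TLSCipherSuite values from the thread against the detected backend.
backend=$(printf '%s\n' "$SAMPLE_LDD" | tls_backend)
for suite in 'HIGH:+TLSv1:+SSLv2:+SSLv3' 'NORMAL'; do
    printf '%s with "%s": %s\n' "$backend" "$suite" "$(check_suite "$backend" "$suite")"
done
```

On a real host, pipe `ldd "$(command -v slapd)"` into `tls_backend` instead of the sample text.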