Hello everybody,
I've got two serious problems with my LDAP; maybe you have a hint for them.
Problem 1 might have a connection to nr 2, but I'm not sure. I use OpenLDAP 2.4.12 on a SLES11 system. The initscript to start/stop the service, called "rcldap", knows 3 states: unused, running and dead.
When I start up the LDAP it's in state running. After about 10-15 min the LDAP doesn't respond anymore and "rcldap status" tells me that the service is dead. I have no clue why it behaves this way. The logs tell me that the Backup-System fetches some data and then the log ends without any further notice. The pid file still exists, but the process is gone.
Problem 2 has to do with TLS. I got the CA of our (sub)company, a certificate for the LDAP machine and the associated private key file. The certificate chain is: Deutsche Telekom Root CA -> Company CA -> Subcompany CA -> Certificate of LDAP machine. The certificate for the LDAP machine seems to be generated with/by the Company CA.
If I put these files into the slapd config with:
  TLSCACertificateFile /etc/openldap/certs/SubcompanyCA.pem
  TLSCertificateFile /etc/openldap/certs/ldapcert.pem
  TLSCertificateKeyFile /etc/openldap/certs/ldapprivkey.pem
  TLSVerifyClient demand
and the following lines in the /etc/ldap.conf:
  TLS_CACERT /etc/openldap/certs/SubcompanyCA.pem
  TLS_REQCERT demand
it fails at the TLS certificate verification, because it can't get the local issuer certificate.
If I use the Company CA in both places instead of the Subcompany CA, it fails too. If I mix it up, with the SubcompanyCA in the slapd.conf and the CompanyCA in the ldap.conf, the certificate verification succeeds, but I get a TLS trace: SSL3 alert read:fatal:handshake failure
I don't know how to handle that problem.
Florian Götz f.goetz@hs-mannheim.de writes:
> Hello everybody,
> I've got two serious problems with my LDAP; maybe you have a hint for them.
> Problem 1 might have a connection to nr 2, but I'm not sure. I use OpenLDAP 2.4.12 on a SLES11 system. The initscript to start/stop the service, called "rcldap", knows 3 states: unused, running and dead.
> When I start up the LDAP it's in state running. After about 10-15 min the LDAP doesn't respond anymore and "rcldap status" tells me that the service is dead. I have no clue why it behaves this way. The logs tell me that the Backup-System fetches some data and then the log ends without any further notice. The pid file still exists, but the process is gone.
1. Run slapd with strace to watch the files loaded.
2. Run slapd in debugging mode.
3. Then watch the certificate verification.
-Dieter
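As an added example for both the chain problem in the first post and the "watch the certificate verification" step in the reply (this is not code from either message): a constructed Root -> Company CA -> Subcompany CA chain with a server certificate issued by the Company CA, checked with openssl verify the way a client with TLS_REQCERT demand checks slapd's certificate. The CA names mirror the thread; all keys, certificates and the helper function names are made up for the demo, and only the openssl command line is needed.

```shell
#!/bin/sh
# Added example (not from the thread): constructed Root -> Company CA -> server
# cert chain, verified the way an LDAP client verifies the slapd certificate.
# All names are made up for the demo; only the openssl CLI is required.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# mk_cert NAME ISSUER EXTFILE: new key and CSR, signed by ISSUER ("self" = self-signed).
mk_cert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
mk_cert RootCA self ca.ext
mk_cert CompanyCA RootCA ca.ext
mk_cert SubcompanyCA CompanyCA ca.ext
mk_cert ldapcert CompanyCA leaf.ext   # server cert issued by the Company CA, as in the thread
cat RootCA.pem CompanyCA.pem SubcompanyCA.pem > fullchain.pem

# issuer_of CERT: issuer DN such as "CN=CompanyCA". It must match the subject of a
# certificate in the file named by TLSCACertificateFile / TLS_CACERT.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}
# verify_against CAFILE: exit 0 when ldapcert.pem chains up to a self-signed root in CAFILE.
verify_against() {
  openssl verify -CAfile "$1" ldapcert.pem >/dev/null 2>&1
}
# fail_reason CAFILE: the "error N at D depth lookup: ..." line openssl prints on failure.
fail_reason() {
  openssl verify -CAfile "$1" ldapcert.pem 2>&1 | grep -o 'error [0-9]* at [0-9]* depth lookup: .*' || true
}

# Subcompany CA alone: error 20, "unable to get local issuer certificate" (the thread's failure).
# Company CA alone also fails: it is present, but its own issuer (the root) is not trusted.
# The full chain file succeeds.
echo "server cert issuer: $(issuer_of ldapcert.pem)"
for ca in SubcompanyCA.pem CompanyCA.pem fullchain.pem; do
  if verify_against "$ca"; then echo "$ca: OK"; else echo "$ca: $(fail_reason "$ca")"; fi
done
```

The same check applies to the chain slapd sends: whatever is listed in TLSCACertificateFile has to let the peer walk from the server certificate up to a trusted root.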
openldap-technical@openldap.org