Hi,

When I try to start slapd I get this error message:

Checking configuration files for slapd: [WARNING] PROXIED attributeDescription "DC" inserted.
config file testing succeeded
Starting slapd: @(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $
    mockbuild@c6b10.bsys.dev.centos.org: /builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
PROXIED attributeDescription "DC" inserted.
bdb_db_open: database "dc=cassens,dc=com": unclean shutdown detected; attempting recovery.
bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery.
slapd starting
TLS: error: the certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap.cassens.com,OU=Ldap Server,O=Cassens Transport Company,C=US'.
ppolicy_bind: Setting warning for password expiry for cn=replication,dc=cassens,dc=com = 0 seconds
^Cdaemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.
This server was working last night, I had to promote our secondary ldap server this morning.
I have attempted to rebuild the database backend (with slapcat and slapadd), but am still getting this same error. I have my ssl (self-signed) certificates located in:

/etc/pki/tls/certs/ldap.cassens.com.pem
/etc/pki/tls/tls/certa/ca.pem
/etc/pki/tls/private/ldap.cassens.comKey.pem

These certificates worked fine up until today; does anyone have any insight on where to look to begin troubleshooting this issue?
Thanks, Eric Falbe
Hi,
Does anyone know where the database in the message

TLS: error: the certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication

is located, and how I might rebuild it?

Also, the only 3 configuration directives I have set for TLS are:

olcTLSCertificateFile: /etc/pki/tls/certs/ldap2.cassens.com.pem
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap2.cassens.comKey.pem
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.pem
On Wed, Mar 5, 2014 at 3:27 PM, Eric Falbe ericf706@gmail.com wrote:
On 03/06/14 16:13 -0600, Eric Falbe wrote:
Hi,
Does anyone know where the database in the message

TLS: error: the certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication
This error is likely coming from your ssl library. Search for the error message (-12285 points to an NSS error code).
See slapd-config(5) and its notes underneath olcTLSCACertificatePath, etc, and consult the documentation for NSS.
is located, and how I might rebuild it?

Also, the only 3 configuration directives I have set for TLS are:

olcTLSCertificateFile: /etc/pki/tls/certs/ldap2.cassens.com.pem
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap2.cassens.comKey.pem
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.pem
On Thu, 6 Mar 2014, Eric Falbe wrote:
Does anyone know where the database in the message

TLS: error: the certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication

is located, and how I might rebuild it?
That error is specific to when openldap is built against Mozilla NSS, so the centos-supplied binary you're using obviously links to that. Did you follow the NSS-specific instructions in the slapd-config(5) manpage? For example:

olcTLSCertificateFile: <filename>
    Specifies the file that contains the slapd server certificate.
    When using Mozilla NSS, if using a cert/key database (specified with olcTLSCACertificatePath), olcTLSCertificateFile specifies the name of the certificate to use:

        olcTLSCertificateFile: Server-Cert

    If using a token other than the internal built in token, specify the token name first, followed by a colon:

        olcTLSCertificateFile: my hardware device:Server-Cert

    Use certutil -L to list the certificates by name:

        certutil -d /path/to/certdbdir -L
Philip Guenther
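A small checker that applies the point above: it reads the olcTLS* directives as `slapcat -n0` prints them, parses `certutil -L`, and reports whether olcTLSCertificateFile resolves as a certificate nickname (certdb mode, olcTLSCACertificatePath set) or as a PEM file path. This is an added example, not code from the thread or from OpenLDAP; the certdb path /etc/openldap/certs, the nickname Server-Cert and the certutil listing are constructed, and treating a config without olcTLSCACertificatePath as PEM-file mode is an assumption drawn from the log's "successfully loaded from PEM file" line.

```python
import re

# Constructed inputs (not from the thread's server): Eric's three PEM-style directives
# as `slapcat -n0` prints them (LDIF folds long values onto a line starting with one
# space), a certdb-style config with hypothetical path/nickname, and a `certutil -L` listing.
PEM_LDIF = """dn: cn=config
olcTLSCertificateFile: /etc/pki/tls/certs/ldap2.cassens.com.pem
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap2.cassens.com
 Key.pem
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.pem
"""
NSS_LDIF = "dn: cn=config\nolcTLSCACertificatePath: /etc/openldap/certs\nolcTLSCertificateFile: Server-Cert\n"
CERTUTIL_L = """Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Cassens CA                                                   CT,,
ldap2.cassens.com                                            u,u,u
"""

def parse_olc_tls(ldif):
    """Return {attribute: value} for each olcTLS* attribute, unfolding wrapped lines."""
    unfolded = ldif.replace("\n ", "")
    return dict(re.findall(r"^(olcTLS\w+):\s*(.*?)\s*$", unfolded, re.M))

def certutil_nicknames(listing):
    """Return the set of nicknames in `certutil -L` output (nickname, spaces, trust flags)."""
    pat = re.compile(r"^(\S.*?)\s{2,}[A-Za-z]*,[A-Za-z]*,[A-Za-z]*\s*$")
    return {m.group(1) for m in map(pat.match, listing.splitlines()) if m}

def check_tls_config(attrs, nicknames, file_exists):
    """Findings for an NSS-linked slapd; file_exists is injected so the check runs offline."""
    findings = []
    cert = attrs.get("olcTLSCertificateFile", "")
    if "olcTLSCACertificatePath" in attrs:
        # certdb mode per slapd-config(5): the value is "[token:]nickname", not a file path
        nick = cert.rsplit(":", 1)[-1]
        if nick not in nicknames:
            findings.append("nickname %r not in certdb %s" % (nick, attrs["olcTLSCACertificatePath"]))
    else:
        # PEM-file mode (assumption, as in the thread's log): each directive must name an existing file
        for key in ("olcTLSCertificateFile", "olcTLSCertificateKeyFile", "olcTLSCACertificateFile"):
            if attrs.get(key) and not file_exists(attrs[key]):
                findings.append("%s: %s not found" % (key, attrs[key]))
    return findings

if __name__ == "__main__":
    import os  # on a real host, feed `slapcat -n0` and `certutil -d <certdb> -L` output instead
    for ldif in (PEM_LDIF, NSS_LDIF):
        print(check_tls_config(parse_olc_tls(ldif), certutil_nicknames(CERTUTIL_L), os.path.exists))
```

An empty findings list means every directive resolved in the mode the config implies; anything else is the mismatch to chase before touching the BDB backend again.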
On 05.03.2014 22:27, Eric Falbe wrote:
I have attempted to rebuild the database backend (with slapcat and slapadd), but am still getting this same error. I have my ssl (self-signed) certificates located in:

/etc/pki/tls/certs/ldap.cassens.com.pem
/etc/pki/tls/tls/certa/ca.pem
/etc/pki/tls/private/ldap.cassens.comKey.pem

These certificates worked fine up until today; does anyone have any insight on where to look to begin troubleshooting this issue?
Just a guess, but was the openldap rpm just updated? (or the service just restarted for the first time after a previous update).
Could this be related to RedHat/CentOS rpms deciding to start using GnuTLS instead of OpenSSL? Try searching in their bug databases.
E.g.: https://bugzilla.redhat.com/show_bug.cgi?id=707599
Yes, the openldap rpm was just updated, but it did not take effect until the slapd daemon was restarted. I have not explicitly tried to use the Mozilla NSS database; I did not use the TLSCADIR(?) attribute and instead used olcTLSCertificateFile, olcTLSCertificateKeyFile, and olcTLSCACertificateFile.
I will look into that bug and the documentation you pointed me at.
Thanks Eric Falbe
On Thu, Mar 6, 2014 at 5:29 PM, Terje Trane terjet@funcom.com wrote:
Eric Falbe wrote:
Yes, the openldap rpm was just updated, but it did not take effect until the slapd deamon was restarted. I have not explicitly tried to use the Mozilla NSS database, I did not use the TLSCADIR(?) attribute and instead used: olcTLSCertificateFile , olcTLSCertificateKeyFile, and olcTLSCACertificateFile.
I will look into that bug and the documentation you pointed me at.
For the record, RedHat uses Mozilla NSS, not GnuTLS. But regardless, neither is recommended. Quoting from the bug report linked below:
https://bugzilla.redhat.com/show_bug.cgi?id=707599#c56
"Finally, I have a solution, there were too many bugs which were complicating this:"
The referenced bugs were eventually fixed, but myriad problems remain and MozNSS itself is fundamentally broken by design; or rather, it was designed for single-user web browsers and was never meant to be used as a system library that multi-user services depend on. If you enjoy pounding square pegs into round holes, you can keep trying to use OpenLDAP as built by RedHat, but most sensible people will use something that's actually fit for the purpose.