1:27 p.m.
Hi,
When I try to start slapd I get this error message:
Checking configuration files for slapd: [WARNING]
PROXIED attributeDescription "DC" inserted.
config file testing succeeded
Starting slapd: @(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $
mockbuild(a)c6b10.bsys.dev.centos.org:
/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
PROXIED attributeDescription "DC" inserted.
bdb_db_open: database "dc=cassens,dc=com": unclean shutdown detected;
attempting recovery.
bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting
recovery.
slapd starting
TLS: error: the certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' could
not be found in the database - error -12285:Unable to find the certificate
or key necessary for authentication..
TLS: certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' successfully
loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap.cassens.com,OU=Ldap
Server,O=Cassens Transport Company,C=US'.
ppolicy_bind: Setting warning for password expiry for
cn=replication,dc=cassens,dc=com = 0 seconds
^Cdaemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.
This server was working last night, I had to promote our secondary ldap
server this morning.
I have attempted to rebuild the database backend (with slapcat and
slapadd), but am still getting this same error. I have my ssl
(self-signed) certificates located in
/etc/pki/tls/certs/ldap.cassens.com.pem /etc/pki/tls/tls/certa/ca.pem
/etc/pki/tls/private/ldap.cassens.comKey.pem
These certificates worked fine up untill today, does anyone have any
insight on where to look to being troubleshooting this issue?
Thanks,
Eric Falbe
2:13 p.m.
Hi,
Does anyone know where the database in the message:
TLS: error: the certificate '/etc/pki/tls/certs/ldap.
cassens.com.pem' could not be found in the database - error -12285:Unable
to find the certificate or key necessary for authentication
Is located at and how I might rebuild it?
Also, the only 3 configuration directives I have set for TLS is:
olcTLSCertificateFile: /etc/pki/tls/certs/ldap2.cassens.com.pem
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap2.cassens.comKey.pem
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.pem
On Wed, Mar 5, 2014 at 3:27 PM, Eric Falbe <ericf706(a)gmail.com> wrote:
Hi,
When I try to start slapd I get this error message:
Checking configuration files for slapd: [WARNING]
PROXIED attributeDescription "DC" inserted.
config file testing succeeded
Starting slapd: @(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $
mockbuild(a)c6b10.bsys.dev.centos.org:
/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
PROXIED attributeDescription "DC" inserted.
bdb_db_open: database "dc=cassens,dc=com": unclean shutdown detected;
attempting recovery.
bdb_db_open: database "cn=accesslog": unclean shutdown detected;
attempting recovery.
slapd starting
TLS: error: the certificate '/etc/pki/tls/certs/ldap.cassens.com.pem'
could not be found in the database - error -12285:Unable to find the
certificate or key necessary for authentication..
TLS: certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' successfully
loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap.cassens.com,OU=Ldap
Server,O=Cassens Transport Company,C=US'.
ppolicy_bind: Setting warning for password expiry for
cn=replication,dc=cassens,dc=com = 0 seconds
^Cdaemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.
This server was working last night, I had to promote our secondary ldap
server this morning.
I have attempted to rebuild the database backend (with slapcat and
slapadd), but am still getting this same error. I have my ssl
(self-signed) certificates located in
/etc/pki/tls/certs/ldap.cassens.com.pem /etc/pki/tls/tls/certa/ca.pem
/etc/pki/tls/private/ldap.cassens.comKey.pem
These certificates worked fine up untill today, does anyone have any
insight on where to look to being troubleshooting this issue?
Thanks,
Eric Falbe
2:58 p.m.
On 03/06/14 16:13 -0600, Eric Falbe wrote:
Hi,
Does anyone know where the database in the message:
TLS: error: the certificate '/etc/pki/tls/certs/ldap.
cassens.com.pem' could not be found in the database - error -12285:Unable
to find the certificate or key necessary for authentication
This error is likely coming from your ssl library. Search for the error
message (-12285 points to an NSS error code).
See slapd-config(5) and its notes underneath olcTLSCACertificatePath, etc,
and consult the documentation for NSS.
Is located at and how I might rebuild it?
Also, the only 3 configuration directives I have set for TLS is:
olcTLSCertificateFile: /etc/pki/tls/certs/ldap2.cassens.com.pem
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap2.cassens.comKey.pem
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.pem
On Wed, Mar 5, 2014 at 3:27 PM, Eric Falbe <ericf706(a)gmail.com> wrote:
> Hi,
> When I try to start slapd I get this error message:
> Checking configuration files for slapd: [WARNING]
> PROXIED attributeDescription "DC" inserted.
> config file testing succeeded
> Starting slapd: @(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $
> mockbuild(a)c6b10.bsys.dev.centos.org:
> /builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
> PROXIED attributeDescription "DC" inserted.
> bdb_db_open: database "dc=cassens,dc=com": unclean shutdown detected;
> attempting recovery.
> bdb_db_open: database "cn=accesslog": unclean shutdown detected;
> attempting recovery.
> slapd starting
> TLS: error: the certificate '/etc/pki/tls/certs/ldap.cassens.com.pem'
> could not be found in the database - error -12285:Unable to find the
> certificate or key necessary for authentication..
> TLS: certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' successfully
> loaded from PEM file.
> TLS: no unlocked certificate for certificate 'CN=ldap.cassens.com,OU=Ldap
> Server,O=Cassens Transport Company,C=US'.
> ppolicy_bind: Setting warning for password expiry for
> cn=replication,dc=cassens,dc=com = 0 seconds
> ^Cdaemon: shutdown requested and initiated.
> slapd shutdown: waiting for 0 operations/tasks to finish
> slapd stopped.
>
>
> This server was working last night, I had to promote our secondary ldap
> server this morning.
>
> I have attempted to rebuild the database backend (with slapcat and
> slapadd), but am still getting this same error. I have my ssl
> (self-signed) certificates located in
> /etc/pki/tls/certs/ldap.cassens.com.pem /etc/pki/tls/tls/certa/ca.pem
> /etc/pki/tls/private/ldap.cassens.comKey.pem
>
> These certificates worked fine up untill today, does anyone have any
> insight on where to look to being troubleshooting this issue?
>
> Thanks,
> Eric Falbe
>
--
Dan White
3:15 p.m.
On Thu, 6 Mar 2014, Eric Falbe wrote:
Does anyone know where the database in the message:
TLS: error: the certificate '/etc/pki/tls/certs/ldap.
cassens.com.pem' could not be found in the database - error -12285:Unable
to find the certificate or key necessary for authentication
Is located at and how I might rebuild it?
That error is specific to when openldap is built against Mozilla NSS, so
the centos-supplied binary you're using obviously links to that. Did you
follow the NSS-specific instructions in the slapd-config(5) manpage? For
example:
olcTLSCertificateFile: <filename>
Specifies the file that contains the slapd server certificate.
When using Mozilla NSS, if using a cert/key database (specified
with olcTLSCACertificatePath), olcTLSCertificateFile specifies
the name of the certificate to use:
olcTLSCertificateFile: Server-Cert
If using a token other than the internal built in token, specify
the token name first, followed by a colon:
olcTLSCertificateFile: my hardware device:Server-Cert
Use certutil -L to list the certificates by name:
certutil -d /path/to/certdbdir -L
Philip Guenther
3:29 p.m.
On 05.03.2014 22:27, Eric Falbe wrote:
I have attempted to rebuild the database backend (with slapcat and
slapadd), but am still getting this same error. I have my ssl
(self-signed) certificates located in
/etc/pki/tls/certs/ldap.cassens.com.pem /etc/pki/tls/tls/certa/ca.pem
/etc/pki/tls/private/ldap.cassens.comKey.pem
These certificates worked fine up untill today, does anyone have any
insight on where to look to being troubleshooting this issue?
Just a guess, but was the openldap rpm just updated? (or the service
just restarted for the first time after a previous update).
Could this be related to RedHat/CentOS rpms deciding to start using
GnuTLS instead of OpenSSL? Try searching in their bug databases.
E.g.: https://bugzilla.redhat.com/show_bug.cgi?id=707599
---
This email is free from viruses and malware because avast! Antivirus protection is
active.
http://www.avast.com
5:03 p.m.
Yes, the openldap rpm was just updated, but it did not take effect until
the slapd deamon was restarted. I have not explicitly tried to use the
Mozilla NSS database, I did not use the TLSCADIR(?) attribute and instead
used:
olcTLSCertificateFile , olcTLSCertificateKeyFile, and
olcTLSCACertificateFile.
I will look into that bug and the documentation you pointed me at.
Thanks
Eric Falbe
On Thu, Mar 6, 2014 at 5:29 PM, Terje Trane <terjet(a)funcom.com> wrote:
On 05.03.2014 22:27, Eric Falbe wrote:
> I have attempted to rebuild the database backend (with slapcat and
> slapadd), but am still getting this same error. I have my ssl
> (self-signed) certificates located in /etc/pki/tls/certs/ldap.cassens.com.pem
> /etc/pki/tls/tls/certa/ca.pem /etc/pki/tls/private/ldap.
> cassens.comKey.pem
>
> These certificates worked fine up untill today, does anyone have any
> insight on where to look to being troubleshooting this issue?
>
Just a guess, but was the openldap rpm just updated? (or the service just
restarted for the first time after a previous update).
Could this be related to RedHat/CentOS rpms deciding to start using GnuTLS
instead of OpenSSL? Try searching in their bug databases.
E.g.: https://bugzilla.redhat.com/show_bug.cgi?id=707599
---
This email is free from viruses and malware because avast! Antivirus
protection is active.
http://www.avast.com
5:38 p.m.
Eric Falbe wrote:
Yes, the openldap rpm was just updated, but it did not take effect
until the
slapd deamon was restarted. I have not explicitly tried to use the Mozilla
NSS database, I did not use the TLSCADIR(?) attribute and instead used:
olcTLSCertificateFile , olcTLSCertificateKeyFile, and olcTLSCACertificateFile.
I will look into that bug and the documentation you pointed me at.
For the record, RedHat uses Mozilla NSS, not GnuTLS. But regardless, neither
is recommended. Quoting from the bug report linked below:
https://bugzilla.redhat.com/show_bug.cgi?id=707599#c56
"Finally, I have a solution, there were too many bugs which were complicating
this:"
The referenced bugs were eventually fixed, but myriad problems remain and
MozNSS itself is fundamentally broken by design; or rather, it was designed
for single-user web browsers and was never meant to be used as a system
library that multi-user services depend on. If you enjoy pounding square pegs
into round holes, you can keep trying to use OpenLDAP as built by RedHat, but
most sensible people will use something that's actually fit for the purpose.
Thanks
Eric Falbe
On Thu, Mar 6, 2014 at 5:29 PM, Terje Trane <terjet(a)funcom.com
<mailto:terjet@funcom.com>> wrote:
On 05.03.2014 22:27, Eric Falbe wrote:
I have attempted to rebuild the database backend (with slapcat and
slapadd), but am still getting this same error. I have my ssl
(self-signed) certificates located in
/etc/pki/tls/certs/ldap.__cassens.com.pem
/etc/pki/tls/tls/certa/ca.pem
/etc/pki/tls/private/ldap.__cassens.comKey.pem
These certificates worked fine up untill today, does anyone have any
insight on where to look to being troubleshooting this issue?
Just a guess, but was the openldap rpm just updated? (or the service just
restarted for the first time after a previous update).
Could this be related to RedHat/CentOS rpms deciding to start using GnuTLS
instead of OpenSSL? Try searching in their bug databases.
E.g.: https://bugzilla.redhat.com/__show_bug.cgi?id=707599
<https://bugzilla.redhat.com/show_bug.cgi?id=707599>
---
This email is free from viruses and malware because avast! Antivirus
protection is active.
http://www.avast.com
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3492
days inactive
3494
days old
openldap-technical@openldap.org
6 comments
5 participants
participants (5)
-
Dan White -
Eric Falbe -
Howard Chu -
Philip Guenther -
Terje Trane