問題 error
system: Ubuntu 14.04
version: OpenLDAP 2.4.42
tool: slapd ldap-utils openssl libssl-dev
通過openssl創建證書,並且添加到cn=config數據庫,重啓服務失敗。syslog顯示錯誤
“main: TLS init def ctx failed: -1”
I created cert file by openssl in ubuntu 14.04. so I installed openssl/libssl-cert before, the error shown in this environment. When started the service, it failed with “main: TLS init def ctx failed: -1” in syslog.
解決方案 solution
It works after following steps:
- check your certfile path whether it is correct. 檢查cn=config配置中證書文件路徑是否存在且正確
- check your file permission. 檢查證書文件權限
chown openldap.openldap /etc/ssl/certs/ldapcert.pem
chown openldap.openldap /etc/ssl/private/ldapkey.pem
chmod -R 0400 /etc/ssl/certs/ldapcert.pem
chmod -R 0400 /etc/ssl/private/ldapkey.pem
Example 示例:
-rw-r–r– 1 root root 1383 Dec 1 09:47 /etc/ssl/certs/cacert.pem
-r——– 1 openldap openldap 3808 Dec 1 09:48 /etc/ssl/certs/ldapcert.pem
-r——– 1 openldap openldap 891 Dec 1 09:47 /etc/ssl/private/ldapkey.pem - Whether install libssl-dev/ssl-cert, especially ssl-cert. 是否安裝了libssl-dev/ssl-cert
- Whether add user openldap to group ssl-cert. 是否添加openldap至ssl-cert用戶組
adduser openldap ssl-cert - Whether certfile is correct. 驗證證書是否正確
openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem - Check apparmor. With the 1st step, if your cert file not under path /etc/ssl/… your should add your cert file path to /etc/apparmor.d/usr.sbin.slapd, then reload the apparmor service like this :
/etc/init.d/apparmor reload
檢查apparmor,配合第一條,如果不在/etc/ssl/..需要配置/etc/apparmor.d/usr.sbin.slapd,並且重啓apparmor服務
If you have any other question, please feel free to concat to me [email protected]
ps:
I have stuck with this for a long time, it done work after installed ssl-cert and added user openldap to group ssl-cert.
ref:
http://readthefuckingmanual.net/error/1257/
