问题 error
system: Ubuntu 14.04
version: OpenLDAP 2.4.42
tool: slapd ldap-utils openssl libssl-dev
通过openssl创建证书,并且添加到cn=config数据库,重启服务失败。syslog显示错误
“main: TLS init def ctx failed: -1”
I created cert file by openssl in ubuntu 14.04. so I installed openssl/libssl-cert before, the error shown in this environment. When started the service, it failed with “main: TLS init def ctx failed: -1” in syslog.
解决方案 solution
It works after following steps:
- check your certfile path whether it is correct. 检查cn=config配置中证书文件路径是否存在且正确
- check your file permission. 检查证书文件权限
chown openldap.openldap /etc/ssl/certs/ldapcert.pem
chown openldap.openldap /etc/ssl/private/ldapkey.pem
chmod -R 0400 /etc/ssl/certs/ldapcert.pem
chmod -R 0400 /etc/ssl/private/ldapkey.pem
Example 示例:
-rw-r–r– 1 root root 1383 Dec 1 09:47 /etc/ssl/certs/cacert.pem
-r——– 1 openldap openldap 3808 Dec 1 09:48 /etc/ssl/certs/ldapcert.pem
-r——– 1 openldap openldap 891 Dec 1 09:47 /etc/ssl/private/ldapkey.pem - Whether install libssl-dev/ssl-cert, especially ssl-cert. 是否安装了libssl-dev/ssl-cert
- Whether add user openldap to group ssl-cert. 是否添加openldap至ssl-cert用户组
adduser openldap ssl-cert - Whether certfile is correct. 验证证书是否正确
openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem - Check apparmor. With the 1st step, if your cert file not under path /etc/ssl/… your should add your cert file path to /etc/apparmor.d/usr.sbin.slapd, then reload the apparmor service like this :
/etc/init.d/apparmor reload
检查apparmor,配合第一条,如果不在/etc/ssl/..需要配置/etc/apparmor.d/usr.sbin.slapd,并且重启apparmor服务
If you have any other question, please feel free to concat to me [email protected]
ps:
I have stuck with this for a long time, it done work after installed ssl-cert and added user openldap to group ssl-cert.
ref:
http://readthefuckingmanual.net/error/1257/
