Error added: 2007-10-10T15:46:28Z
I used strace slapd, and it kept complaining about not being able to read the CA certificate file ca.crt. Tried putting this ca.crt file in various locations, with 777 permissions, even in the root, e.g. /ca.crt; it still complains about access denied. I suspect it is a configuration in /etc/apparmor.d/slapd. So in the end, to get it running, I simply copied all my ssl files to /etc/ldap/ssl/ and it is finally working now. I guess /etc/apparmor.d/slapd configured /etc/ldap to be a valid location for placing those ssl files, though I don't really see it specified there.
Check out the slapd flags; make sure you have ldaps:///. On Ubuntu, edit /etc/default/slapd and add ldaps:///.
Problem was resolved after installing the ssl-cert package (Ubuntu 12.04 LTS): # apt-get install ssl-cert
I had the same thing after trying to get OpenLDAP to use TLS. Using "strace slapd" revealed that it couldn't read the certificates I had generated. Using "chgrp openldap" on the private key, public certificate and CA certificate should fix the problem.
It worked for me after creating the private key and certificate using certtool (instead of openssl) and also using certtool to sign the certificate for LDAP. This is because OpenLDAP has been compiled against gnutls rather than openssl. In addition, I made the mistake of storing the private key (in Ubuntu 9.10) in /etc/ssl/private rather than a directory that the openldap user could read.
On Ubuntu 9.10, put user openldap into group ssl-cert (use vigr *and* vigr -s) and then copy certificates and keys to /etc/ssl/private.
From answer 2, I'd like to add that slapd (with user openldap) does not follow certificate symlinks.
I followed this howto: http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html#encryption But I tried to be smart and added a slapd config line for the cipher suite:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
This line prevented slapd from starting. Removing it fixed the problem. This was shown by running slapd with the "-d 2" debug option.
I created the cert file with openssl on Ubuntu 14.04, so I had installed openssl/libssl-cert before, and the error showed up in this environment. It works after the following steps:
1. Check whether your certfile path is correct (check the file path and whether the file exists).
2. Check your file permissions:
   chown openldap.openldap /etc/ssl/certs/ldapcert.pem
   chown openldap.openldap /etc/ssl/private/ldapkey.pem
   chmod -R 0400 /etc/ssl/certs/ldapcert.pem
   chmod -R 0400 /etc/ssl/private/ldapkey.pem
   Example:
   -rw-r--r-- 1 root root 1383 Dec 1 09:47 /etc/ssl/certs/cacert.pem
   -r-------- 1 openldap openldap 3808 Dec 1 09:48 /etc/ssl/certs/ldapcert.pem
   -r-------- 1 openldap openldap 891 Dec 1 09:47 /etc/ssl/private/ldapkey.pem
3. Check whether libssl-dev/ssl-cert are installed, especially ssl-cert.
4. Check whether user openldap has been added to group ssl-cert:
   adduser openldap ssl-cert
5. Check whether the certfile is correct:
   openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem
6. Check apparmor. Together with step 1: if your cert file is not under /etc/ssl/..., you should add your cert file path to /etc/apparmor.d/usr.sbin.slapd, then reload the apparmor service like this:
   /etc/init.d/apparmor reload
If you have any other questions, please feel free to contact me at 32634366@qq.com or refer to my blog http://blog.csdn.net/saife/article/details/53455762
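The checks in the reply above (path, owner and mode, ssl-cert group sharing, chain verification, apparmor location) gathered into one pre-flight script, as an added example that is not code from any post here. It assumes GNU coreutils (stat -c), openssl on PATH for the chain check, and the Debian/Ubuntu service user and group "openldap" unless other names are passed.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: pre-flight checks on the
# files named by TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile.
# Assumes GNU coreutils (stat -c) and openssl on PATH; service user/group default
# to "openldap" (pass group "ssl-cert" if that is how the key is shared with slapd).

# perm_digit FILE N: octal permission digit N of FILE (1=user 2=group 3=other).
perm_digit() {
    m=000$(stat -c %a "$1" 2>/dev/null || echo 0)   # pad so a bare "0" still has 3 digits
    m=${m#"${m%???}"}                                # keep the last three digits only
    case $2 in
        1) echo "${m%??}" ;;
        2) gd=${m#?}; echo "${gd%?}" ;;
        3) echo "${m#??}" ;;
    esac
}

# has_read_bit FILE N: 0 if the read bit is set in permission digit N.
has_read_bit() { [ $(( $(perm_digit "$1" "$2") & 4 )) -ne 0 ]; }

# readable_by FILE USER GROUP: 0 if FILE is a regular file, not a symlink (a reply
# above reports slapd will not follow them), and USER can read it under the usual
# owner > group > other precedence. Supplementary groups are not consulted.
readable_by() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    if   [ "$(stat -c %U "$1")" = "$2" ]; then has_read_bit "$1" 1
    elif [ "$(stat -c %G "$1")" = "$3" ]; then has_read_bit "$1" 2
    else has_read_bit "$1" 3
    fi
}

# key_is_private FILE: 0 if the private key exists and is not world-readable.
key_is_private() { [ -f "$1" ] && ! has_read_bit "$1" 3; }
# check_slapd_tls CA CERT KEY [USER] [GROUP]: prints findings and returns the
# number of failed checks; 0 means slapd should be able to load all three files.
check_slapd_tls() {
    u=${4:-openldap}; g=${5:-openldap}; fails=0
    for f in "$1" "$2" "$3"; do
        readable_by "$f" "$u" "$g" || { echo "FAIL: $u cannot read $f"; fails=$((fails + 1)); }
        case $f in /etc/ssl/*|/etc/ldap/*) ;;
            *) echo "NOTE: $f is outside /etc/ssl and /etc/ldap; allow it in /etc/apparmor.d/usr.sbin.slapd" ;;
        esac
    done
    key_is_private "$3" || { echo "FAIL: key $3 is missing or world-readable"; fails=$((fails + 1)); }
    if command -v openssl >/dev/null 2>&1; then
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "FAIL: $2 does not verify against CA $1"; fails=$((fails + 1)); }
    fi
    return "$fails"
}
```

Run it as check_slapd_tls /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem /etc/ssl/private/ldapkey.pem openldap ssl-cert before restarting slapd; a non-zero exit means at least one of the conditions above would still make TLS init fail.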
The reason for the "main: TLS init def ctx failed: -1" problem could also be this: I had only the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block in my certificate file. After some investigation I found out that OpenLDAP also wanted the text part of the certificate. To get that, use the following command: openssl x509 -text -in yourcert.pem -out yourcerttxt.pem
For Mandriva, you need to give TLSCACertificateFile the same treatment, so your final file should look like:
TLSCertificateFile /etc/pki/tls/cert/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap.pem
TLSCACertificateFile /etc/pki/tls/certs/ldap.pem
See http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/openldap-mandriva-dit/current/SOURCES/mandriva-dit-slapd-template.conf?r1=546844&r2=546843&pathrev=546844
If this is on a Mac, I had the exact same problem in my log. I posted my long answer here: http://www.afp548.com/forum/viewtopic.php?showtopic=28808 But in short: check your certificates; have you deleted some of them?
I used answer 1 to fix my similar problem and my error changed from "main: TLS init def ctx failed: -1" to "main: TLS init def ctx failed: -207".
In the slapd.conf provided in packages for Mandriva 2009.1, 2010 and 2010.1 (I can't tell for other distros) TLSCertificateFile is set to /etc/pki/tls/private/ldap.pem. I set it to /etc/pki/tls/certs/ldap.pem and it works.
When you generate and sign the keys, you MUST copy BOTH files (newcert.pem _and_ newkey.pem) to the server 02 using the SAME CA (cacert.pem) from server 01.