Solved LDAP failed to start at boot whereas it starts manually successfully => following the FreeBSD Handbook step by step

Why are you using the old config style? Follow the Handbook instructions and edit your slapd.ldif, then remove your current slapd.d directory and import it again.
What is the error when you start it with:
/usr/local/libexec/slapd -u ldap -g ldap -d 1 -F /usr/local/etc/openldap/slapd.d/
ctrl+c

Your key file must be readable by the ldap user.

When you generate the certificates, the Handbook assumes that you are inside "cd /usr/local/etc/openldap/private" and that the commands are run from there.
openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt
openssl req -days 365 -nodes -new -keyout server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial
openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key


After you modify slapd.ldif, import the configuration under the slapd.d directory:

mkdir /usr/local/etc/openldap/slapd.d/
/usr/local/sbin/slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.ldif
chown -R ldap:ldap /usr/local/etc/openldap/slapd.d/

chown -R ldap /usr/local/etc/openldap/private/*

/usr/local/libexec/slapd -u ldap -g ldap -F /usr/local/etc/openldap/slapd.d/
root@bsdtest:/var/log # sockstat -4 -p 389
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
ldap slapd 1965 7 tcp4 *:389 *:*
killall slapd


----
/etc/rc.conf
----

slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"

----
/usr/local/etc/openldap/slapd.ldif
----
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCertificateFile: /usr/local/etc/openldap/server.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/private/server.key
olcTLSCACertificateFile: /usr/local/etc/openldap/ca.crt
#olcTLSCipherSuite: HIGH
olcTLSProtocolMin: 3.1
olcTLSVerifyClient: never
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral:   ldap://root.openldap.org
#
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath:  /usr/local/libexec/openldap
#olcModuleload: back_bdb.la
#olcModuleload: back_hdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la
olcModuleload: back_mdb.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///usr/local/etc/openldap/schema/core.ldif
include: file:///usr/local/etc/openldap/schema/cosine.ldif
include: file:///usr/local/etc/openldap/schema/inetorgperson.ldif
include: file:///usr/local/etc/openldap/schema/nis.ldif

# Frontend settings
#
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: to * by * read
#
# Sample global access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
olcPasswordHash: {SSHA}

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: to * by * none
olcRootPW: {SSHA}<KEY generated via slappasswd>


#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: {SSHA}<KEY generated via slappasswd>
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /var/db/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
----

root@bsdtest:/usr/local/etc/openldap # ls -Rl .
total 52
-rw-r--r--  1 root  wheel  1326 Aug 16 11:19 ca.crt
-rw-r--r--  1 root  wheel    41 Aug 16 11:20 ca.srl
-rw-r--r--  1 root  wheel  1204 Aug 16 11:20 client.crt
-rw-r--r--  1 root  wheel   245 Aug  6 04:15 ldap.conf
-rw-r--r--  1 root  wheel   245 Aug  6 04:15 ldap.conf.sample
drwxr-xr-x  2 root  wheel   512 Aug 16 11:20 private
drwxr-xr-x  2 root  wheel  1536 Aug 16 11:17 schema
-rw-r--r--  1 root  wheel  1204 Aug 16 11:19 server.crt
-rw-------  1 ldap  ldap   2107 Aug  7 19:01 slapd.conf
-rw-------  1 root  wheel  2107 Aug  7 19:01 slapd.conf.sample
drwxr-xr-x  3 ldap  ldap    512 Aug 16 11:30 slapd.d
-rw-------  1 root  wheel  3216 Aug 16 11:29 slapd.ldif
-rw-------  1 root  wheel  2630 Aug  7 19:01 slapd.ldif.sample

./private:
total 20
-rw-------  1 ldap  wheel  1704 Aug 16 11:18 ca.key
-rw-r--r--  1 ldap  wheel   997 Aug 16 11:20 client.csr
-rw-------  1 ldap  wheel  1704 Aug 16 11:19 client.key
-rw-r--r--  1 ldap  wheel   997 Aug 16 11:19 server.csr
-rw-------  1 ldap  wheel  1708 Aug 16 11:19 server.key

./schema:
total 532
-r--r--r--  1 root  wheel   3512 Aug  7 19:01 README
-r--r--r--  1 root  wheel   2036 Aug  7 19:01 collective.ldif
-r--r--r--  1 root  wheel   6190 Aug  7 19:01 collective.schema
-r--r--r--  1 root  wheel   6190 Aug  7 19:01 collective.schema.sample
-r--r--r--  1 root  wheel   1845 Aug  7 19:01 corba.ldif
-r--r--r--  1 root  wheel   8063 Aug  7 19:01 corba.schema
-r--r--r--  1 root  wheel   8063 Aug  7 19:01 corba.schema.sample
-r--r--r--  1 root  wheel  20612 Aug  7 19:01 core.ldif
-r--r--r--  1 root  wheel  20499 Aug  7 19:01 core.schema
-r--r--r--  1 root  wheel  20499 Aug  7 19:01 core.schema.sample
-r--r--r--  1 root  wheel  12006 Aug  7 19:01 cosine.ldif
-r--r--r--  1 root  wheel  73994 Aug  7 19:01 cosine.schema
-r--r--r--  1 root  wheel  73994 Aug  7 19:01 cosine.schema.sample
-r--r--r--  1 root  wheel   4842 Aug  7 19:01 duaconf.ldif
-r--r--r--  1 root  wheel  10388 Aug  7 19:01 duaconf.schema
-r--r--r--  1 root  wheel  10388 Aug  7 19:01 duaconf.schema.sample
-r--r--r--  1 root  wheel   3330 Aug  7 19:01 dyngroup.ldif
-r--r--r--  1 root  wheel   3289 Aug  7 19:01 dyngroup.schema
-r--r--r--  1 root  wheel   3289 Aug  7 19:01 dyngroup.schema.sample
-r--r--r--  1 root  wheel   3481 Aug  7 19:01 inetorgperson.ldif
-r--r--r--  1 root  wheel   6267 Aug  7 19:01 inetorgperson.schema
-r--r--r--  1 root  wheel   6267 Aug  7 19:01 inetorgperson.schema.sample
-r--r--r--  1 root  wheel   2979 Aug  7 19:01 java.ldif
-r--r--r--  1 root  wheel  13901 Aug  7 19:01 java.schema
-r--r--r--  1 root  wheel  13901 Aug  7 19:01 java.schema.sample
-r--r--r--  1 root  wheel   2082 Aug  7 19:01 misc.ldif
-r--r--r--  1 root  wheel   2387 Aug  7 19:01 misc.schema
-r--r--r--  1 root  wheel   2387 Aug  7 19:01 misc.schema.sample
-r--r--r--  1 root  wheel   6809 Aug  7 19:01 nis.ldif
-r--r--r--  1 root  wheel   7640 Aug  7 19:01 nis.schema
-r--r--r--  1 root  wheel   7640 Aug  7 19:01 nis.schema.sample
-r--r--r--  1 root  wheel   3308 Aug  7 19:01 openldap.ldif
-r--r--r--  1 root  wheel   1514 Aug  7 19:01 openldap.schema
-r--r--r--  1 root  wheel   1514 Aug  7 19:01 openldap.schema.sample
-r--r--r--  1 root  wheel   6904 Aug  7 19:01 pmi.ldif
-r--r--r--  1 root  wheel  20467 Aug  7 19:01 pmi.schema
-r--r--r--  1 root  wheel  20467 Aug  7 19:01 pmi.schema.sample
-r--r--r--  1 root  wheel   4570 Aug  7 19:01 ppolicy.ldif
-r--r--r--  1 root  wheel  20489 Aug  7 19:01 ppolicy.schema
-r--r--r--  1 root  wheel  20489 Aug  7 19:01 ppolicy.schema.sample

./slapd.d:
total 8
drwxr-x---  3 ldap  ldap  512 Aug 16 11:30 cn=config
-rw-------  1 ldap  ldap  680 Aug 16 11:30 cn=config.ldif

./slapd.d/cn=config:
total 24
-rw-------  1 ldap  ldap  453 Aug 16 11:30 cn=module{0}.ldif
drwxr-x---  2 ldap  ldap  512 Aug 16 11:30 cn=schema
-rw-------  1 ldap  ldap  378 Aug 16 11:30 cn=schema.ldif
-rw-------  1 ldap  ldap  496 Aug 16 11:30 olcDatabase={-1}frontend.ldif
-rw-------  1 ldap  ldap  584 Aug 16 11:30 olcDatabase={0}config.ldif
-rw-------  1 ldap  ldap  649 Aug 16 11:30 olcDatabase={1}mdb.ldif

./slapd.d/cn=config/cn=schema:
total 40
-rw-------  1 ldap  ldap  15578 Aug 16 11:30 cn={0}core.ldif
-rw-------  1 ldap  ldap  11363 Aug 16 11:30 cn={1}cosine.ldif
-rw-------  1 ldap  ldap   2857 Aug 16 11:30 cn={2}inetorgperson.ldif
-rw-------  1 ldap  ldap   6495 Aug 16 11:30 cn={3}nis.ldif
 
All is working perfectly!!!

root@test:~ # rm -R /usr/local/etc/openldap/slapd.d/
root@test:~ # mkdir /usr/local/etc/openldap/slapd.d/
root@test:~ # /usr/local/libexec/slapd -u ldap -g ldap -d 1 -F /usr/local/etc/openldap/slapd.d/
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /usr/local/etc/openldap/ldap.conf
ldap_init: using /usr/local/etc/openldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
5f39085a @(#) $OpenLDAP: slapd 2.4.50 (Aug 7 2020 16:00:53) $
root@121amd64-quarterly-job-01:/wrkdirs/usr/ports/net/openldap24-server/work/openldap-2.4.50/servers/slapd
ldap_pvt_gethostbyname_a: host=test, r=0
5f39085a daemon_init: listen on ldap:///
5f39085a daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
5f39085a daemon: listener initialized ldap:///
5f39085a daemon_init: 2 listeners opened
ldap_create
5f39085a slapd init: initiated server.
5f39085a backend_startup_one: starting "cn=config"
5f39085a ldif_read_file: no entry file "/usr/local/etc/openldap/slapd.d//cn=config.ldif"
5f39085a send_ldap_result: conn=-1 op=0 p=0
5f39085a slapd destroy: freeing system resources.
5f39085a slapd stopped.
5f39085a connections_destroy: nothing to destroy.
root@test:~ #

root@test:~ # cd /usr/local/etc/openldap/private
root@test:/usr/local/etc/openldap/private # openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt
Generating a RSA private key
................................................................................................................................+++++
..............................+++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ca.localhost
Email Address []:
root@test:/usr/local/etc/openldap/private #
root@test:/usr/local/etc/openldap/private # openssl req -days 365 -nodes -new -keyout server.key -out server.csr
Ignoring -days; not generating a certificate
Generating a RSA private key
................................................................+++++
...........+++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:server.localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@test:/usr/local/etc/openldap/private #
root@test:/usr/local/etc/openldap/private # openssl x509 -req -days 365 -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = server.localhost
Getting CA Private Key
root@test:/usr/local/etc/openldap/private # openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = key_client
Getting CA Private Key
root@test:/usr/local/etc/openldap/private #

root@test:/usr/local/etc/openldap # /usr/local/sbin/slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB...
root@test:/usr/local/etc/openldap # chown -R ldap:ldap /usr/local/etc/openldap/slapd.d/
root@test:/usr/local/etc/openldap # chown -R ldap /usr/local/etc/openldap/private/*
root@test:/usr/local/etc/openldap # /usr/local/libexec/slapd -u ldap -g ldap -F /usr/local/etc/openldap/slapd.d/
root@test:/usr/local/etc/openldap # sockstat -4 -p 389
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root@test:/usr/local/etc/openldap # killall slapd
root@test:/usr/local/etc/openldap # /usr/local/libexec/slapd -u ldap -g ldap -F /usr/local/etc/openldap/slapd.d/
root@test:/usr/local/etc/openldap # sockstat -4 -p 389
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
ldap slapd 26600 7 tcp4 *:389 *:*
root@test:/usr/local/etc/openldap # killall slapd
root@test:/usr/local/etc/openldap #

root@test:/usr/local/etc/openldap # service slapd start
Performing sanity check on slap configuration: OK
Starting slapd.
root@test:/usr/local/etc/openldap # sockstat -4 -p 389
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
ldap slapd 26654 7 tcp4 *:389 *:*
root@test:/usr/local/etc/openldap #




Well, I really appreciate all the efforts and time invested in this thread!!!!
 
I have discovered where the error is:
There is a mistake in the documentation.

First, "slapd" instead of "lapd"... it is not important!
The issue is that ldap://0.0.0.0/"' is on a new line whereas it is supposed to be on the previous line. I ran the test with both cases and confirmed this was the mistake...
I hope someone can fix the documentation to save time for others...

Solved and Closed
Thanks everyone!
 
I'm sorry, my memory is really hazy on it. I just remember googling and finding that that was the answer. There may have been some other steps necessary, and there may even be a better handbook article.

No worries at all!!!
Your support is always appreciated and valued.
I'm guilty too 😅 I was supposed to read what I'm copying! It was clear the flag arguments were broken...

Anyway, it is always a lesson to learn... FreeBSD world!

thanks
 
Out of curiosity, why do you have a mixture of percent-encoded (%2f) and plain slashes (/) in your Unix domain sockets URL? ("ldapi:..")
This is what's mentioned in the documentation....
It is the first time that I install LDAP.
 
Because it must be encoded in the URL, and you can't have a Unix path with forward slashes in a URL. It's described here:
It is working just perfectly... even when calling the API for user password reset or adding users, it works perfectly...
ldappasswd -H ldapi://%2fvar%2frun%2fopenldap%2fldapi/ -x -D "cn=mdbadmin,dc=example,dc=com" -W -S uid=testuser,ou=users,dc=example,dc=com

I have no idea about that... Maybe one of the experts can explain that for us...

thanks!
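Added example, not from the thread or the Handbook: a Python check that reads the slapd_flags assignment the way the shell will, so a value wrapped onto two lines (the documentation mistake found above) is caught, and that decodes the ldapi:// URL to show why the socket path's slashes are %2f-encoded while the final one is not. The rc.conf fragments are constructed for the example.

```python
import shlex
from urllib.parse import unquote, urlsplit

# Constructed rc.conf fragments (not the thread's screenshot). GOOD_RC keeps the
# Handbook line whole; BROKEN_RC has the value wrapped onto two lines.
GOOD_RC = """slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
"""
BROKEN_RC = """slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/
ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
"""

def slapd_flags_value(rc_text):
    """slapd_flags value if its quotes close on the line where the assignment
    starts, else None (the wrapped line leaves a quote open)."""
    for line in rc_text.splitlines():
        if line.startswith("slapd_flags="):
            try:
                parts = shlex.split(line[len("slapd_flags="):])
            except ValueError:  # "No closing quotation"
                return None
            return parts[0] if len(parts) == 1 else None
    return None

def listener_urls(flags):
    """Split the flags as slapd's argv arrives and collect the -h URL list
    (-h takes one argument holding space-separated URLs)."""
    argv = shlex.split(flags)
    urls = []
    for opt, arg in zip(argv, argv[1:]):
        if opt == "-h":
            urls.extend(arg.split())
    return urls

def ldapi_socket_path(url):
    """Socket path of an ldapi:// URL. It rides in the host slot, which cannot
    hold '/', hence the %2f escapes; the bare trailing '/' is the URL's own
    (empty) path. None for non-ldapi URLs, '' if slashes were left raw."""
    u = urlsplit(url)
    return unquote(u.netloc) if u.scheme == "ldapi" else None

if __name__ == "__main__":
    for name, rc in (("good", GOOD_RC), ("broken", BROKEN_RC)):
        flags = slapd_flags_value(rc)
        print(name, "->", listener_urls(flags) if flags else "broken quoting")
    print(ldapi_socket_path("ldapi://%2fvar%2frun%2fopenldap%2fldapi/"))
```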
 
Glad you got it working, and congratulations. As the thread originator, you can mark the thread solved, if you wish. (On the first post, go to edit, and underneath Title, it says no prefix. Hit the down arrow and there's an option to mark it solved.)
 