Why are you using the old config style? Follow the Handbook instructions: edit your slapd.ldif, then remove your current slapd.d directory and import it again.
What is the error when you start it with:
your key file must be readable by ldap user
When you generate the Certificates the Handbook assume that you are inside "
After you modify the slapd.ldif import the configuration under the directory slapd.d
root@bsdtest:/var/log # sockstat -4 -p 389
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
ldap slapd 1965 7 tcp4 *:389 *:*
What is the error when you start it with:
# Run slapd in the foreground as the ldap user with debug level 1 so any startup
# error (in this thread, an unreadable key file) is printed to the terminal;
# stop it with ctrl+c once you have seen the message.
/usr/local/libexec/slapd -u ldap -g ldap -d 1 -F /usr/local/etc/openldap/slapd.d/
ctrl+c
Your key file must be readable by the ldap user.
When you generate the certificates, the Handbook assumes that you are inside "
cd /usr/local/etc/openldap/private
" and that the commands are run from there. openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt
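# Run from /usr/local/etc/openldap/private: private keys stay in this directory,
# certificates are written one level up, which is where slapd.ldif points at them.
# -nodes leaves every key unencrypted on disk, so file ownership and mode are the
# only thing protecting them.
# Server key + CSR, then sign the CSR with the CA created above
# (-CAcreateserial writes ca.srl next to ca.crt).
openssl req -days 365 -nodes -new -keyout server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial
# Client key + CSR: this step was missing, but client.csr is consumed by the next
# command. ca.srl already exists, so -CAcreateserial is not needed again.
openssl req -days 365 -nodes -new -keyout client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key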
After you modify slapd.ldif, import the configuration into the slapd.d directory:
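# Create the slapd.d tree and convert slapd.ldif into it. The tool is slapadd
# (the post had "slapad"); -n0 selects the config database.
mkdir /usr/local/etc/openldap/slapd.d/
/usr/local/sbin/slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.ldif
# slapd runs as ldap (-u ldap -g ldap below), so it must own its config tree.
chown -R ldap:ldap /usr/local/etc/openldap/slapd.d/
# Of the files in private/ only server.key (olcTLSCertificateKeyFile) has to be
# readable by the service user; ca.key and client.key are not used by slapd and
# stay root-owned. A "chown -R ldap private/*" would hand the CA key to the
# daemon as well, which is more access than it needs.
chown ldap /usr/local/etc/openldap/private/server.key
/usr/local/libexec/slapd -u ldap -g ldap -F /usr/local/etc/openldap/slapd.d/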
root@bsdtest:/var/log # sockstat -4 -p 389
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
ldap slapd 1965 7 tcp4 *:389 *:*
killall slapd
Code:
---
/etc/rc.conf
----
# Start slapd from the rc system at boot.
slapd_enable="YES"
# Listeners: the ldapi:// Unix socket (its path is percent-encoded inside the URL)
# and plain ldap:// on every IPv4 address, i.e. port 389 as the sockstat output in
# this post shows. No ldaps:// URL is configured, so presumably any encrypted
# connection relies on StartTLS over port 389 — confirm that is what you want.
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
# Socket path of the ldapi:// listener above; the two must agree.
slapd_sockets="/var/run/openldap/ldapi"
----
/usr/local/etc/openldap/slapd.ldif
----
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
# NOTE(review): this paste shows no blank line between entries; LDIF separates
# entries with an empty line, so check the real file before importing it.
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
# TLS material. slapd is started as -u ldap in this post, so the key file below
# must be readable by that user; the certificate and CA files are world-readable
# in the directory listing and need no special ownership.
olcTLSCertificateFile: /usr/local/etc/openldap/server.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/private/server.key
olcTLSCACertificateFile: /usr/local/etc/openldap/ca.crt
#olcTLSCipherSuite: HIGH
# NOTE(review): slapd-config(5) numbers protocols as SSL major.minor, so 3.1 is
# TLS 1.0; confirm this floor is intended (3.3 would require TLS 1.2).
olcTLSProtocolMin: 3.1
# "never": slapd does not request a certificate from the client, so the client.crt
# generated later in this post is not consulted by this server.
olcTLSVerifyClient: never
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/local/libexec/openldap
#olcModuleload: back_bdb.la
#olcModuleload: back_hdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la
olcModuleload: back_mdb.la
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///usr/local/etc/openldap/schema/core.ldif
include: file:///usr/local/etc/openldap/schema/cosine.ldif
include: file:///usr/local/etc/openldap/schema/inetorgperson.ldif
include: file:///usr/local/etc/openldap/schema/nis.ldif
# Frontend settings
#
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
# Anonymous read of every entry — the permissive default described in the
# comments below. The commented sample policy that follows is the restrictive
# alternative (self write, authenticated read, anonymous auth only).
olcAccess: to * by * read
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
olcPasswordHash: {SSHA}
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
# Nobody can read or write cn=config through ACLs; only the rootdn of this
# database (which bypasses ACLs, see the note above) can manage it.
olcAccess: to * by * none
# Placeholder: replace with the {SSHA} hash printed by slappasswd(8); never put
# a cleartext password here.
olcRootPW: {SSHA}<KEY generated via slappasswd>
#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
# 1073741824 bytes = 1 GiB maximum size of the LMDB map.
olcDbMaxSize: 1073741824
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
# Placeholder, same as for the config database: use the slappasswd(8) hash.
olcRootPW: {SSHA}<KEY generated via slappasswd>
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /var/db/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
----
root@bsdtest:/usr/local/etc/openldap # ls -Rl .
total 52
-rw-r--r-- 1 root wheel 1326 Aug 16 11:19 ca.crt
-rw-r--r-- 1 root wheel 41 Aug 16 11:20 ca.srl
-rw-r--r-- 1 root wheel 1204 Aug 16 11:20 client.crt
-rw-r--r-- 1 root wheel 245 Aug 6 04:15 ldap.conf
-rw-r--r-- 1 root wheel 245 Aug 6 04:15 ldap.conf.sample
drwxr-xr-x 2 root wheel 512 Aug 16 11:20 private
drwxr-xr-x 2 root wheel 1536 Aug 16 11:17 schema
-rw-r--r-- 1 root wheel 1204 Aug 16 11:19 server.crt
-rw------- 1 ldap ldap 2107 Aug 7 19:01 slapd.conf
-rw------- 1 root wheel 2107 Aug 7 19:01 slapd.conf.sample
drwxr-xr-x 3 ldap ldap 512 Aug 16 11:30 slapd.d
-rw------- 1 root wheel 3216 Aug 16 11:29 slapd.ldif
-rw------- 1 root wheel 2630 Aug 7 19:01 slapd.ldif.sample
./private:
total 20
-rw------- 1 ldap wheel 1704 Aug 16 11:18 ca.key
-rw-r--r-- 1 ldap wheel 997 Aug 16 11:20 client.csr
-rw------- 1 ldap wheel 1704 Aug 16 11:19 client.key
-rw-r--r-- 1 ldap wheel 997 Aug 16 11:19 server.csr
-rw------- 1 ldap wheel 1708 Aug 16 11:19 server.key
./schema:
total 532
-r--r--r-- 1 root wheel 3512 Aug 7 19:01 README
-r--r--r-- 1 root wheel 2036 Aug 7 19:01 collective.ldif
-r--r--r-- 1 root wheel 6190 Aug 7 19:01 collective.schema
-r--r--r-- 1 root wheel 6190 Aug 7 19:01 collective.schema.sample
-r--r--r-- 1 root wheel 1845 Aug 7 19:01 corba.ldif
-r--r--r-- 1 root wheel 8063 Aug 7 19:01 corba.schema
-r--r--r-- 1 root wheel 8063 Aug 7 19:01 corba.schema.sample
-r--r--r-- 1 root wheel 20612 Aug 7 19:01 core.ldif
-r--r--r-- 1 root wheel 20499 Aug 7 19:01 core.schema
-r--r--r-- 1 root wheel 20499 Aug 7 19:01 core.schema.sample
-r--r--r-- 1 root wheel 12006 Aug 7 19:01 cosine.ldif
-r--r--r-- 1 root wheel 73994 Aug 7 19:01 cosine.schema
-r--r--r-- 1 root wheel 73994 Aug 7 19:01 cosine.schema.sample
-r--r--r-- 1 root wheel 4842 Aug 7 19:01 duaconf.ldif
-r--r--r-- 1 root wheel 10388 Aug 7 19:01 duaconf.schema
-r--r--r-- 1 root wheel 10388 Aug 7 19:01 duaconf.schema.sample
-r--r--r-- 1 root wheel 3330 Aug 7 19:01 dyngroup.ldif
-r--r--r-- 1 root wheel 3289 Aug 7 19:01 dyngroup.schema
-r--r--r-- 1 root wheel 3289 Aug 7 19:01 dyngroup.schema.sample
-r--r--r-- 1 root wheel 3481 Aug 7 19:01 inetorgperson.ldif
-r--r--r-- 1 root wheel 6267 Aug 7 19:01 inetorgperson.schema
-r--r--r-- 1 root wheel 6267 Aug 7 19:01 inetorgperson.schema.sample
-r--r--r-- 1 root wheel 2979 Aug 7 19:01 java.ldif
-r--r--r-- 1 root wheel 13901 Aug 7 19:01 java.schema
-r--r--r-- 1 root wheel 13901 Aug 7 19:01 java.schema.sample
-r--r--r-- 1 root wheel 2082 Aug 7 19:01 misc.ldif
-r--r--r-- 1 root wheel 2387 Aug 7 19:01 misc.schema
-r--r--r-- 1 root wheel 2387 Aug 7 19:01 misc.schema.sample
-r--r--r-- 1 root wheel 6809 Aug 7 19:01 nis.ldif
-r--r--r-- 1 root wheel 7640 Aug 7 19:01 nis.schema
-r--r--r-- 1 root wheel 7640 Aug 7 19:01 nis.schema.sample
-r--r--r-- 1 root wheel 3308 Aug 7 19:01 openldap.ldif
-r--r--r-- 1 root wheel 1514 Aug 7 19:01 openldap.schema
-r--r--r-- 1 root wheel 1514 Aug 7 19:01 openldap.schema.sample
-r--r--r-- 1 root wheel 6904 Aug 7 19:01 pmi.ldif
-r--r--r-- 1 root wheel 20467 Aug 7 19:01 pmi.schema
-r--r--r-- 1 root wheel 20467 Aug 7 19:01 pmi.schema.sample
-r--r--r-- 1 root wheel 4570 Aug 7 19:01 ppolicy.ldif
-r--r--r-- 1 root wheel 20489 Aug 7 19:01 ppolicy.schema
-r--r--r-- 1 root wheel 20489 Aug 7 19:01 ppolicy.schema.sample
./slapd.d:
total 8
drwxr-x--- 3 ldap ldap 512 Aug 16 11:30 cn=config
-rw------- 1 ldap ldap 680 Aug 16 11:30 cn=config.ldif
./slapd.d/cn=config:
total 24
-rw------- 1 ldap ldap 453 Aug 16 11:30 cn=module{0}.ldif
drwxr-x--- 2 ldap ldap 512 Aug 16 11:30 cn=schema
-rw------- 1 ldap ldap 378 Aug 16 11:30 cn=schema.ldif
-rw------- 1 ldap ldap 496 Aug 16 11:30 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap 584 Aug 16 11:30 olcDatabase={0}config.ldif
-rw------- 1 ldap ldap 649 Aug 16 11:30 olcDatabase={1}mdb.ldif
./slapd.d/cn=config/cn=schema:
total 40
-rw------- 1 ldap ldap 15578 Aug 16 11:30 cn={0}core.ldif
-rw------- 1 ldap ldap 11363 Aug 16 11:30 cn={1}cosine.ldif
-rw------- 1 ldap ldap 2857 Aug 16 11:30 cn={2}inetorgperson.ldif
-rw------- 1 ldap ldap 6495 Aug 16 11:30 cn={3}nis.ldif