Solved OpenLDAP (failed to start) with TLS option

I recently installed OpenLDAP and I can start it with the base configuration after only changing the domain name and root secret.

Then I added these directives to /usr/local/etc/openldap/slapd.conf:

security ssf=128

TLSCertificateFile /path/to/your/cert.crt
TLSCertificateKeyFile /path/to/your/cert.key
TLSCACertificateFile /path/to/your/cert.crt

Now when I try to start slapd(8), I get this error:

root@hyperion:~ # /usr/local/etc/rc.d/slapd start
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

I figured out that it is specifically the TLSCertificateFile and TLSCACertificateFile. I ensured that I used chmod(1) to change the ownership of those files to the user ldap and their permissions actually allow any user to read (just as a temporary measure).

I don't see slapd(8) logging anywhere either to see a more detailed reason why it wouldn't start.

Oh, and another thing: I initially got a DB error (Unrecognized database type (mdb)) so I uncommented out the moduleload back_mdb line in slapd.conf.

How do I get TLS working on my instance of OpenLDAP?
Last edited by a moderator:
You need to create ssl hashed links to the certs, like this:

ln -s hostname.cert.pem `openssl x509 -hash -noout -in hostname.cert.pem`.0

You might want to set the loglevel way up there to see what's really happening since whatever is returned from the command line is not goinig to be informative enough to troubleshoot.

Also, check out
Datapanic, I don't know why I would need to do that.

I did solve the issue. The certificates were not validating (although I couldn't get logging to work). I was using the same certificate for both the TLSCertificateFile and the TLSCACertificateFile. After I made an actual CA with OpenSSL, everything worked.