I've added the following directives to slapd.conf, but /var/log/slapd.log is not created when "/usr/local/etc/rc.d/slapd start" is run.

Code:
logfile /var/log/slapd.log
loglevel 256

The only clues are in /var/log/messages:

Code:
Jul 11 13:56:21 archaxis slapd[61085]: sql_select option missing
Jul 11 13:56:21 archaxis slapd[61085]: auxpropfunc error no mechanism available

I'm assuming that enough of the slapd failed to start that it could not start logging to the named logfile, i.e., slapd.log. Regardless, what is the significance of the messages in the /var/log/messages file?

The installation of openldap-sasl-client-2.4.23 apparently directed the installation of Cyrus SASL 2.1.23_1, and during the associated make, a config options panel allowed the selection of the Berkeley DB or MySQL. Well, not expecting this (due to my lack of general knowledge) I opted for the MySQL DB because I use it everywhere.

The following code from the slapd.conf seems to indicate that the slapd should expect to use the Berkeley DB rather than MySQL. Also, there are no MySQL backend modules in /usr/local/libexec/openldap.

Code:
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=archaxis,dc=net"
rootdn "cn=Manager,dc=archaxis,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq

Since posting the above, I have discovered the following by running /usr/local/libexec/slapd -d1 (STDERR and/or debug info output to the console and named log file, too):

Code:
TLS: could not use certificate `/usr/local/etc/openldap/.certificates/cert.crt'.
TLS: error:02001002:system library:fopen:No such file or directory /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:352
TLS: error:20074002:BIO routines:FILE_CTRL:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:354
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:470
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

Code:
RE: slapd.conf
#TLSCertificateFile /usr/local/etc/openldap/.certificates/cert.crt    # does not like this!
TLSCertificateKeyFile /usr/local/etc/openldap/.certificates/cert.key
TLSCACertificateFile /usr/local/etc/openldap/.certificates/cacert.crt

Obviously this was a certificate problem. I still don't understand the messages that were only logged in the /var/log/messages log, because they certainly do not allude to any problem with the certificate or the fact that it could not be found; regardless, by pointing the TLSCACertificateFile directive to the correct CACERT file, /usr/local/etc/openldap/.certificates/cacert.crt, the slapd will start and run.

This document, http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html, indicates that the three TLSCertificate* directives should be used, but I've found that, as indicated above, the slapd will complain if TLSCertificateFile /usr/local/etc/openldap/.certificates/cert.crt is used.

. . . so moving on to solving this problem:

Code:
backend_startup_one: starting "dc=archaxis,dc=net"
bdb_db_open: warning - no DB_CONFIG file found in directory /var/db/openldap-data: (2).
Expect poor performance for suffix "dc=archaxis,dc=net".
bdb_db_open: database "dc=archaxis,dc=net": dbenv_open(/var/db/openldap-data).
slapd starting

Regarding the "poor performance" thing, I created the /var/db/openldap-data/DB_CONFIG file (see man SLAPD-BDB(5)) with the following directives:

Code:
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152

I have now observed that /usr/local/libexec/slapd -d1 will start the slapd, but an attempt to start from the /etc/rc.d, e.g., /usr/local/etc/rc.d/slapd start, will fail, and again the only diagnostics are in /var/log/messages, i.e.,

Code:
Jul 11 22:26:10 archaxis slapd[63909]: sql_select option missing
Jul 11 22:26:10 archaxis slapd[63909]: auxpropfunc error no mechanism available

I'm totally puzzled by this one . . . probably not seeing the forest for the trees. Again, all suggestions are much appreciated!
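A pre-flight check for the paths this thread turns on, added here as an example and not part of the original post: it reads the TLS*File and directory directives out of a slapd.conf and reports every path that is missing or unreadable, which is the fopen error slapd -d1 printed to the console but the rc.d start never surfaced. The config and certificate files it inspects are constructed in a temp directory (not the real /usr/local/etc/openldap); running it as the account the rc.d script starts slapd under, so permission problems root never sees also show up, is my assumption about a useful way to use it, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: check the files slapd.conf
# points at before starting slapd, since under rc.d the TLS fopen error
# is lost and only the SASL lines reach /var/log/messages.

# Print "MISSING <directive> <path>" or "UNREADABLE <directive> <path>"
# per problem; return 1 if any was found, else 0. Commented-out directives
# ("#TLSCertificateFile ...") are skipped because their first word starts
# with '#'. Names are matched in the case the post uses.
check_slapd_files() {
    conf="$1"
    problems=0
    while read -r directive value _rest; do
        case "$directive" in
            TLSCertificateFile|TLSCertificateKeyFile|TLSCACertificateFile|directory)
                path=${value#\"}; path=${path%\"}   # strip optional quotes
                if [ ! -e "$path" ]; then
                    printf 'MISSING %s %s\n' "$directive" "$path"
                    problems=1
                elif [ ! -r "$path" ]; then
                    printf 'UNREADABLE %s %s\n' "$directive" "$path"
                    problems=1
                fi
                ;;
        esac
    done < "$conf"
    return $problems
}

# Constructed demo data in a temp dir: the post's three TLS directives
# and database directory, with cert.crt deliberately absent.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/.certificates" "$DEMO_DIR/openldap-data"
: > "$DEMO_DIR/.certificates/cert.key"
: > "$DEMO_DIR/.certificates/cacert.crt"
DEMO_CONF="$DEMO_DIR/slapd.conf"
cat > "$DEMO_CONF" <<EOF
# constructed slapd.conf fragment
TLSCertificateFile    $DEMO_DIR/.certificates/cert.crt
TLSCertificateKeyFile $DEMO_DIR/.certificates/cert.key
TLSCACertificateFile  $DEMO_DIR/.certificates/cacert.crt
directory             $DEMO_DIR/openldap-data
EOF

if check_slapd_files "$DEMO_CONF"; then
    echo "all referenced files present and readable; safe to start slapd"
else
    echo "fix the paths above before starting slapd"
fi
```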