OpenLDAP suddenly fails to start

Hi,

Today one of my LDAP servers stopped working out of the blue and unfortunately it won't start anymore:
service slapd restart
Code:
slapd not running? (check /var/run/openldap/slapd.pid).
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
And here is the log:
Code:
Apr 27 14:01:57 core slapd[41063]: main: TLS init def ctx failed: -1
Apr 27 14:01:57 core slapd[41063]: slapd stopped.
Apr 27 14:01:57 core slapd[41063]: connections_destroy: nothing to destroy.
The only thing I've done on this server was updating all ports last night. I even checked /usr/ports/UPDATING for anything I should take care of before the update process.

Despite the fact that I enabled loglevel 256 (0x100), it won't go verbose. But I realized that when I comment out the following lines in my /usr/local/etc/openldap/slapd.conf it starts just fine:
Code:
security ssf=128      # The server still starts, but this should be commented out too, otherwise clients cannot authenticate
#TLSCertificateFile /path/to/.crt
#TLSCertificateKeyFile /path/to/.key
#TLSCACertificateFile /path/to/.crt

I checked the path and permissions and they were OK. Moreover, I rebuilt both net/openldap24-server and net/openldap24-client without any luck. By the way, these are the options used to build OpenLDAP:
Code:
[X] BDB
[X] DYNAMIC_BACKENDS
[X] MDB
[X] SYNCPROV
And if it helps, I do not have OpenSSL from ports installed and just stick with the one from base.

I'm going crazy over this. Any ideas folks?
 
Start slapd with -d -1 for maximum detail.

Thanks, it did the trick.
Code:
TLS: could not load verify locations (file:`/path/to/.crt',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:169
TLS: error:2006D002:BIO routines:BIO_new_file:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:174
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274
553f49b0 main: TLS init def ctx failed: -1
553f49b0 slapd destroy: freeing system resources.
553f49b0 slapd stopped.
553f49b0 connections_destroy: nothing to destroy.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

I realized that it was a permission error; now I recall I messed with the certificate folder and file permissions a few days ago. I thought putting 0400 permissions on them was a good idea.

In addition to the +r permission, the folder has to have the +x permission. I had to set the permissions for all users.
Code:
drwxr-xr-x  root  wheel  {FOLDER}
-r--r--r--  root  wheel  {CERT_FILES}

Since I use one single certificate for all my services, maybe it's better to create an SSL group and add all required users to that group, and then make the SSL group the owner.

Thanks again.
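The fix in the last post boils down to a path check: every directory between / and the certificate needs +x for the slapd user, and the file itself needs +r. The script below is an added example, not code from the thread or from the OpenLDAP port, that walks a certificate path and reports which component blocks an unprivileged user. It assumes slapd runs as a user that is neither the owner nor in the owning group of the files (the FreeBSD port's default slapd user, normally ldap, is in that position when the files are root:wheel), so only the "other" mode bits are evaluated. It reads the bits from the first column of ls -ld, which has the same layout on BSD and GNU ls, rather than testing real access, so it gives the same answer whether you run it as root or not. The file name and directory in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: report whether a user outside the owner and group of a
# certificate path can reach and read it (what slapd needs at TLS init).
# The script inspects mode bits instead of real access, so running it as
# root does not mask the problem the way "cat" as root would.

# Ten-character mode string, e.g. "drwxr-xr-x" (ACL/extattr markers dropped).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# A directory can be entered by "other" if its last bit is x, or t (sticky + x).
other_can_traverse() {
    case "$(mode_of "$1")" in
        ?????????[xt]) return 0 ;;
        *) return 1 ;;
    esac
}

# A file can be read by "other" if the eighth character is r.
other_can_read() {
    case "$(mode_of "$1")" in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk from the certificate up to / and print one verdict line per component.
# Returns 0 only when every directory has +x and the file has +r for others.
check_cert_path() {
    # Resolve to an absolute, symlink-free path so the walk ends at "/".
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    file=$dir/$(basename "$1")
    rc=0
    while :; do
        if other_can_traverse "$dir"; then
            printf 'ok   %s  %s\n' "$(mode_of "$dir")" "$dir"
        else
            printf 'FAIL %s  %s (no +x for others)\n' "$(mode_of "$dir")" "$dir"
            rc=1
        fi
        if [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    if other_can_read "$file"; then
        printf 'ok   %s  %s\n' "$(mode_of "$file")" "$file"
    else
        printf 'FAIL %s  %s (no +r for others)\n' "$(mode_of "$file")" "$file"
        rc=1
    fi
    return $rc
}

# Usage (placeholder path): sh check_cert_perms.sh /usr/local/etc/openldap/certs/server.crt
if [ "$#" -gt 0 ]; then
    check_cert_path "$1"
fi
```

A 0400 certificate or a 0700 directory anywhere on the path shows up as a FAIL line, which is exactly the fopen: Permission denied that the -d -1 output above reported. If you go the group route instead of world-readable files (on FreeBSD: pw groupadd ssl-cert, pw groupmod ssl-cert -m ldap, then chgrp the directory and files to ssl-cert and use 0750 on the directory and 0640 on the key and certificates), this checker's "other" view no longer applies; verify as the service user instead, for example su -m ldap -c 'cat /path/to/server.crt' with your real path. Keep the private key out of the "other" class in either layout; only the certificate and CA files need to be readable beyond the service user.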
 