
hang on startup with TLS enabled?



My OpenLDAP 2.1.5 server works fine *without* SSL/TLS enabled.
I've followed the SSL/TLS FAQ on enabling SSL/TLS at:

http://www.openldap.org/faq/data/cache/185.html

and have generated a signed server cert using the openssl 0.9.6b CA.pl
script (in /usr/local/openssl/). I've added the TLS options
to slapd.conf:

TLSCACertificateFile	/local/openldap/etc/openldap/certs/cacert.pem
TLSCertificateKeyFile	/local/openldap/etc/openldap/certs/server-key.pem
TLSCertificateFile	/local/openldap/etc/openldap/certs/server-cert.pem

However, when I start up the server it just hangs...

/local/openldap-2.1.5-tcd/libexec/slapd -4 -h "ldap:/// ldaps:///"

It never returns to the shell, and even though the slapd process is
running it hasn't opened the 389 and 636 ports yet. It just hangs there.
The syslog shows:

Jan 14 21:00:43 hermes slapd[30710]: bdb_open: Sleepycat Software: Berkeley DB 4.0.14: (November 18, 2001)
Jan 14 21:00:43 hermes slapd[30710]: bdb_db_init: Initializing BDB database

Starting up with debug on, I see it parses lots of schema-type things and
then hangs... (transcript below).

If I comment out the TLS config lines in slapd.conf it starts perfectly OK.

Any ideas?

Paul

------------------ startup transcript ---------------------------------------
[root@hermes]# /local/openldap-2.1.5-tcd/libexec/slapd -4 -d 1 -h "ldap:/// ldaps:///"
@(#) $OpenLDAP: slapd 2.1.5 (Tue Oct  8 23:12:20 IST 2002) $
paul@hermes.tcd.ie:/usr/local/sources/BUILD/openldap-2.1.5/servers/slapd
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_open: initialize BDB backend
bdb_open: Sleepycat Software: Berkeley DB 4.0.14: (November 18, 2001)
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema,272)=0
<<< dnNormalize: <cn=subschema>
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=tcd,dc=ie>
=> ldap_bv2dn(dc=tcd,dc=ie,0)
<= ldap_bv2dn(dc=tcd,dc=ie,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=tcd,dc=ie,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=tcd,dc=ie,272)=0
<<< dnPrettyNormal: <dc=tcd,dc=ie>, <dc=tcd,dc=ie>
>>> dnPrettyNormal: <cn=admin,dc=tcd,dc=ie>
=> ldap_bv2dn(cn=admin,dc=tcd,dc=ie,0)
<= ldap_bv2dn(cn=admin,dc=tcd,dc=ie,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=tcd,dc=ie,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=tcd,dc=ie,272)=0
<<< dnPrettyNormal: <cn=admin,dc=tcd,dc=ie>, <cn=admin,dc=tcd,dc=ie>
matching_rule_use_init
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( objectClass $ structuralObjectClass $
supportedControl $ supportedExtension $ supportedFeatures $
supportedApplicationContext ) )
    2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $
subschemaSubentry $ namingContexts $ aliasedObjectName $ distinguishedName
$ member $ owner $ roleOccupant $ seeAlso $ manager $ documentAuthor $
secretary $ associatedName $ dITRedirect ) )
    2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ knowledgeInformation $ sn $ serialNumber
$ c $ l $ st $ street $ o $ ou $ title $ description $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $
destinationIndicator $ givenName $ initials $ generationQualifier $
dnQualifier $ houseIdentifier $ dmdName $ labeledURI $ uid $
textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $
documentIdentifier $ documentTitle $ documentVersion $ documentLocation $
personalTitle $ co $ uniqueIdentifier $ organizationalStatus $
buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $
carLicense $ departmentNumber $ displayName $ employeeNumber $
employeeType $ preferredLanguage ) )
    2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME
'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $
dnQualifier ) )
    2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME
'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ knowledgeInformation $ sn $ serialNumber
$ c $ l $ st $ street $ o $ ou $ title $ description $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $
destinationIndicator $ givenName $ initials $ generationQualifier $
dnQualifier $ houseIdentifier $ dmdName $ labeledURI $ uid $
textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $
documentIdentifier $ documentTitle $ documentVersion $ documentLocation $
personalTitle $ co $ uniqueIdentifier $ organizationalStatus $
buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $
carLicense $ departmentNumber $ displayName $ employeeNumber $
employeeType $ preferredLanguage ) )
    2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME
'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $
dnQualifier ) )
    2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME
'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $
dnQualifier ) )
    2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME
'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
    2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME
'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $
homePostalAddress ) )
    2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME
'booleanMatch' APPLIES hasSubordinates )
    2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME
'integerMatch' APPLIES ( supportedLDAPVersion $ mailPreferenceOption $
uidNumber $ gidNumber $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort
$ ipProtocolNumber $ oncRpcNumber ) )
    2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME
'bitStringMatch' APPLIES x500UniqueIdentifier )
    2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME
'octetStringMatch' APPLIES userPassword )
    2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME
'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $
pager ) )
    2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22
NAME 'presentationAddressMatch' APPLIES presentationAddress )
    2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME
'uniqueMemberMatch' APPLIES uniqueMember )
    2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24
NAME 'protocolInformationMatch' APPLIES protocolInformation )
    2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME
'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )
    2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29
NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $
mailPreferenceOption $ uidNumber $ gidNumber $ shadowLastChange $
shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $
shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
    2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: (
2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( objectClass
$ structuralObjectClass $ supportedControl $ supportedExtension $
supportedFeatures $ matchingRules $ attributeTypes $ objectClasses $
matchingRuleUse $ ldapSyntaxes $ supportedApplicationContext ) )
    2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME
'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
    1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $
mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $
nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory
$ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $
ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $
mailLocalAddress $ mailHost $ mailRoutingAddress $ rfc822MailMember ) )
    1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $
mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $
nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory
$ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $
ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $
mailLocalAddress $ mailHost $ mailRoutingAddress $ rfc822MailMember ) )
    1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES (
supportedLDAPVersion $ mailPreferenceOption $ uidNumber $ gidNumber $
shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive
$ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $
oncRpcNumber ) )
    1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES (
supportedLDAPVersion $ mailPreferenceOption $ uidNumber $ gidNumber $
shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive
$ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $
oncRpcNumber ) )
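A pre-flight check worth running before starting a TLS-enabled slapd, added here as an example that is not part of the original post or of OpenLDAP: it reads the three TLS file directives out of slapd.conf, confirms each file is readable and holds the expected kind of PEM object, and flags a passphrase-protected private key, since OpenSSL prompts for the pass phrase when loading one and a daemon started from a shell will wait on that prompt. The config text and PEM fragments are constructed samples that reuse the paths from the post; `sample_reader` stands in for reading real files.

```python
import re
TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateKeyFile", "TLSCertificateFile")

def parse_tls_directives(conf_text):
    # slapd.conf lines are "directive<whitespace>value"; keep only the TLS file directives
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found

def classify_pem(pem_text):
    """'cert', 'key', 'encrypted-key' or 'unknown'; legacy OpenSSL (CA.pl) marks encrypted keys with Proc-Type."""
    if "BEGIN ENCRYPTED PRIVATE KEY" in pem_text:  # PKCS#8 encrypted form
        return "encrypted-key"
    if re.search(r"BEGIN (RSA |DSA |EC )?PRIVATE KEY", pem_text):
        encrypted = re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.M)
        return "encrypted-key" if encrypted else "key"
    return "cert" if "BEGIN CERTIFICATE" in pem_text else "unknown"

def preflight(conf_text, read_file=lambda p: open(p).read()):
    """Return {directive: 'ok' or a problem description} for every TLS file directive."""
    report = {d: "missing from slapd.conf" for d in TLS_DIRECTIVES}
    for directive, path in parse_tls_directives(conf_text).items():
        try:
            kind = classify_pem(read_file(path))
        except OSError as exc:
            report[directive] = f"unreadable: {exc.strerror}"
            continue
        expected = "key" if directive == "TLSCertificateKeyFile" else "cert"
        if kind == "encrypted-key":
            report[directive] = "key is passphrase-protected; OpenSSL prompts for it at load"
        else:
            report[directive] = "ok" if kind == expected else f"expected {expected}, got {kind}"
    return report

# Constructed sample: the post's three directives over an in-memory "filesystem" in which
# the server key is passphrase-protected and the CA certificate file does not exist.
SLAPD_CONF = ("TLSCACertificateFile\t/local/openldap/etc/openldap/certs/cacert.pem\n"
              "TLSCertificateKeyFile\t/local/openldap/etc/openldap/certs/server-key.pem\n"
              "TLSCertificateFile\t/local/openldap/etc/openldap/certs/server-cert.pem\n")
SAMPLE_FILES = {
    "/local/openldap/etc/openldap/certs/server-key.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIC...\n-----END RSA PRIVATE KEY-----\n",
    "/local/openldap/etc/openldap/certs/server-cert.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
}

def sample_reader(path):  # stands in for open(path).read() on the constructed files
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(2, "No such file or directory", path)
    return SAMPLE_FILES[path]
```

Run `preflight("/local/openldap/etc/openldap/slapd.conf")` (the real reader is the default) to check an actual configuration; an encrypted key shows up before slapd is started rather than as a silent hang.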