
Re: -u and -g not working with slapd


Jim C. wrote:
| Figured it out.
| OK, so:
| [root@enigma openldap]# /usr/sbin/slapd -d 16 -u ldap -g ldap -l LOCAL0
| -s 0 -h "ldap:/// ldaps:/// "
| returns this:
| bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (March 25, 2004)
| TLS: could not load verify locations
| (file:`/etc/ssl/openldap/ldap.pem',dir:`').
| TLS: error:02001002:system library:fopen:No such file or directory
| bss_file.c:104
| TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:107
| TLS: error:0B084002:x509 certificate
| routines:X509_load_cert_crl_file:system lib by_file.c:274
| main: TLS init def ctx failed: -1
| slapd stopped.
| connections_destroy: nothing to destroy.
| [root@enigma openldap]#
| ldap.pem, huh? Bad perms/ownership?
| It is showing root.root as owner.  I've changed it to root.ldap and now
| it works fine.... except when /etc/ssl/openldap/ldap.pem does not exist.
| Then we have the same error because the new script does not generate
| /etc/ssl/openldap/ldap.pem dynamically when the file is found to be
| non-existent.  This was the case in previous versions of the
| /etc/init.d/ldap initscript on Mandrake.

I don't think so:

Certs are currently (and have been for a long time) generated in %post
of openldap-servers:

$ rpm -q --scripts openldap-servers |grep -C5 "\.pem"
                chmod 0600 $i
                chown ldap:ldap $i
        fi

# generate the ldap.pem cert here instead of the initscript
if [ ! -e /etc/ssl/openldap/ldap.pem ] ; then
  if [ -x /usr/share/openldap/gencert.sh ] ; then
    echo "Generating self-signed certificate..."
    pushd /etc/ssl/openldap/ > /dev/null
    yes ""|/usr/share/openldap/gencert.sh >/dev/null 2>&1
    chmod 640 ldap.pem
    chown root:ldap ldap.pem
    popd > /dev/null
  fi
  echo "To generate a self-signed certificate, you can use the utility"
  echo "/usr/share/openldap/gencert.sh..."

We can't do *everything* for the user ... (but a better solution is
required for managing certificates, don't know if we'll have time to
implement for 10.1 though ...).

Either you lost your cert in the upgrade, or a combination of your
slapd.conf and the bad regex that was in the older init script was
saving you from this problem before?


--
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
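A pre-flight check for the failure discussed in this thread, added here as an example (it is not part of the original mail or of the Mandrake package scripts): given the cert path and the user/group passed to slapd -u/-g, it verifies that the file exists, is not world-readable, and is readable by that user as owner or via that group, which is what the chmod 640 / chown root:ldap in the %post scriptlet establishes. It assumes GNU stat -c (coreutils) is available.

```shell
#!/bin/sh
# check_cert_access FILE USER GROUP
# Returns 0 if FILE exists, is not world-readable, and is readable by USER
# (as owner) or by members of GROUP; otherwise prints the reason and
# returns 1. USER/GROUP are the values given to slapd -u/-g.
# Assumes GNU stat (coreutils); not part of the openldap-servers package.
check_cert_access() {
    file=$1; user=$2; group=$3
    if [ ! -e "$file" ]; then
        echo "MISSING: $file (restore it or run gencert.sh)"
        return 1
    fi
    # "%a %U %G" -> e.g. "640 root ldap"
    set -- $(stat -c '%a %U %G' "$file")
    [ $# -eq 3 ] || return 1
    mode=$1; owner=$2; grp=$3
    # keep only the rightmost three octal digits (owner, group, other),
    # left-padding short values such as "60" to "060"
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    mode=${mode#"${mode%???}"}
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ $(( o & 4 )) -ne 0 ]; then
        echo "WORLD-READABLE: $file is mode $mode (private key exposed)"
        return 1
    fi
    if [ "$owner" = "$user" ] && [ $(( u & 4 )) -ne 0 ]; then
        echo "OK: $file readable by owner $user (mode $mode)"
        return 0
    fi
    if [ "$grp" = "$group" ] && [ $(( g & 4 )) -ne 0 ]; then
        echo "OK: $file readable via group $group (mode $mode)"
        return 0
    fi
    echo "UNREADABLE: $file is $owner:$grp mode $mode;" \
         "slapd -u $user -g $group cannot open it"
    return 1
}

# Run directly as: sh check_cert.sh /etc/ssl/openldap/ldap.pem ldap ldap
if [ $# -gt 0 ]; then
    check_cert_access "$1" "${2:-ldap}" "${3:-ldap}"
fi
```

With the thread's original state (root.root, mode 0600) it reports UNREADABLE; after the chown root:ldap it reports OK via the group.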