[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Error when starting Openldap

On Tue, 7 Dec 2004, David Damon wrote:

>                       Platform: IBM Mainframe S/390
>                 OpenLDAP: OpenLDAP2 2.2.6

Thats a really old version ...

>                          DB: BerkeleyDB 4.2.52
>                        Security: Heimdal 0.6.1rc3
>                             SASL: Cyrus-SASL 2.1.18
>                                SSL: OpenSSL 0.9.7d
> Here is the problem:
>         I am trying to use TLS with OpenLDAP. I generated a key and
> certificate ( yes with an FQDN for the certificate request ) and pointed
> the slapd.conf TLS entries to the key and certificate. When I start up
> OpenLDAP it shuts down and I get this error in the logs: main: TLS init
> def ctx failed: -1. I googled for this error an only hit on main: TLS init
> def ctx failed: 0 which is not the error I'm getting. Any ideas out there?
> Thank you in advance.

That error code doesn't tell you a whole lot from my experience. Start
slapd with the '-d -1' option and look for OpenSSL errors in the log. They
can be a little cryptic but might give a hint.  A common mistake is to
forget to configure the location of the certs.

I've found that OpenLDAP is a bit strict about certificates; it might not
like self-signed certs.  We created a fake CA and issue all of our server
certs based off of it, and list the CA cert explicitly.  You may also need
to rip the encryption off.

# TLS configuration
TLSCertificateFile /etc/openldap/currentcert.pem
TLSCertificateKeyFile /etc/openldap/currentkey.pem
TLSCACertificateFile /etc/openldap/demoCA/cacert.pem
TLSVerifyClient never

Our basic cert creation procedure (using the OpenSSL CA tool and an
existing CA):

ksh CA.sh -newreq
opnessl rsa -in newreq.pem -out newkey.pem
ksh CA.sh -sign
copy new*pem to target system (keeping the req around can come in handy

Doug White                    |  FreeBSD: The Power to Serve
dwhite@gumbysoft.com          |  www.FreeBSD.org