[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap failing to launch if SSL/TLS enabled. error "main: TLS init def ctx failed: -1" ?

Howard Chu <hyc@symas.com> writes:
> Ben Wailea, openldap-software wrote:

>> msgs crossed in the mail, but seems to be the case.

>> again, any issues/problems running openldap as ldap:root, or root:root?

>> or is it 'better' to just make copies of the certs, chown the copies to
>> ldap:ldap, and live with multiple instances?

> Personally I would put ldap and apache into a group and make the key
> readable to that specific group.

Debian, for example, handles cert management by creating an ssl-cert group
and making private keys of certs in /etc/ssl/certs readable by that group
by default, so you can then add the system users for any software that
needs to read private SSL keys to the ssl-cert group.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>