
Re: OpenLDAP/TLS main: TLS init def ctx failed: -207



On Sun, 25 Jan 2009, Technical Home wrote:
[given]
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem
[we get]
root@SERVER:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
main: TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.
[which is]
ssl.h, 207 code refers to the macro "#define SSL_F_SSL_VERIFY_CERT_CHAIN"

Are you sure that all of these files are readable as group/user "openldap"?


Make sure that those options really are present/being parsed properly, perhaps by setting debug level "config" and/or looking for open() with strace or similar. Actually, a strace on open() would be the appropriate test for my EPERM theory, too. If they're not... upgrade to the latest available version. There were some back-config fixes in 2.4.13, for example.
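The two checks suggested in this reply (are the three olcTLS* files readable as the openldap user, and does an strace of slapd show open() failing on one of them), as an added example script that is not code from the thread. It assumes the file paths and the "openldap" user from the original post, that sudo is available for the definitive per-user read test, and that strace prints calls in the usual `open("path", flags) = -1 ERRNO (...)` form; the strace excerpt at the bottom is constructed, not output from the poster's system.

```shell
#!/bin/sh
# Added example for the checks suggested in the reply; not code from the
# thread. Paths and the service user "openldap" come from the original post;
# sudo and ls -l output in the usual layout are assumed to be available.

SLAPD_USER=openldap
TLS_FILES="/etc/ssl/certs/cacert.pem /etc/ssl/certs/SERVER.crt /etc/ssl/private/cakey.pem"

# perm_summary FILE
# Prints "FILE: owner:group mode verdict", the verdict being derived from the
# mode bits alone: owner-only, group-readable or world-readable.
# Prints "FILE: missing" and returns 1 if the path does not exist.
perm_summary() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    # ls -ld gives e.g. "-rw-r----- 1 root ssl-cert 1704 Jan 25 10:00 /etc/ssl/private/cakey.pem"
    set -- $(ls -ld "$f")
    mode=$1 owner=$3 group=$4
    case $mode in
        ???????r??*) who=world-readable ;;   # "other" read bit set
        ????r?????*) who=group-readable ;;   # group read bit set
        *)           who=owner-only ;;
    esac
    echo "$f: $owner:$group $mode $who"
}

# readable_as USER FILE
# The definitive test: does USER actually get read access (this also covers
# ACLs and supplementary groups)? Needs sudo; -n avoids hanging on a prompt.
readable_as() {
    sudo -n -u "$1" test -r "$2" 2>/dev/null
}

# failed_tls_opens
# Reads strace output on stdin, e.g. from
#   strace -f -e trace=open,openat -o slapd.trace slapd -u openldap -g openldap ...
# and prints "path ERRNO" for every open()/openat() that returned -1.
# Handles the optional leading pid that strace -f adds to each line.
failed_tls_opens() {
    awk '/^([0-9]+ +)?open(at)?\(.*\) += -1 / {
        match($0, /"[^"]*"/)                 # first quoted string is the path
        path = substr($0, RSTART + 1, RLENGTH - 2)
        sub(/.*= -1 /, "")                   # leave "EACCES (Permission denied)"
        print path, $1
    }'
}

# Constructed strace excerpt (not real output from the poster's machine):
# the CA and server certs open fine, the private key does not.
SAMPLE_STRACE='open("/etc/ssl/certs/cacert.pem", O_RDONLY) = 7
open("/etc/ssl/certs/SERVER.crt", O_RDONLY) = 7
open("/etc/ssl/private/cakey.pem", O_RDONLY) = -1 EACCES (Permission denied)'

main() {
    echo "== mode bits of the configured TLS files (compare the group with: id $SLAPD_USER) =="
    for f in $TLS_FILES; do
        perm_summary "$f" || continue
        if command -v sudo >/dev/null 2>&1; then
            if readable_as "$SLAPD_USER" "$f"; then
                echo "  readable as $SLAPD_USER: yes"
            else
                echo "  readable as $SLAPD_USER: NO (or sudo refused)"
            fi
        fi
    done
    echo "== failed open() calls in strace output =="
    if [ $# -gt 0 ]; then
        failed_tls_opens < "$1"          # a real trace file given on the command line
    else
        printf '%s\n' "$SAMPLE_STRACE" | failed_tls_opens
    fi
}

main "$@"
```

Run it as root on the server (`sh check_tls_files.sh [slapd.trace]`). A key file reported as group-readable only helps if the group shown is one that `id openldap` lists; `readable_as` settles that question directly, and a trace line ending in EACCES or ENOENT for one of the three paths points at the file slapd could not open before the -207 failure.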