[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP cannot start if some TLS cert value gets invalid

To: openldap-technical <openldap-technical@openldap.org>
Subject: OpenLDAP cannot start if some TLS cert value gets invalid
From: Nick Milas <nick@eurobjects.com>
Date: Sun, 12 Feb 2012 16:24:42 +0200
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20120129 Thunderbird/10.0

Hi,

I found out that if, in a working OpenLDAP installation, weinadvertently change the value of:


   olcTLSCertificateKeyFile: /path/to/key.pem

to some invalid value, like:

   olcTLSCertificateKeyFile: /path/to/non/existing/key.pem

then OpenLDAP continues to work (and we see no error messagewhatsoever), but if it is stopped, it refuses to restart. In the logs,while OpenLDAP is starting, we see:


   Feb 11 16:20:44 vdev slapd[15272]: main: TLS init def ctx failed: -1

and then service is immediately stopped.

I believe that in such cases at least OpenLDAP could start without TLSsupport, logging the problem and not being unable to restart.

The same should hold true for the other associated attributes(olcTLSCACertificateFile, olcTLSCertificateFile), for which I didn'ttest separately.

A workaround if this happens (because, since OpenLDAP server is notrunning, we cannot easily change the dynamic config) could be to createa symbolic link (/path/to/non/existing/key.pem)to the true file(/path/to/working/key.pem), and thus OpenLDAP can start.


Any comments/advice?

Thanks,
Nick

Follow-Ups:
- Re: OpenLDAP cannot start if some TLS cert value gets invalid
  - From: Michael StrÃder <michael@stroeder.com>

Prev by Date: Re: ldapmodify is crashing the slapd process
Next by Date: Re: OpenLDAP cannot start if some TLS cert value gets invalid
Index(es):
- Chronological
- Thread