[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP cannot start if some TLS cert value gets invalid

Nick Milas wrote:
I found out that if, in a working OpenLDAP installation, we inadvertently
change the value of:

olcTLSCertificateKeyFile: /path/to/key.pem

to some invalid value, like:

olcTLSCertificateKeyFile: /path/to/non/existing/key.pem

then OpenLDAP continues to work (and we see no error message whatsoever), but
if it is stopped, it refuses to restart. In the logs, while OpenLDAP is
starting, we see:

Feb 11 16:20:44 vdev slapd[15272]: main: TLS init def ctx failed: -1

and then service is immediately stopped.

I believe that in such cases at least OpenLDAP could start without TLS

No! If one configures TLS support OpenLDAP must not start if any parameter has an invalid value. One could think about starting solely with LDAPI support to make back-config accessible.

IMO your operational procedure should mandate that slapd has to be restarted to test if any parameter was changed which affects startup. Or better in your operational concept define a white-list of parameters allowed to be changed via back-config without restart.

This ITS might also be interpreted that back-config should validate whether all the TLS-related files are actually readable. But this is tricky because slapd drops privileges after startup and at least the private key file is likely not be readable by the slapd demon user.

Ciao, Michael.