OpenLDAP main: TLS init def ctx failed: -1

Problem

system: Ubuntu 14.04
version: OpenLDAP 2.4.42
tools: slapd, ldap-utils, openssl, libssl-dev

The certificate was created with openssl and added to the cn=config database. Restarting the service then failed, with this error in syslog:
“main: TLS init def ctx failed: -1”

I created the cert file with openssl on Ubuntu 14.04. I had installed openssl/libssl-cert before, and the error appeared in this environment. When I started the service, it failed with “main: TLS init def ctx failed: -1” in syslog.


It works after following steps:

  1. Check that the certificate file path in the cn=config configuration exists and is correct.
  2. Check the permissions on the certificate files:
    chown openldap:openldap /etc/ssl/certs/ldapcert.pem
    chown openldap:openldap /etc/ssl/private/ldapkey.pem
    chmod 0400 /etc/ssl/certs/ldapcert.pem
    chmod 0400 /etc/ssl/private/ldapkey.pem
    Example:
    -rw-r--r-- 1 root root 1383 Dec 1 09:47 /etc/ssl/certs/cacert.pem
    -r-------- 1 openldap openldap 3808 Dec 1 09:48 /etc/ssl/certs/ldapcert.pem
    -r-------- 1 openldap openldap 891 Dec 1 09:47 /etc/ssl/private/ldapkey.pem
  3. Check whether libssl-dev and ssl-cert are installed, especially ssl-cert.
  4. Check whether the user openldap has been added to the group ssl-cert:
    adduser openldap ssl-cert
  5. Verify that the certificate is correct:
    openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem
  6. Check AppArmor. This goes together with step 1: if your cert file is not under /etc/ssl/..., you should add your cert file path to /etc/apparmor.d/usr.sbin.slapd, then reload the AppArmor service like this:
    /etc/init.d/apparmor reload

If you have any other questions, feel free to contact me: 32634366

I was stuck on this for a long time; it worked after I installed ssl-cert and added the user openldap to the group ssl-cert.
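
The checks from steps 1, 2, 4 and 5 above, collected into one script. This is an added example, not part of the original post: the function names are hypothetical, the paths, the openldap account and the ssl-cert group are the ones used in the post, and `stat -c` assumes GNU coreutils as shipped on Ubuntu.

```bash
#!/bin/bash
# Added example: pre-flight checks for the slapd TLS files described above.
# Paths and the ssl-cert group come from the post; function names are made up.

# check_pem PATH OWNER: file must exist, belong to OWNER, and be mode 400.
check_pem() {
    local path="$1" owner="$2" actual mode
    if [ ! -f "$path" ]; then
        echo "FAIL $path: missing"; return 1
    fi
    actual=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL $path: owned by $actual, expected $owner"; return 1
    fi
    if [ "$mode" != "400" ]; then
        echo "FAIL $path: mode $mode, expected 400"; return 1
    fi
    echo "OK   $path"
}

# in_group USER GROUP: succeeds if USER is a member of GROUP.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# main USER: run every check for the account slapd runs as (openldap in the post).
main() {
    local user="$1" rc=0
    local ca=/etc/ssl/certs/cacert.pem
    local cert=/etc/ssl/certs/ldapcert.pem
    local key=/etc/ssl/private/ldapkey.pem
    check_pem "$cert" "$user" || rc=1
    check_pem "$key" "$user" || rc=1
    if in_group "$user" ssl-cert; then echo "OK   $user is in ssl-cert"
    else echo "FAIL $user is not in ssl-cert"; rc=1; fi
    # Step 5: the server certificate must chain to the CA file.
    openssl verify -CAfile "$ca" "$cert" || rc=1
    return $rc
}

# Usage: sudo bash check_slapd_tls.sh openldap
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root so that the files under /etc/ssl/private can be inspected; every FAIL line points at the step in the list above that still needs attention.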

