Problem
system: Ubuntu 14.04
version: OpenLDAP 2.4.42
tool: slapd ldap-utils openssl libssl-dev
I created the certificate with openssl and added it to the cn=config database. Restarting the service then failed with this syslog error:
“main: TLS init def CTX failed: -1”
I created the cert file with openssl on Ubuntu 14.04, so I had installed openssl/libssl-cert beforehand; the error appeared in this environment. When I started the service, it failed with “main: TLS init def CTX failed: -1” in syslog.
Solution
It works after the following steps:
- Check the certificate file path: make sure the path configured in cn=config (olcTLSCertificateFile and olcTLSCertificateKeyFile) exists and is correct.
- Check the certificate file ownership and permissions. slapd runs as the openldap user, so that user must be able to read the cert and the key, and the key should be readable by nobody else:
chown openldap:openldap /etc/ssl/certs/ldapcert.pem
chown openldap:openldap /etc/ssl/private/ldapkey.pem
chmod 0400 /etc/ssl/certs/ldapcert.pem
chmod 0400 /etc/ssl/private/ldapkey.pem
Example (ls -l output after the commands above):
-rw-r--r-- 1 root     root     1383 Dec  1 09:47 /etc/ssl/certs/cacert.pem
-r-------- 1 openldap openldap 3808 Dec  1 09:48 /etc/ssl/certs/ldapcert.pem
-r-------- 1 openldap openldap  891 Dec  1 09:47 /etc/ssl/private/ldapkey.pem
- Check whether libssl-dev and ssl-cert are installed, especially ssl-cert.
- Check whether the user openldap is in the group ssl-cert; if not, add it:
adduser openldap ssl-cert
- Check whether the certificate itself is valid by verifying it against the CA certificate:
openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem
- Check AppArmor, together with the first step: if your cert file is not under /etc/ssl/..., you must add your cert file path to /etc/apparmor.d/usr.sbin.slapd, then reload the AppArmor service like this:
/etc/init.d/apparmor reload
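As an added example (not part of the original post), a POSIX shell script that automates the checks in the steps above: file ownership and mode, ssl-cert group membership, openssl verify against the CA, and whether the slapd AppArmor profile covers the certificate directory. It assumes GNU coreutils stat and that you pass the paths configured in cn=config; the function names are my own.

```shell
#!/bin/sh
# Added pre-flight checks for the slapd TLS files (hypothetical helper, not
# part of the original post). Assumes GNU coreutils `stat`; pass the paths
# configured in cn=config (olcTLSCertificateFile / olcTLSCertificateKeyFile /
# olcTLSCACertificateFile).

# 0 if FILE exists, is owned by OWNER and has octal mode MODE, else 1.
check_tls_file() {
    file=$1; owner=$2; mode=$3
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    actual_owner=$(stat -c '%U' "$file")
    actual_mode=$(stat -c '%a' "$file")
    [ "$actual_owner" = "$owner" ] ||
        { echo "wrong owner on $file: $actual_owner (want $owner)"; return 1; }
    [ "$actual_mode" = "$mode" ] ||
        { echo "wrong mode on $file: $actual_mode (want $mode)"; return 1; }
}

# 0 if USER is a member of GROUP (via `id -Gn`), else 1.
in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# 0 if the slapd AppArmor profile can read PATH: anything under /etc/ssl/ is
# already allowed by the stock profile; otherwise the profile must name the
# directory. A missing profile means AppArmor is not confining slapd.
apparmor_allows() {
    profile=/etc/apparmor.d/usr.sbin.slapd
    case $1 in /etc/ssl/*) return 0 ;; esac
    [ -f "$profile" ] || return 0
    grep -qF "$(dirname "$1")" "$profile"
}

# Run every check from the steps above; prints each failure, returns 1 on any.
check_ldap_tls() {
    cert=$1; key=$2; ca=$3; rc=0
    check_tls_file "$cert" openldap 400 || rc=1
    check_tls_file "$key" openldap 400 || rc=1
    [ -f "$ca" ] || { echo "missing CA: $ca"; rc=1; }
    in_group openldap ssl-cert || { echo "openldap not in group ssl-cert"; rc=1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "openssl verify failed for $cert"; rc=1; }
    for f in "$cert" "$key"; do
        apparmor_allows "$f" || { echo "AppArmor profile does not cover $f"; rc=1; }
    done
    return $rc
}
```

Run it as root with the three paths from cn=config, e.g. `check_ldap_tls /etc/ssl/certs/ldapcert.pem /etc/ssl/private/ldapkey.pem /etc/ssl/certs/cacert.pem`, before restarting slapd.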
If you have any other questions, feel free to contact me at 32634366@qq.com.
PS:
I was stuck on this for a long time; it worked after I installed ssl-cert and added the user openldap to the group ssl-cert.
Ref:
http://readthefuckingmanual.net/error/1257/