I am trying to setup a fresh OpenLDAP on my centos7 node\
cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
The node had a half baked OpenLDAP, that I cleaned up using the below commands
systemctl stop slapd
systemctl disable slapd
yum -y remove openldap-servers openldap-clients
rm -rf /var/lib/ldap
userdel ldap
rm -rf /etc/openldap
Then I have installed the OpenLDAP package again using yum
yum install openldap openldap-servers -y
yum install openldap-clients -y
rpm -qa | grep openldap
openldap-2.4.44-25.el7_9.x86_64
openldap-servers-2.4.44-25.el7_9.x86_64
openldap-devel-2.4.44-25.el7_9.x86_64
openldap-clients-2.4.44-25.el7_9.x86_64
After this; I am trying to start slapd which is failing
systemctl start slapd
Job for slapd.service failed because the control process exited with error code. See "systemctl status slapd.service" and "journalctl -xe" for details.
systemctl status -l slapd.service
ā slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2023-05-14 15:52:24 UTC; 57s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 1037 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
Process: 1022 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com runuser[1025]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com runuser[1025]: pam_unix(runuser:session): session closed for user ldap
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: main: TLS init def ctx failed: -1
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: slapd stopped.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: connections_destroy: nothing to destroy.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: slapd.service: control process exited, code=exited status=1
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: Failed to start OpenLDAP Server Daemon.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: Unit slapd.service entered failed state.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: slapd.service failed.
Here are some suspected TLS related configs
ls -l /etc/openldap/certs/
total 12
-rw-r--r--. 1 ldap ldap 1371 May 14 15:27 myCA.pem
-rw-r--r--. 1 ldap ldap 1379 May 14 15:31 OpenLDAP Server
-rw-r--r--. 1 ldap ldap 1675 May 14 15:30 password
file /etc/openldap/certs/myCA.pem /etc/openldap/certs/OpenLDAP\ Server /etc/openldap/certs/password
/etc/openldap/certs/myCA.pem: PEM certificate
/etc/openldap/certs/OpenLDAP Server: PEM certificate
/etc/openldap/certs/password: PEM RSA private key
grep -R olcTLS /etc/openldap/slapd.d
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: "OpenLDAP Server"
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/certs/password
I suspect that either some previously half baked OpenLDAP settings are causing the TLS error main: TLS init def ctx failed: -1
; or else olcTLSCACertificatePath: /etc/openldap/certs
is not picking /etc/openldap/certs/myCA.pem
I decided to comment below lines using vi and it works but I do not think this is the best way to do this.
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: "OpenLDAP Server"
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/certs/password