linuxldapcentos7openldaptls1.3

How to overcome main: TLS init def ctx failed: -1 for slapd startup


I am trying to setup a fresh OpenLDAP on my centos7 node\

cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

The node had a half baked OpenLDAP, that I cleaned up using the below commands

systemctl stop slapd
systemctl disable slapd
yum -y remove openldap-servers openldap-clients 
rm -rf /var/lib/ldap
userdel ldap
rm -rf /etc/openldap

Then I have installed the OpenLDAP package again using yum

yum install openldap openldap-servers -y
yum install openldap-clients -y

rpm -qa | grep openldap
openldap-2.4.44-25.el7_9.x86_64
openldap-servers-2.4.44-25.el7_9.x86_64
openldap-devel-2.4.44-25.el7_9.x86_64
openldap-clients-2.4.44-25.el7_9.x86_64

After this; I am trying to start slapd which is failing

systemctl start slapd
Job for slapd.service failed because the control process exited with error code. See "systemctl status slapd.service" and "journalctl -xe" for details.

systemctl status -l slapd.service
ā— slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2023-05-14 15:52:24 UTC; 57s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 1037 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 1022 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)

May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com runuser[1025]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com runuser[1025]: pam_unix(runuser:session): session closed for user ldap
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $
                                                                                mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: main: TLS init def ctx failed: -1
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: slapd stopped.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: connections_destroy: nothing to destroy.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: slapd.service: control process exited, code=exited status=1
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: Failed to start OpenLDAP Server Daemon.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: Unit slapd.service entered failed state.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: slapd.service failed.

Here are some suspected TLS related configs

ls -l /etc/openldap/certs/
total 12
-rw-r--r--. 1 ldap ldap 1371 May 14 15:27 myCA.pem
-rw-r--r--. 1 ldap ldap 1379 May 14 15:31 OpenLDAP Server
-rw-r--r--. 1 ldap ldap 1675 May 14 15:30 password

file /etc/openldap/certs/myCA.pem /etc/openldap/certs/OpenLDAP\ Server /etc/openldap/certs/password
/etc/openldap/certs/myCA.pem:        PEM certificate
/etc/openldap/certs/OpenLDAP Server: PEM certificate
/etc/openldap/certs/password:        PEM RSA private key

grep -R olcTLS /etc/openldap/slapd.d
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: "OpenLDAP Server"
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/certs/password

I suspect that either some previously half baked OpenLDAP settings are causing the TLS error main: TLS init def ctx failed: -1; or else olcTLSCACertificatePath: /etc/openldap/certs is not picking /etc/openldap/certs/myCA.pem


Solution

  • I decided to comment below lines using vi and it works but I do not think this is the best way to do this.

    /etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
    /etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: "OpenLDAP Server"
    /etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/certs/password