OpenLDAP main: TLS init def ctx failed: -1

Problem

system: Ubuntu 14.04
version: OpenLDAP 2.4.42
tool: slapd ldap-utils openssl libssl-dev

I created the certificate with openssl on Ubuntu 14.04 (openssl and libssl-dev were already installed) and added it to the cn=config database. Restarting the service then failed, and syslog showed the error:
"main: TLS init def ctx failed: -1"

Solution

It worked after the following steps:

  1. Check that the certificate file paths configured in cn=config exist and are correct.
  2. Check the file permissions of the certificate and key:
    chown openldap.openldap /etc/ssl/certs/ldapcert.pem
    chown openldap.openldap /etc/ssl/private/ldapkey.pem
    chmod -R 0400 /etc/ssl/certs/ldapcert.pem
    chmod -R 0400 /etc/ssl/private/ldapkey.pem
    Example:
    -rw-r--r-- 1 root root 1383 Dec 1 09:47 /etc/ssl/certs/cacert.pem
    -r-------- 1 openldap openldap 3808 Dec 1 09:48 /etc/ssl/certs/ldapcert.pem
    -r-------- 1 openldap openldap 891 Dec 1 09:47 /etc/ssl/private/ldapkey.pem
  3. Check whether libssl-dev and ssl-cert are installed, especially ssl-cert.
  4. Check whether the openldap user is in the ssl-cert group; if not, add it:
    adduser openldap ssl-cert
  5. Check whether the certificate is valid, i.e. verifies against the CA certificate:
    openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem
  6. Check AppArmor. Following on from step 1: if your certificate files are not under /etc/ssl/…, add their paths to /etc/apparmor.d/usr.sbin.slapd, then reload AppArmor:
    /etc/init.d/apparmor reload

If you have any other questions, please feel free to contact me at 32634366@qq.com
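The checklist above as a small diagnostic script. This is an added example, not code from the original post; it assumes the cn=config data has been exported to an LDIF file (for instance with `slapcat -n 0`) and that the expected owner, group and AppArmor profile path are passed in as arguments, while the ssl-cert group and the 0400 mode are taken from the steps above.

```sh
#!/bin/sh
# Added diagnostic helper, not from the original post: runs the checklist above
# against the TLS file paths configured in cn=config, assuming that configuration
# has been exported to an LDIF file (e.g. with `slapcat -n 0`).

# Print "attribute path" for each TLS file attribute in the LDIF. Assumes plain
# single-line values (not base64 "::"), which is how file paths normally appear.
tls_paths_from_ldif() {
    grep -E '^olcTLS(CACertificate|Certificate|CertificateKey)File:' "$1" |
        sed -E 's/^([^:]+): *(.*)$/\1 \2/'
}
# Step 1: the configured path must exist and be a regular file.
check_exists() { [ -f "$1" ]; }
# Step 2: owner, group and octal mode (e.g. 400) must all match.
check_owner_mode() {
    actual=$(stat -c '%U %G %a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2 $3 $4" ]
}
# Step 4: is user $1 a member of group $2?
in_group() { id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"; }
# Step 5: the server certificate must verify against the CA file.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Step 6: paths outside /etc/ssl must be listed in the slapd AppArmor profile.
apparmor_allows() {
    case "$1" in /etc/ssl/*) return 0 ;; esac
    grep -qF "$1" "${2:-/etc/apparmor.d/usr.sbin.slapd}" 2>/dev/null
}
fail() { echo "FAIL: $1"; failures=$((failures + 1)); }

# Run every check. Usage: run_checks <config.ldif> <owner> <group> [profile]
# Returns the number of failed checks, so 0 means everything passed.
run_checks() {
    failures=0; ca=; cert=
    while read -r attr path; do
        [ -n "$attr" ] || continue
        check_exists "$path" || { fail "$attr: $path does not exist"; continue; }
        apparmor_allows "$path" "$4" || fail "$path is not allowed by the AppArmor profile"
        case "$attr" in
            olcTLSCACertificateFile) ca=$path ;;
            *)  [ "$attr" = olcTLSCertificateFile ] && cert=$path
                check_owner_mode "$path" "$2" "$3" 400 || fail "$path is not $2:$3 mode 0400" ;;
        esac
    done <<EOF
$(tls_paths_from_ldif "$1")
EOF
    in_group "$2" ssl-cert || fail "$2 is not in group ssl-cert"
    [ -z "$ca" ] || [ -z "$cert" ] || verify_chain "$ca" "$cert" || fail "$cert does not verify against $ca"
    return "$failures"
}
```

On the host from the post you would run something like `run_checks config.ldif openldap openldap` after exporting cn=config; each failed line maps directly to one of the numbered steps.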

PS:
I was stuck on this for a long time; it finally worked after installing ssl-cert and adding the openldap user to the ssl-cert group.

ref:
http://readthefuckingmanual.net/error/1257/

