Comments on The Truth Imperative: OpenLDAP/OpenSSL stupidity (blog by Jason Axley)

anonymous (2007-09-07):
I know this is from almost two years ago, but I hit this on Google, so other people will, too. If you build your standard slapd with SASL2 support, then it will look in your SASL2 lib dir (usually /usr/lib/sasl2) for a config file that contains SASL2 config directives. This file often shares the name of the process that's looking for it, and has the .conf extension. In other words: /usr/lib/sasl2/slapd.conf. Making a symbolic link to your /etc/ldap/slapd.conf in /usr/lib/sasl2 is a bad idea, since this file contains directives for the SASL2 libraries, and not for slapd, as USlacker said.

uslacker (2005-10-22):
I didn't understand it either. All I could guess was that SASL uses a .conf file for app-specific config.
More importantly, I found the problem. I had added
  TLS_CACERT /etc/openldap/cacert.pem
to my ldap.conf file (trying to make phpldapadmin use TLS). While strace didn't report it, as soon as I removed it, slapd started.
Thanks for the help and the lead.

core24, http://juxtaposition.axley.net (2005-10-22):
USlacker:
Not sure why slapd would be trying to open slapd.conf in the /usr/lib/sasl2 directory. This file is typically in /etc/openldap or /etc/ldap, depending on your distro.
Instead of "touching" the file in that directory, try making a symbolic link to the real slapd.conf file and seeing if that makes a difference. For example:
  rm /usr/lib/sasl2/slapd.conf
  ln -s /etc/ldap/slapd.conf /usr/lib/sasl2/slapd.conf
And see if openldap starts after that.
Have you tried running slapd with the debug flag -d 6 and looking at the output to see what's up?

USlacker (2005-10-22):
This is the first helpful post on this, but it hasn't helped - yet! I learned to use strace today, though, and found this error:
  open("/usr/lib/sasl2/slapd.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
Sure enough, the file doesn't exist. So I touched it and the error is gone, but still no slapd.

Rick (2005-01-25):
Oh, thank you so much for this post! It fixed a very similar problem for me. I chowned ldap:ldap all of my LDAP certificates & it magically worked.

tls (2004-02-12):
Thanks, I've just had this after hacking around with openssl.cnf for multiple certificate generation with multiple CNs and AltServerNames.
Found you on Google :)
Completely agree that the error messages weren't helpful.

gba, http://undef.net (2003-10-17):
Oh my god, I've been battling with the same problem for an hour or so now. It finally came down to a permissions problem with my certs, although not exactly the openssl.cnf problem. They certainly don't make the error message intuitive...