1978 – LDAP server wont start

Bug 1978 - LDAP server wont start

Summary: LDAP server wont start

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	RPM Packages (show other bugs)
Version:	Cauldron
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Buchan Milne
QA Contact:

URL:
Whiteboard:
Keywords:	PATCH

Depends on:
Blocks:

Reported:	2011-06-30 23:14 CEST by Andres Kaaber
Modified:	2012-04-30 14:43 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	openldap-servers
CVE:
Status comment:

Attachments
Patch to generate a single bundle for the private key and certificate (457 bytes, text/plain) 2012-02-06 17:55 CET, Mark Meyer	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Andres Kaaber 2011-06-30 23:14:22 CEST

Description of problem:
After installation of ldap server openldap-servers slapd wont start. Log shows error:
Jul  1 00:11:53 kaaber slapd[11451]: @(#) $OpenLDAP: slapd 2.4.25 (Apr 19 2011 22:44:52) $#012#011iurt@jonund.mageia.org:/home/iurt/rpm/BUILD/openldap-2.4.25/servers/slapd
Jul  1 00:11:53 kaaber slapd[11451]: main: TLS init def ctx failed: -1
Jul  1 00:11:53 kaaber slapd[11451]: slapd stopped.
Jul  1 00:11:53 kaaber slapd[11451]: connections_destroy: nothing to destroy.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. urpmi openldap-server
2./etc/init.d/ldap restart - slapd wont start

Comment 1 Marja Van Waes 2011-10-21 22:08:17 CEST

@ Andres

Sorry for responding so late. We are very short on triagers.

We are still on the same version of openldap-servers, so I guess nothing changed, but please tell us if I am wrong


@ Buchan

Do you mind triaging this bug report?

CC: (none) => bgmilne, bgmilne, marja11
Source RPM: (none) => openldap-servers

Comment 2 Andres Kaaber 2011-10-21 22:19:51 CEST

NP, I can try :)
Well package version is 2.4.26 right now iwch is newer. But new problems with systemd I guess. I'm not very much familiar with systemd

Stopping ldap (via systemctl):                                  [  OK   ]
awk: cmd. line:1: warning: regexp component `[:space:]' should probably be `[[:space:]]'
Starting ldap (via systemctl):  Failed to issue method call: Unit ldap.service failed to load: No such file or directory. See system logs and 'systemctl status ldap.service' for details.
                                                                [FAILED]
Generating a 1024 bit RSA private key
.................................++++++
.................................................++++++
writing new private key to '/etc/pki/tls/private/ldap.pem'
-----
[root@kaaber anz]# /etc/init.d/ldap restart
Restarting ldap (via systemctl):  Job failed. See system logs and 'systemctl status' for details.
                                                                   [FAILED]
[root@kaaber log]# /etc/init.d/ldap restart
Restarting ldap (via systemctl):  Job failed. See system logs and 'systemctl status' for details.
                                                                                                         [FAILED]
[root@kaaber log]#

/var/log/ldap/ is empty - no log files

Comment 3 Marja Van Waes 2011-10-21 22:31:57 CEST

@ Andres

Thanks a lot :D
I missed that you are on cauldron, I don't know why I saw "1" there, must  be the end of the week :[

BTW, it was Buchan I asked to triage, he is the openldap maintainer ;)

I haven't been around long enough to know how to handle this bug report

Comment 4 Buchan Milne 2011-10-25 15:44:03 CEST

Jul  1 00:11:53 kaaber slapd[11451]: main: TLS init def ctx failed: -1

This usually indicates that the SSL certificates specified in the configuration cannot be loaded (not present, or not readable by ldap user).

I'm not currently running a current cauldron anywhere, or systemd either ...

I would say a systemd bug/issue (e.g. in ldap.service), package is identical on other platforms and has no problems.

Comment 5 Marja Van Waes 2011-10-25 15:52:14 CEST

(In reply to comment #4)
> Jul  1 00:11:53 kaaber slapd[11451]: main: TLS init def ctx failed: -1
> 
> This usually indicates that the SSL certificates specified in the configuration
> cannot be loaded (not present, or not readable by ldap user).
> 
> I'm not currently running a current cauldron anywhere, or systemd either ...
> 
> I would say a systemd bug/issue (e.g. in ldap.service), package is identical on
> other platforms and has no problems.

@ D.Morgan
Do you mind helping with this?

CC: (none) => dmorganec
Source RPM: openldap-servers => openldap-servers, sytemd

Marja Van Waes 2011-10-25 15:52:53 CEST

Source RPM: openldap-servers, sytemd => openldap-servers, systemd

Comment 6 D Morgan 2011-10-27 21:01:40 CEST

i add it on my todolist for soon.

Manuel Hiebel 2011-10-29 19:28:36 CEST

Blocks: (none) => 2120

Comment 7 Marja Van Waes 2011-12-21 20:17:13 CET

(In reply to comment #6)
> i add it on my todolist for soon.

Cauldron changed a lot since the end of october. Is this bug still valid?

Keywords: (none) => NEEDINFO

Comment 8 D Morgan 2012-01-13 23:55:43 CET

still fails here, i *try* to understand what happens

Marja Van Waes 2012-01-16 07:29:29 CET

Keywords: NEEDINFO => (none)

Comment 9 Marja Van Waes 2012-01-16 07:30:46 CET

(In reply to comment #8)
> still fails here, i *try* to understand what happens

Thanks :)

Is it OK if I assign it to you?

Comment 10 D Morgan 2012-01-31 01:10:08 CET

This is not a systemd but at all but would be nice if someone can migrate it to systemd

Comment 11 Mark Meyer 2012-02-06 17:55:52 CET

Created attachment 1502 [details]
Patch to generate a single bundle for the private key and certificate

Comment 12 Mark Meyer 2012-02-06 17:56:43 CET

This is caused by the fact that openldap expects the private key and the certificate in the same file. The patch above addresses that using the RPM SSL helper.

CC: (none) => ofosos

Manuel Hiebel 2012-02-06 19:33:37 CET

Keywords: (none) => PATCH

Comment 13 Buchan Milne 2012-02-07 09:29:35 CET

s/openldap expects/our openldap configuration specifies/


TLSCertificateFile      /etc/pki/tls/private/ldap.pem
TLSCertificateKeyFile   /etc/pki/tls/private/ldap.pem
TLSCACertificateFile    /etc/pki/tls/private/ldap.pem

Which implies there is a different possible fix as well.

The patch here doesn't seem to address fixing the configuration on upgrades.

Would have been nice if whoever switched to using the helper tested sufficiently.

Comment 14 Buchan Milne 2012-02-07 15:29:50 CET

I have committed a fix (r205953) changing the paths in the default config file, and updating the other method of creating a cert (gencert.sh) to have the same behaviour.

This is the better fix (not exposing the server key in a file that needs to be world-readable to be of any value, and not providing bad security practice examples).

I have some other small fixes I would like to ship as well, but I hope to push a new package today or tomorrow.

Status: NEW => ASSIGNED

Marja Van Waes 2012-02-07 16:15:08 CET

Assignee: bugsquad => bgmilne

D Morgan 2012-02-11 03:30:54 CET

Blocks: 2120 => (none)

Comment 15 D Morgan 2012-02-11 03:31:59 CET

@Buchan: btw can you convert openldap to systemd ? you can reuse fedora files i think

D Morgan 2012-02-11 03:32:22 CET

Source RPM: openldap-servers, systemd => openldap-servers

Comment 16 Andres Kaaber 2012-02-14 10:43:22 CET

(In reply to comment #15)
> @Buchan: btw can you convert openldap to systemd ? you can reuse fedora files i
> think

+1

Comment 17 Buchan Milne 2012-04-30 14:43:12 CEST

The package with the changes (r205953) fixing the original issue here was pushed to cauldron on 16 Feb 2012.

Please open separate bugs for conversion to systemd (which I haven't had time for yet).

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.