# Strange OpenLDAP Problems

## ryker

I followed this guide for installing OpenLDAP.  When I got toward the end for starting the service, it wouldn't start.  I have found MANY threads about slapd problems; however, none have addressed this issue.

tail /var/log/messages shows:

```
Feb 16 08:43:44 myalbertsrouter slapd[17421]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Feb 16 08:43:44 myalbertsrouter slapd[17421]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Feb 16 08:43:44 myalbertsrouter slapd[17421]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Feb 16 08:43:44 myalbertsrouter slapd[17421]: main: TLS init def ctx failed: -1
Feb 16 08:43:44 myalbertsrouter slapd[17421]: slapd stopped.
Feb 16 08:43:44 myalbertsrouter slapd[17421]: connections_destroy: nothing to destroy.
```

So, from the message, it looked like the port was already in use.

ps aux | grep slapd shows:

```
root     17559  0.0  0.2   1444   464 pts/0    S+   08:46   0:00 grep slapd
```

The confusing part is, the pid (17559 in this case) is constantly changing.  So it's like the process keeps getting created and destroyed?  Nothing out of the ordinary is in my log unless I run /etc/init.d/slapd start.

Here's my /etc/openldap/slapd.conf:

```
include     /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Use crypt to hash the passwords
password-hash {crypt}

# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

# Further down...

# slapd gentoo init script does'nt make pid correctly
# so we define it here too
pidfile /var/run/openldap/slapd.pid

database        ldbm
suffix          "dc=homelinux,dc=org"
directory       /var/lib/openldap-ldbm
index           objectClass     eq
rootdn          "cn=jamail,dc=homelinux,dc=org"

# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

rootpw {MD5}034VdWzT1rJoHV4vMW/vSA==
```

/etc/openldap/ldap.conf

```
BASE        dc=homelinux, dc=org
URI         ldaps://jamail.homelinux.org:636/
TLS_REQCERT allow
```

/etc/conf.d/slapd:

```
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

and finally, my /etc/ssl/openssl.cnf:

```
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir     = ./demoCA      # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several ctificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
#crlnumber  = $dir/crlnumber    # the current crl number must be
                    # commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = md5           # which md to use.
preserve    = no            # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match

# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

####################################################################
[ req ]
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName         = US
countryName_default     = US
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = Indiana
stateOrProvinceName_default = Indiana

localityName            = Portage

0.organizationName      = Johns Server
0.organizationName_default  = Johns Server

# we can do this but it is not needed normally :-)
#1.organizationName     = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName      = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName          = jamail.homelinux.org
commonName_max          = 64

emailAddress            = alberts@jamail.homelinux.org
emailAddress_max        = 64

# SET-ex3           = SET extension number 3

[ req_attributes ]
challengePassword       = ldapuserpassword
challengePassword_min       = 4
challengePassword_max       = 20

unstructuredName        = Johns Server

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType            = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment           = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl      = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
```

Sorry about the long post.

----------

## cselkirk

*ryker wrote:*

> ```
> Feb 16 08:43:44 myalbertsrouter slapd[17421]: main: TLS init def ctx failed: -1
> ```
> ...

There is a problem with your TLSCertificateFile, or it doesn't exist.

*ryker wrote:*

> ps aux | grep slapd shows:
>
> ```
> root     17559  0.0  0.2   1444   464 pts/0    S+   08:46   0:00 grep slapd
> ```
> ...

This is not the pid of slapd but of the grep. In the future you can use something like the following to return the processes matching the string but exclude the grep:

```
% ps aux |grep "[s]lapd"
```

HTH

----------

## ryker

*Quote:*

> This is not the pid of slapd but of the grep.

:Embarassed:

Thanks for the reply.

When I was following the guide, I did seem to have a problem with this part of it:

```
# cd /etc/ssl
# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999
```

The guide said I would be prompted to answer questions about the certificate, but I wasn't.  So I manually edited /etc/ssl/openssl.cnf.

I posted my openssl.cnf above.  Does it look ok?  Could this be my problem?

----------

## cselkirk

If you manually edited the .cnf file you still won't have created the ldap.pem. The openssl.cnf is just a configuration file, with the values you changed simply changing the default values. The command to create the .pem should have worked (that is, you should have been asked a number of questions) and I can't think why it didn't; please make sure you typed the command correctly and try again.

----------

## ryker

The commands I posted above are exactly what I typed in.

```
# cd /etc/ssl
# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999
```

Actually, I copy and pasted it so I knew there were no typos.  Is the openssl ... command what you were referring to?  It didn't show any errors.

I just tried it again and still no dice.  I checked to make sure that /etc/openldap/ssl/ldap.pem is there, and there was an old one there already.  I forgot I created one a long time ago for my mail server (on same machine).  I deleted the certificate and ran the openssl ... command again.  It didn't show any errors, but it also didn't create the ldap.pem file.  Shouldn't it have shown some errors at least?

----------

## cselkirk

I would say from the sounds of things your openssl is broken. I could make guesses as to why (aggressive CFLAGS perhaps?). You did say you edited the .cnf after first trying to run the command unsuccessfully?

----------

## ryker

I don't think I have anything set too aggressively.  Here's the output of emerge info:

```
Portage 2.0.51-r15 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.5-gentoo-r1 i686)
=================================================================
System uname: 2.6.5-gentoo-r1 i686 Pentium III (Katmai)
Gentoo Base System version 1.6.9
Python:              dev-lang/python-2.3.4-r1 [2.3.4 (#2, Feb 10 2005, 00:14:03)]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.4-r1
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r2
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.4.22
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://gentoo.chem.wisc.edu/gentoo/ ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 acpi4linux aliaschain apache2 apm berkdb bitmap-fonts clamav cpdflib crypt cups curl curlwrappers dba esd extensions f77 font-server foomaticdb fortran fwdzone gd gdbm gif gpm imagemagick imap ipv6 jpeg ldap libg++ libwww maildir mcal memlimit mime mmx multipleip mysql ncurses nls oav offensive pam pcntl perl php png python qmail readline samba sdl session slang soap spamassassin spell spl sqlite sse ssl svga tcpd tidy tiff tokenizer truetype-fonts type1-fonts vhosts virus-scan vpopmail xml xml2 zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS
```

As you can see, my cflags are typical.  Of course, I am using ~x86.

----------

## j-m

http://www.openldap.org/faq/data/cache/652.html  :Idea:

Regarding the second error - your SSL certificate is incorrect.

```
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem  :Exclamation:
TLSCACertificateFile /etc/ssl/ldap.pem
```
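The `TLS init def ctx failed: -1` line in the first post is what slapd logs when it cannot load the files named by its TLS directives, and the thread's diagnosis turns on whether those files actually exist and belong together. The script below is an added example, not from the thread or from OpenLDAP: it reads the `TLS*` directives out of a slapd.conf, reports any path that is missing or empty, and, when `openssl` is installed, confirms that the certificate and the RSA key share a modulus (the check that a cert was signed with the key in the other file). The slapd.conf contents and all paths are constructed under a temporary directory so the script runs stand-alone; `directive`, `check_tls_files` and `key_matches_cert` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the forum thread or OpenLDAP itself: a pre-start
# check for the TLS* directives in slapd.conf.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/etc/ssl" "$WORK/etc/openldap/ssl"

# Constructed slapd.conf with the same three TLS directives as the thread,
# rooted in the temp dir so nothing outside it is touched.
cat > "$WORK/slapd.conf" <<EOF
TLSCertificateFile $WORK/etc/ssl/ldap.pem
TLSCertificateKeyFile $WORK/etc/openldap/ssl/ldap.pem
TLSCACertificateFile $WORK/etc/ssl/ldap.pem
pidfile $WORK/run/slapd.pid
EOF

# directive CONF KEY: print the value of the first line whose first word is KEY.
directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_tls_files CONF: every TLS* path named in CONF must be a non-empty
# regular file. Prints each offender; returns 1 if any is missing, else 0.
check_tls_files() {
    rc=0
    for key in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        path=$(directive "$1" "$key")
        [ -n "$path" ] || continue
        if [ ! -s "$path" ]; then
            echo "$key: $path is missing or empty"
            rc=1
        fi
    done
    return $rc
}

# key_matches_cert CERT KEY: compare RSA moduli of an X.509 cert and a private
# key. Returns 0 on match, 1 on mismatch or unreadable input. If openssl is
# not installed the check is skipped and reported as such (returns 0).
key_matches_cert() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping key/cert match check"
        return 0
    fi
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Stand-alone run: with no certificate files written yet, the check reports
# the two missing paths, which is the state slapd was started in.
if check_tls_files "$WORK/slapd.conf"; then
    key_matches_cert "$(directive "$WORK/slapd.conf" TLSCertificateFile)" \
                     "$(directive "$WORK/slapd.conf" TLSCertificateKeyFile)" \
        && echo "certificate and key match"
else
    echo "slapd would fail TLS init with this configuration"
fi
```

Against a real installation, point `WORK`-rooted paths at `/etc/openldap/slapd.conf` and the files it names; the `openssl req ... -out ldap.pem -keyout /etc/openldap/ssl/ldap.pem` command from the guide is expected to leave both files non-empty and passing the modulus comparison.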

----------

## ryker

*j-m wrote:*

> http://www.openldap.org/faq/data/cache/652.html
>
> Regarding the second error - your SSL certificate is incorrect.
>
> TLSCertificateFile /etc/ssl/ldap.pem
> ...

The first error probably is an ipv6 error.  Good thing that can be ignored.  But for the second problem, this is directly from the guide I followed from my first post.  Is this incorrect?  I found a program in /etc/ssl/gencert.sh that when I ran, asked me all of the questions and generated an ldap.pem file.  I tried copying that to the 2 directories mentioned above, but it still didn't work.

----------

