I've tried about 20 different ways (scripts, by hand, types) of generating keys and certificates for SSL and no matter what I do, or how I configure OpenLDAP, I always get the same SSL error:

    Mar 10 16:56:13 master slapd[6814]: main: TLS init def ctx failed: -1

and slapd refuses to start.

Reproducible: Always

I configure slapd more or less like this:

    TLSCertificateFile /etc/certificates/server.crt
    TLSCertificateKeyFile /etc/certificates/server.key

and the full error is:

    Mar 10 16:56:13 master slapd[6814]: daemon: socket() failed errno=97 (Address family not supported by protocol)
    Mar 10 16:56:13 master slapd[6814]: daemon: socket() failed errno=97 (Address family not supported by protocol)
    Mar 10 16:56:13 master slapd[6814]: sql_select option missing
    Mar 10 16:56:13 master slapd[6814]: auxpropfunc error no mechanism available
    Mar 10 16:56:13 master slapd[6814]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
    Mar 10 16:56:13 master slapd[6814]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
    Mar 10 16:56:13 master slapd[6814]: bdb_db_init: Initializing BDB database
    Mar 10 16:56:13 master slapd[6814]: main: TLS init def ctx failed: -1
    Mar 10 16:56:13 master slapd[6814]: slapd stopped.
    Mar 10 16:56:13 master slapd[6814]: connections_destroy: nothing to destroy.
And the emerge info:

    # emerge info
    Portage 2.0.51.19 (default-linux/x86/2004.3, gcc-3.3.5, glibc-2.3.4.20040808-r1, 2.6.10-gentoo-r6 i686)
    =================================================================
    System uname: 2.6.10-gentoo-r6 i686 AMD Sempron(tm) 2400+
    Gentoo Base System version 1.4.16
    Python:              dev-lang/python-2.3.4-r1 [2.3.4 (#1, Mar 8 2005, 17:24:17)]
    dev-lang/python:     2.3.4-r1
    sys-devel/autoconf:  2.13, 2.59-r6
    sys-devel/automake:  1.5, 1.6.3, 1.4_p6, 1.9.4, 1.8.5-r3, 1.7.9-r1
    sys-devel/binutils:  2.15.92.0.2-r1
    sys-devel/libtool:   1.4.3-r4, 1.5.10-r4
    virtual/os-headers:  2.4.22-r1
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
    CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
    GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://gentoo.eliteitminds.com ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ http://www.gigaload.org/gentoo.org/"
    LANG="en_US.UTF-8"
    LC_ALL="en_US.UTF-8"
    MAKEOPTS="-j2"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    SYNC="rsync://rsync.gentoo.org/gentoo-portage"
    USE="x86 apache2 apm arts authdaemond avi bash-completion berkdb bitmap-fonts bzlib crypt curl curlwrappers emacs emboss encode ethereal fam font-server foomaticdb fortran ftp gd gdbm gif gnome imagemagick imap imlib inifile innodb ipv6 jabber jpeg ldap libg++ libwww mad mbox mhash mikmod mime mng motif mp3 mpeg mysql mysqli ncurses nls ogg oggvorbis opengl oss pam pcre pdflib perl php png posix python quicktime readline sasl sdl session sharedext simplexml spell ssl svg svga tcpd threads tidy tiff truetype truetype-fonts type1-fonts unicode vda vhosts wmf xml xml2 xmlrpc xsl xv zlib"
    Unset:  ASFLAGS, CBUILD, CTARGET, LDFLAGS, PORTDIR_OVERLAY
Hi Pupeno,

This error is a SASL error, not an SSL error. I don't use SASL myself (just plain SSL). The error:

    Mar 10 16:56:13 master slapd[6814]: sql_select option missing
    Mar 10 16:56:13 master slapd[6814]: auxpropfunc error no mechanism available
    Mar 10 16:56:13 master slapd[6814]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

suggests to me that your SASL is misconfigured/broken, as it appears to be doing something with SQL.
Yes, there are SASL errors, but I ignored them since I'm not trying to use SASL. There's no SASL-related configuration on OpenLDAP and the rest of the SASL configuration is the default one shipped with Gentoo. I'm not running saslauthd either. What might be causing the error then?
Note, while this is the error that I get in a TLS/SSL failed start-up:

    Mar 13 14:04:24 master slapd[8935]: sql_select option missing
    Mar 13 14:04:24 master slapd[8935]: auxpropfunc error no mechanism available
    Mar 13 14:04:24 master slapd[8935]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
    Mar 13 14:04:24 master slapd[8935]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
    Mar 13 14:04:24 master slapd[8935]: bdb_db_init: Initializing BDB database
    Mar 13 14:04:24 master slapd[8935]: main: TLS init def ctx failed: -1
    Mar 13 14:04:24 master slapd[8935]: slapd stopped.
    Mar 13 14:04:24 master slapd[8935]: connections_destroy: nothing to destroy.

this is what I got in a non-SSL/TLS successful start-up:

    Mar 13 14:02:11 master slapd[8851]: sql_select option missing
    Mar 13 14:02:11 master slapd[8851]: auxpropfunc error no mechanism available
    Mar 13 14:02:11 master slapd[8851]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
    Mar 13 14:02:11 master slapd[8851]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
    Mar 13 14:02:11 master slapd[8851]: bdb_db_init: Initializing BDB database
    Mar 13 14:02:11 master slapd[8852]: slapd starting

I've touched the configurations as little as possible. This is happening with the out-of-the-box Gentoo configuration.
Firstly, go and compile openldap with USE=-sasl (via /etc/portage/package.use), then run

    /usr/lib/openldap/slapd -u ldap -g ldap -d 65535

to get a more detailed error log, and attach that here.
I've run slapd with your command, and I've analyzed the output. It said it didn't have access to the file. I've checked and re-checked, I was sure it was ok, but I was missing execute privileges in the directory where the certificates are. It was my mistake and I'm sorry for all the trouble. Anyway, I'll submit this bug to the OpenLDAP devs, since showing this error line:

    TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:278

would have been much better than showing this error line:

    main: TLS init def ctx failed: -1

Thank you. I think you can now close this bug report.
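The root cause in the comment above was a directory on the path to the certificates without the execute (search) bit, which slapd only surfaced as "fopen: Permission denied" at debug level 65535. The POSIX shell script below is an added example, not part of this bug report or of OpenLDAP: it walks every directory leading to a certificate or key file and reports the first component the running user cannot traverse, or the file it cannot read. Because slapd drops to the service user (`-u ldap -g ldap` in the thread), run it as that user so the result matches what slapd sees; the script name tls_path_check.sh and the su invocation in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): check that the *current* user can
# reach and read a TLS certificate or key file the way slapd would.
#
# Run it as the user slapd drops privileges to, e.g. (assumed file name):
#   su ldap -s /bin/sh -c '. ./tls_path_check.sh; check_tls_path /etc/certificates/server.key'
# Note: root bypasses directory search bits, so a check run as root will not
# reproduce a permission failure that the ldap user hits.

# check_tls_path FILE
# Returns 0 when every ancestor directory is searchable (x bit) and FILE is
# readable by the running user; otherwise prints the first offending
# component and returns 1.
check_tls_path() {
    file=$1
    # Make the path absolute so the walk starts at /
    case $file in
        /*) ;;
        *)  file=$(pwd)/$file ;;
    esac

    dir=$(dirname "$file")

    # Split the directory into components on '/', then restore IFS.
    # Positional parameters are function-local in POSIX sh.
    oldifs=$IFS; IFS=/; set -- $dir; IFS=$oldifs

    prefix=""
    for part in "$@"; do
        [ -n "$part" ] || continue          # skip empty fields from leading '/'
        prefix="$prefix/$part"
        if [ ! -d "$prefix" ]; then
            echo "missing directory: $prefix"
            return 1
        fi
        # Without x on a directory, open() of anything below it fails with
        # EACCES even when the file mode itself is fine: the thread's mistake.
        if [ ! -x "$prefix" ]; then
            echo "not searchable (no x bit) for $(id -un): $prefix"
            return 1
        fi
    done

    if [ ! -f "$file" ]; then
        echo "missing file: $file"
        return 1
    fi
    if [ ! -r "$file" ]; then
        echo "not readable for $(id -un): $file"
        return 1
    fi
    echo "ok: $file is reachable and readable by $(id -un)"
    return 0
}

# Usage: tls_path_check.sh /path/to/server.key
if [ $# -ge 1 ]; then
    check_tls_path "$1"
fi
```

The check reports the first failing component rather than all of them, which is what you want when fixing a chain of directories one `chmod o+x` at a time; a private key should stay mode 0600 (or 0640 with the service group) and only the directories above it need the search bit for the service user.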
Thanks, marking as invalid since it isn't a bug in openldap (beyond the useless error message).