Hi, When openldap is linked with gnutls for TLS support, a file containing CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile parameter).
The following code in ldap_int_tls_init_ctx() (librairies/libldap/tls.c) prevents the daemon to start when the option is used: if ( lo->ldo_tls_crlfile ) { rc = gnutls_certificate_set_x509_crl_file( ((tls_ctx*) lo->ldo_tls_ctx)->cred, crlfile, GNUTLS_X509_FMT_PEM ); if ( rc < 0 ) goto error_exit; } because gnutls_certificate_set_x509_crl_file() returns the number of CRL files that have been imported which is stored in rc and returned later in the function. Caller expects 0, otherwise it reports an error, the value of rc (below, with 3 CRL in the file) and slapd fails to start: .... main TLS init def ctx failed: 3 The patch below is for 2.4.10, but should apply against all versions (it applies fine against current Debian version available under Unstable). Tell me if you have issues. I recompiled the Debian version with the patch applied and it works as expected. Cheers, a+
Index: openldap-2.4.10/libraries/libldap/tls.c =================================================================== --- openldap-2.4.10.orig/libraries/libldap/tls.c 2008-06-24 16:10:00.128945991 +0200 +++ openldap-2.4.10/libraries/libldap/tls.c 2008-06-24 16:11:46.804929042 +0200 @@ -754,7 +754,10 @@ ((tls_ctx*) lo->ldo_tls_ctx)->cred, crlfile, GNUTLS_X509_FMT_PEM ); - if ( rc < 0 ) goto error_exit; + if ( rc < 0 ) + goto error_exit; + else + rc = 0; } if ( is_server ) { gnutls_dh_params_init (&((tls_ctx*)
pgpKyonLn2Nz8.pgp
Description: PGP signature