On Sun, 25 Jan 2009, Technical Home wrote:
[given]
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem
[we get]
r...@server:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
bui...@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
main: TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.
[which is]
ssl.h, 207 code refers to the macro "#define SSL_F_SSL_VERIFY_CERT_CHAIN"
Are you sure that all of these files are readable as group/user
"openldap"?
Make sure that those options really are present/being parsed properly,
perhaps by setting debug level "config" and/or looking for open() with
strace or similar. Actually, a strace on open() would be the appropriate
test for my EPERM theory, too. If they're not....upgrade to the latest
available version. There were some back-config fixes in 2.4.13, for
example.
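The two checks suggested in the reply above (are the three olcTLS* files readable as the service user, and which open() calls does slapd actually make), as an added shell example that is not part of the original thread or of OpenLDAP. It assumes GNU stat(1) on Linux, a service user and group both named openldap (as on the poster's command line), and it models only the classic mode bits: it does not know that root bypasses DAC, and it takes one group name as an argument rather than looking up supplementary groups, so pass the group you want to test membership of. The strace helper is meant to be run on the server itself as root and is not executed by the readability check.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of OpenLDAP or the thread):
# emulate the permission check the kernel does when a process running as
# USER (primary group GROUP) opens PATH for reading, including the 'x'
# (search) bit on every parent directory, which is where private key
# directories such as /etc/ssl/private usually bite.
#
# Assumes GNU stat(1): %U owner name, %G group name, %a octal mode.

# has_bit FILE USER GROUP BIT : succeed if USER/GROUP holds BIT (4=r 2=w 1=x) on FILE
has_bit() {
  _f=$1; _u=$2; _g=$3; _b=$4
  [ -e "$_f" ] || return 1
  set -- $(stat -c '%U %G %a' "$_f")          # owner group mode
  _mode=$(printf '%03d' "$3")                 # pad "0" -> "000"
  _mode=${_mode#"${_mode%???}"}               # keep the last three octal digits
  if   [ "$1" = "$_u" ]; then _i=1            # owner triplet applies
  elif [ "$2" = "$_g" ]; then _i=2            # group triplet applies
  else _i=3; fi                               # "other" triplet applies
  _d=$(printf '%s' "$_mode" | cut -c"$_i")
  [ $(( _d & _b )) -ne 0 ]
}

# path_readable_by PATH USER GROUP : succeed if USER/GROUP could open PATH read-only
path_readable_by() {
  _p=$1; _user=$2; _group=$3
  [ -e "$_p" ] || { echo "missing: $_p" >&2; return 1; }
  _dir=$(dirname "$_p")
  # every directory on the way down needs search permission ('x')
  while [ "$_dir" != / ] && [ "$_dir" != . ]; do
    has_bit "$_dir" "$_user" "$_group" 1 ||
      { echo "no search permission on $_dir for $_user:$_group" >&2; return 1; }
    _dir=$(dirname "$_dir")
  done
  has_bit "$_p" "$_user" "$_group" 4 ||
    { echo "not readable: $_p for $_user:$_group" >&2; return 1; }
}

# check_tls_files [USER] [GROUP] : apply the check to the three paths from the
# posted olcTLS* configuration (defaults: the openldap user and group).
check_tls_files() {
  _rc=0
  for _f in /etc/ssl/certs/cacert.pem \
            /etc/ssl/certs/SERVER.crt \
            /etc/ssl/private/cakey.pem; do
    path_readable_by "$_f" "${1:-openldap}" "${2:-openldap}" || _rc=1
  done
  return $_rc
}

# trace_slapd_opens : run slapd under strace and show what it tried to open
# and which of those calls failed. Run on the server as root; the trace file
# name is an assumption. Older libc uses open(), newer uses openat(), so
# trace both.
trace_slapd_opens() {
  strace -f -e trace=open,openat -o /tmp/slapd-open.trace \
    slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' \
          -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
  grep -E '\.(pem|crt|key)"|= -1 E' /tmp/slapd-open.trace
}

# Only run the live check when asked, so sourcing the file has no side effects.
if [ "${1-}" = --check ]; then check_tls_files; fi
```

If the check fails on the directory rather than on the file, rerun it with the directory's group (on Debian, /etc/ssl/private is mode 0710 owned by root:ssl-cert, so `check_tls_files openldap ssl-cert` tells you whether adding openldap to ssl-cert would be enough). The strace output is the ground truth: a line ending in `= -1 EACCES` or `= -1 ENOENT` for one of the certificate paths confirms the permission theory, while no open() of those paths at all points at the options not being parsed, which is what `slapd -d config` will show.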