# OpenLDAP suddenly fails to start



## NuLL3rr0r (Apr 27, 2015)

Hi,

Today one of my LDAP servers stopped working out of the blue and unfortunately it won't start anymore:
`service slapd restart`

```
slapd not running? (check /var/run/openldap/slapd.pid).
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
```
And here is the log:

```
Apr 27 14:01:57 core slapd[41063]: main: TLS init def ctx failed: -1
Apr 27 14:01:57 core slapd[41063]: slapd stopped.
Apr 27 14:01:57 core slapd[41063]: connections_destroy: nothing to destroy.
```
The only thing I've done on this server was updating all ports last night. I even checked /usr/ports/UPDATING for anything I should take care of before the update process.

Despite the fact that I enabled loglevel 256 (0x100), it won't go verbose. But I realized that when I comment out the following lines in my /usr/local/etc/openldap/slapd.conf it starts just fine:

```
security ssf=128      # The server still starts, but this should be commented out, otherwise it cannot authenticate
#TLSCertificateFile /path/to/.crt
#TLSCertificateKeyFile /path/to/.key
#TLSCACertificateFile /path/to/.crt
```

I checked the path and permissions and it was OK. Moreover, I did rebuild both net/openldap24-server and net/openldap24-client without any luck. By the way, these are the options used to build OpenLDAP:

```
[X] BDB
[X] DYNAMIC_BACKENDS
[X] MDB
[X] SYNCPROV
```
And if it helps, I do not have OpenSSL from ports installed and just stick with the one from base.

I'm going crazy over this. Any ideas folks?


----------



## Crest (Apr 27, 2015)

Start slapd with -d -1 for max. details.


----------



## NuLL3rr0r (Apr 28, 2015)

Crest said:

> Start slapd with -d -1 for max. details.
Thanks, it did the trick.

```
TLS: could not load verify locations (file:`/path/to/.crt',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:169
TLS: error:2006D002:BIO routines:BIO_new_file:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:174
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274
553f49b0 main: TLS init def ctx failed: -1
553f49b0 slapd destroy: freeing system resources.
553f49b0 slapd stopped.
553f49b0 connections_destroy: nothing to destroy.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
```

I realized that it was a permission error; now I recall I messed with the certificate folders' and files' permissions a few days ago. I thought putting 0400 permission on them was a good idea.

In addition to the +r permission, the folder has to have the +x permission. I had to set the permissions for all users.

```
drwxr-xr-x root  wheel  {FOLDER}
-r--r--r-- root  wheel {CERT_FILES}
```

Since I use one single certificate for all my services, maybe it's better to create an SSL group and add all required users to that group, and then make the SSL group the owner.

Thanks again.
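The permission rule the thread arrives at (read on each certificate/key file, search/execute on every directory above it, for whichever class slapd's account falls into) can be audited before restarting slapd. The script below is an added example and not part of the thread or of OpenLDAP; it assumes a POSIX sh with an ls(1) that accepts -L, and that slapd runs as an unprivileged user that is either in the "other" class (the default, matching the root:wheel ownership in the post) or, if you follow the post's suggestion of a dedicated SSL group, in the owning group (pass "group" as the second argument). The fixture directory, file names and modes inside `demo_permission_repair` are constructed for the demonstration.

```sh
#!/bin/sh
# Audit whether slapd's account can reach its TLS files. A 0400 file or a
# 0700 directory owned by root:wheel yields the "fopen: Permission denied"
# in the post. Assumptions (example code, not from the thread): POSIX sh,
# ls -L available, slapd is not root, class is "other" unless stated.

# has_perm PATH BIT CLASS: succeed if PATH grants BIT (r, w or x) to CLASS
# (user, group or other). Setuid/setgid/sticky letters occupy the x slot:
# lowercase s/t means x is set, uppercase S/T means it is not.
has_perm() {
    mode=$(ls -ldL "$1" 2>/dev/null | cut -c2-10)
    [ -n "$mode" ] || return 1
    case $3 in
        user)  bits=$(printf '%s' "$mode" | cut -c1-3) ;;
        group) bits=$(printf '%s' "$mode" | cut -c4-6) ;;
        *)     bits=$(printf '%s' "$mode" | cut -c7-9) ;;
    esac
    case $2 in
        x) case $bits in *x*|*s*|*t*) return 0 ;; esac ;;
        *) case $bits in *"$2"*) return 0 ;; esac ;;
    esac
    return 1
}

# check_cert_path PATH [CLASS]: walk from the root down to PATH, reporting
# every directory that lacks x and the file itself if it lacks r, with the
# chmod that would repair it. Returns 0 when everything is reachable.
check_cert_path() {
    target=$1
    class=${2:-other}
    who=$(printf '%s' "$class" | cut -c1)   # u, g or o for chmod
    case $target in /*) ;; *) target=$(pwd)/$target ;; esac
    status=0
    dir=$(dirname "$target")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if ! has_perm "$dir" x "$class"; then
            echo "missing x for $class on directory $dir (fix: chmod ${who}+x '$dir')"
            status=1
        fi
        dir=$(dirname "$dir")
    done
    if [ ! -e "$target" ]; then
        echo "missing file $target"
        return 1
    fi
    if ! has_perm "$target" r "$class"; then
        echo "missing r for $class on file $target (fix: chmod ${who}+r '$target')"
        status=1
    fi
    return $status
}

# demo_permission_repair: rebuild the post's situation on a constructed
# fixture (0700 directory, 0400 certificate) in a temp directory, confirm it
# is flagged, apply the post's fix (0755 / 0444) and re-check. Returns 0 if
# the broken layout fails the audit and the repaired one passes.
demo_permission_repair() {
    top=$(mktemp -d) || return 1
    chmod 755 "$top"
    mkdir "$top/openldap" && : > "$top/openldap/server.crt"
    chmod 700 "$top/openldap"
    chmod 400 "$top/openldap/server.crt"
    if check_cert_path "$top/openldap/server.crt" other; then
        echo "expected the 0700/0400 layout to be flagged"
        rm -rf "$top"
        return 1
    fi
    chmod 755 "$top/openldap"
    chmod 444 "$top/openldap/server.crt"
    check_cert_path "$top/openldap/server.crt" other
    result=$?
    rm -rf "$top"
    return $result
}
```

On a real host, run `check_cert_path /usr/local/etc/openldap/server.crt other` (or `group` once the files are owned by an SSL group that slapd's user belongs to) and fix only the entries it lists; the walk from the root matters because a missing search bit on any ancestor directory, not just the certificate folder, produces the same error.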


----------

