# OpenLDAP Fails to Start



## rtwingfield (Jul 11, 2011)

I've added the following directives to slapd.conf,

```
logfile /var/log/slapd.log
loglevel 256
```
but /var/log/slapd.log is not created when "/usr/local/etc/rc.d/slapd start" is run.  The only clues are in /var/log/messages:

```
Jul 11 13:56:21 archaxis slapd[61085]: sql_select option missing
Jul 11 13:56:21 archaxis slapd[61085]: auxpropfunc error no mechanism available
```
I'm assuming that _enough_ of the slapd failed to start that it could not start logging to the named logfile, i.e., slapd.log.  Regardless, what is the significance of the messages in the /var/log/messages file?

The installation of the openldap-sasl-client-2.4.23 apparently directed the installation of Cyrus SASL 2.1.23_1, and during the associated make, a config options panel allowed the selection of the Berkeley DB or MySQL.  Well, not expecting this (due to my lack of general knowledge) I opted for the MySQL DB because I use it _everywhere_.

The following code from the slapd.conf seems to indicate that the slapd should expect to use the Berkeley DB rather than MySQL.  Also, there are no MySQL _backend_ modules in /usr/local/libexec/openldap

```
# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb


#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=archaxis,dc=net"
rootdn          "cn=Manager,dc=archaxis,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq
```

Since posting the above, I have discovered the following by running /usr/local/libexec/slapd -d1 (STDERR and/or debug info output to the console and named log file, too):


```
TLS: could not use certificate `/usr/local/etc/openldap/.certificates/cert.crt'.
TLS: error:02001002:system library:fopen:No such file or directory /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:352
TLS: error:20074002:BIO routines:FILE_CTRL:system lib /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:354
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:470
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
```
Obviously this was a certificate problem.  I still don't understand the messages that were only logged in the /var/log/messages log because they certainly do not allude to any problem with the certificate or the fact that it could not be found; regardless, by pointing the TLSCACertificateFile directive to the correct CACERT file, /usr/local/etc/openldap/.certificates/*ca*cert.crt, the slapd will start and run.


RE: slapd.conf

```
#TLSCertificateFile   /usr/local/etc/openldap/.certificates/cert.crt   # does not like this!
TLSCertificateKeyFile /usr/local/etc/openldap/.certificates/cert.key
TLSCACertificateFile  /usr/local/etc/openldap/.certificates/cacert.crt
```

This document, http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html, indicates that the three TLSCertificate* directives should be used, but I've found that, as indicated above, the slapd will complain if `TLSCertificateFile /usr/local/etc/openldap/.certificates/cert.crt` is used.

. . .so moving on to solving this problem:

```
backend_startup_one: starting "dc=archaxis,dc=net"
bdb_db_open: warning - no DB_CONFIG file found in directory /var/db/openldap-data: (2).
Expect poor performance for suffix "dc=archaxis,dc=net".
bdb_db_open: database "dc=archaxis,dc=net": dbenv_open(/var/db/openldap-data).
slapd starting
```
Regarding the "poor performance" thing, I created the /var/db/openldap-data/DB_CONFIG file (see slapd-bdb(5)) with the following directives:

```
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
```

I have now observed that /usr/local/libexec/slapd -d1 will start the slapd, but an attempt to start from the /etc/rc.d, e.g., /usr/local/etc/rc.d/slapd start will fail, and again the only diagnostics are in /var/log/messages, i.e., 

```
Jul 11 22:26:10 archaxis slapd[63909]: sql_select option missing
Jul 11 22:26:10 archaxis slapd[63909]: auxpropfunc error no mechanism available
```

I'm totally puzzled by this one . . . probably not seeing the _forest for the trees_.  Again, all suggestions are much appreciated!


----------



## SirDice (Jul 12, 2011)

rtwingfield said:

> I've added the following directives to slapd.conf,
> 
> ```
> logfile /var/log/slapd.log
> ...


The ldap user that openldap runs as isn't allowed to write there. Create a log directory /var/log/ldap/ and make sure the ldap user is able to write there. Then log into that directory.


----------



## rtwingfield (Jul 12, 2011)

*LDAP Logs*

If I understand your suggestion:


> The ldap user where openldap runs on isn't allowed to write there. Create a log directory /var/log/ldap/ and make sure the ldap user is able to write there. Then log into that directory.


. . . I'm already doing that, only I've named it /var/log/slapd.log. The problem is that the only way I can currently start the slapd is to run `# /usr/local/libexec/slapd -d1` from a command line (i.e., fork and wait).  Conversely, the slapd fails to start if the start is attempted by running `/usr/local/etc/rc.d/slapd start` (i.e., fork a background process . . . the daemon, and return) . . . resulting in the following log entries in /var/log/messages:

```
Jul 12 13:21:06 archaxis slapd[72458]: sql_select option missing
Jul 12 13:21:06 archaxis slapd[72458]: auxpropfunc error no mechanism available
```

Can this (probably) be attributed to a permissions problem somewhere?  . . . or a missing PATH directive?


----------



## a931 (Sep 15, 2011)

Let me join the author of the thread.
The problem is at the first start of the LDAP server.
Configuration:


```
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema


pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
#moduleload     back_ldbm
moduleload      back_bdb
# moduleload    back_hdb
moduleload      back_ldap

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by anonymous read
        by * none

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=saf-vpn,dc=test,dc=ru"
rootdn          "cn=root,dc=saf-vpn,dc=test,dc=ru"


# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}######################################### 
logfile         /var/log/ldap/slapd.log
loglevel        256

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data

# Indices to maintain
index   objectClass     eq
index   cn      eq
```

start:

```
/usr/local/etc/rc.d/slapd start
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
```

Test config file: `/usr/local/libexec/slapd -Tt`

```
bdb_db_open: database "dc=saf-vpn,dc=test,dc=ru": db_open(/var/db/openldap-data/id2entry.bdb) failed: No such file or directory (2).
backend_startup_one (type=bdb, suffix="dc=saf-vpn,dc=test,dc=ru"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
```


Can you tell me how to solve this problem?


----------



## a931 (Sep 15, 2011)

Log file is not created.


----------



## Devi1903 (Sep 22, 2011)

You need to manually create the log file and restart syslogd.


```
# touch /var/log/slapd.log
# /etc/rc.d/syslogd restart
```


----------
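A pre-flight script, added here as an editor's example and not part of OpenLDAP, the FreeBSD port, or any post in this thread, that mechanises the checks the thread arrived at by hand: rtwingfield's missing TLS certificate file (which only `slapd -d1` revealed), the bdb `directory` and `DB_CONFIG` warnings, a931's `db_open` failure on the database directory, and the log-file question SirDice and Devi1903 answered. One point worth stating explicitly: the `logfile` directive in slapd.conf only records the debug output produced by `-d`; what `loglevel` selects is sent to syslog (facility LOCAL4 unless slapd is started with `-l`), so a file only appears once syslog.conf routes local4 somewhere, which is why Devi1903's `touch` plus syslogd restart is needed. The function names, the script name `slapd-preflight.sh`, and the paths in the comments are this example's own assumptions.

```shell
#!/bin/sh
# slapd-preflight.sh: sanity checks for an OpenLDAP 2.4 slapd.conf before
# "/usr/local/etc/rc.d/slapd start".  Added example, not part of OpenLDAP or
# the FreeBSD port; function and file names are this script's own.
# Usage: sh slapd-preflight.sh /usr/local/etc/openldap/slapd.conf [/etc/syslog.conf]
# Run it as the user slapd runs as (the FreeBSD rc script uses "ldap"),
# because every permission test below uses the caller's identity.

# conf_value FILE DIRECTIVE: print the value of the first uncommented
# occurrence of DIRECTIVE (slapd.conf directives are case-insensitive),
# stripped of surrounding double quotes.  Prints nothing if it is absent.
conf_value() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == d { print $2; exit }' "$1" | sed 's/^"//; s/"$//'
}

# check_tls_files CONF: each TLS* file directive that is set must name a
# readable file.  An unreadable one aborts startup with
# "TLS init def ctx failed: -1", which is only visible with slapd -d1.
check_tls_files() {
    rc=0
    for d in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        f=$(conf_value "$1" "$d")
        [ -z "$f" ] && continue
        if [ ! -r "$f" ]; then
            echo "$d: $f is missing or not readable by $(id -un)"
            rc=1
        fi
    done
    return $rc
}

# check_db_dir CONF: the bdb "directory" must exist and be writable; mode 700
# and a DB_CONFIG file are recommended, so their absence is only a warning
# (a missing DB_CONFIG is what produces the "Expect poor performance" line).
check_db_dir() {
    dir=$(conf_value "$1" directory)
    if [ -z "$dir" ]; then
        echo "directory: no directory directive found"
        return 1
    fi
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "directory: $dir does not exist or is not writable by $(id -un)"
        return 1
    fi
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] \
        || echo "directory: $dir is not mode 700 (warning)"
    [ -f "$dir/DB_CONFIG" ] || echo "directory: $dir/DB_CONFIG absent (warning)"
    return 0
}

# check_logfile CONF: "logfile" only receives -d debug output, but if it is
# set its directory must still be writable or slapd cannot open it.
check_logfile() {
    f=$(conf_value "$1" logfile)
    [ -z "$f" ] && return 0
    d=$(dirname "$f")
    if [ ! -d "$d" ] || [ ! -w "$d" ]; then
        echo "logfile: $d is not writable by $(id -un)"
        return 1
    fi
    return 0
}

# check_syslog SYSLOG_CONF: "loglevel" output is sent to syslog facility
# local4 by default, so syslog.conf needs a local4 selector or nothing is filed.
check_syslog() {
    if ! grep -q '^[^#]*local4\.' "$1" 2>/dev/null; then
        echo "syslog: no local4 selector in $1; loglevel output will not be filed"
        return 1
    fi
    return 0
}

# preflight CONF [SYSLOG_CONF]: run every check; the return value is the
# number of hard failures (warnings do not count).
preflight() {
    fails=0
    check_tls_files "$1" || fails=$((fails + 1))
    check_db_dir "$1" || fails=$((fails + 1))
    check_logfile "$1" || fails=$((fails + 1))
    check_syslog "${2:-/etc/syslog.conf}" || fails=$((fails + 1))
    return $fails
}

if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

The checks run as whoever invokes the script, so `su -m ldap -c 'sh slapd-preflight.sh /usr/local/etc/openldap/slapd.conf'` reproduces what the rc script's ldap user sees, whereas root passes every permission test. The script does not start slapd or touch the database, and it reads only the first value of each directive, so a slapd.conf with several `database` sections needs its later `directory` lines checked separately.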



## wmoreno3 (Jun 6, 2012)

*sql_select option missing, auxpropfunc error no mechanism available*

My server slapd appears to be ready, but the messages

```
sql_select option missing, auxpropfunc error no mechanism available
```

are displayed.


```
server# /usr/local/etc/rc.d/slapd restart
Stopping slapd.
Waiting for PIDS: 2614.
Starting slapd.
server#
server# dmesg -a
Jun  6 11:54:48 server slapd[2719]: sql_select option missing
Jun  6 11:54:48 server slapd[2719]: auxpropfunc error no mechanism available
server# /usr/local/libexec/slapd -Tt
config file testing succeeded
server#
server# /usr/local/etc/rc.d/slapd status
slapd is running as pid 2720.
server#
```
I don't know what is happening.


----------

