When trying to initialise Master/Slave it is failing and I am getting the following:
I am unable to complete the system configuration.
Oct 2 08:51:00 kor-srv-pxy webconfig: Redirecting to /bin/systemctl restart slapd.service
Oct 2 08:51:00 kor-srv-pxy systemd: Starting OpenLDAP Server Daemon...
Oct 2 08:51:00 kor-srv-pxy prestart.sh: Configuration directory '/etc/openldap/slapd.d' does not exist.
Oct 2 08:51:00 kor-srv-pxy prestart.sh: Warning: Usage of a configuration file is obsolete!
Oct 2 08:51:00 kor-srv-pxy systemd: slapd.service: control process exited, code=exited status=1
Oct 2 08:51:00 kor-srv-pxy systemd: Failed to start OpenLDAP Server Daemon.
Oct 2 08:51:00 kor-srv-pxy systemd: Unit slapd.service entered failed state.
Oct 2 08:51:00 kor-srv-pxy systemd: slapd.service failed.
Oct 2 08:51:00 kor-srv-pxy webconfig: Job for slapd.service failed because the control process exited with error code. See "systemctl status slapd.service" and "journalctl -xe" for details.
systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2018-10-02 08:51:00 BST; 43s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 8628 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
Process: 8610 ExecStartPre=/usr/libexec/openldap/prestart.sh (code=exited, status=0/SUCCESS)
Oct 02 08:51:00 kor-srv-pxy.avx.com runuser[8614]: pam_unix(runuser:session): session opened for user ldap b...d=0)
Oct 02 08:51:00 kor-srv-pxy.avx.com runuser[8614]: pam_unix(runuser:session): session closed for user ldap
Oct 02 08:51:00 kor-srv-pxy.avx.com slapd[8628]: @(#) $OpenLDAP: slapd 2.4.44 (Jul 4 2018 20:05:05) $
[email protected]:/builddir/build/...lapd
Oct 02 08:51:00 kor-srv-pxy.avx.com slapd[8628]: main: TLS init def ctx failed: -1
Oct 02 08:51:00 kor-srv-pxy.avx.com slapd[8628]: slapd stopped.
Oct 02 08:51:00 kor-srv-pxy.avx.com slapd[8628]: connections_destroy: nothing to destroy.
Oct 02 08:51:00 kor-srv-pxy.avx.com systemd[1]: slapd.service: control process exited, code=exited status=1
Oct 02 08:51:00 kor-srv-pxy.avx.com systemd[1]: Failed to start OpenLDAP Server Daemon.
Oct 02 08:51:00 kor-srv-pxy.avx.com systemd[1]: Unit slapd.service entered failed state.
Oct 02 08:51:00 kor-srv-pxy.avx.com systemd[1]: slapd.service failed.
I am unable to complete the system configuration.
Do you mind if we dig further, as ClearCenter are trying to find the root cause of the bug? My instructions were bad in the other thread. As you noticed, it should have been:
mkdir /etc/openldap/certs/old
mv /etc/openldap/certs/*.pem /etc/openldap/certs/old
cp /etc/pki/CA/bootstrap.crt /etc/openldap/certs/clearos-ca-cert.pem
cp /etc/pki/CA/bootstrap.crt /etc/openldap/certs/clearos-cert.pem
cp /etc/pki/CA/bootstrap.key /etc/openldap/certs/clearos-key.pem
chgrp ldap /etc/openldap/certs/*.pem
systemctl start slapd.service
Anyway, what is the output of:
openssl x509 -noout -modulus -in /etc/pki/CA/bootstrap.crt | openssl md5
openssl rsa -noout -modulus -in /etc/pki/CA/bootstrap.key | openssl md5
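An added example (not from the thread's author or from ClearOS): a small POSIX shell checker that automates the modulus comparison above against the certificate and key file names used in this thread, so a mismatch of the kind slapd reports as "key values mismatch" is caught before the service is started. The directory argument and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or ClearOS): verify that an X.509
# certificate and an RSA private key belong together, which is exactly the
# check the openssl commands above perform by hand. slapd's
# "X509_check_private_key:key values mismatch" error means this check failed.

# Modulus of a PEM certificate, as "Modulus=..." on stdout; fails on error.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1"
}

# Modulus of a PEM RSA private key (PKCS#1 or PKCS#8). Assumes RSA, as the
# bootstrap key in the thread is; an EC key would need "openssl pkey" instead.
key_modulus() {
    openssl rsa -noout -modulus -in "$1"
}

# Short fingerprint for display, same form as the thread's "| openssl md5".
modulus_md5() {
    printf '%s\n' "$1" | openssl md5 | awk '{print $NF}'
}

# Exit 0 if cert $1 and key $2 share a modulus, 1 otherwise (including when
# either file is missing or unreadable, so two missing files never "match").
cert_key_match() {
    c=$(cert_modulus "$1") && [ -n "$c" ] || return 1
    k=$(key_modulus "$2") && [ -n "$k" ] || return 1
    [ "$c" = "$k" ]
}

# Check the pair slapd is configured with. The directory is an argument
# (assumed here) so the check can be run on a copy; the file names are the
# ones used in the thread.
check_ldap_certs() {
    dir=${1:-/etc/openldap/certs}
    cert="$dir/clearos-cert.pem"
    key="$dir/clearos-key.pem"
    if cert_key_match "$cert" "$key"; then
        echo "OK: $cert and $key match (modulus md5 $(modulus_md5 "$(cert_modulus "$cert")"))"
        return 0
    fi
    echo "MISMATCH: $cert does not match $key; slapd TLS init will fail" >&2
    return 1
}
```

Run it as `check_ldap_certs` on the server, or `check_ldap_certs /some/copy` on copied files; a non-zero exit is the same condition slapd refuses to start on.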
Nick
This is going to be a standalone, we're not going down the Master/Slave route
journalctl -xe
Oct 02 10:30:34 kor-srv-pxy.avx.com systemd[1]: slapd.service: control process exited, code=exited status=1
Oct 02 10:30:34 kor-srv-pxy.avx.com systemd[1]: Failed to start OpenLDAP Server Daemon.
-- Subject: Unit slapd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit slapd.service has failed.
--
-- The result is failed.
Oct 02 10:30:34 kor-srv-pxy.avx.com systemd[1]: Unit slapd.service entered failed state.
Oct 02 10:30:34 kor-srv-pxy.avx.com systemd[1]: slapd.service failed.
Oct 02 10:30:34 kor-srv-pxy.avx.com servicewatch[15801]: restarting slapd
Oct 02 10:30:37 kor-srv-pxy.avx.com sudo[15960]: clearsync : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/tr
Oct 02 10:30:37 kor-srv-pxy.avx.com events[15962]: openldap_online - event occurred
Oct 02 10:30:37 kor-srv-pxy.avx.com events[15965]: openldap_online - triggered hook: mail
Oct 02 10:30:42 kor-srv-pxy.avx.com events[15968]: openldap_online - triggered hook: samba
Oct 02 10:35:01 kor-srv-pxy.avx.com systemd[1]: Started Session 74 of user root.
-- Subject: Unit session-74.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-74.scope has finished starting up.
--
-- The start-up result is done.
Oct 02 10:35:01 kor-srv-pxy.avx.com systemd[1]: Starting Session 74 of user root.
-- Subject: Unit session-74.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-74.scope has begun starting up.
Oct 02 10:35:01 kor-srv-pxy.avx.com systemd[1]: Started Session 75 of user root.
-- Subject: Unit session-75.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-75.scope has finished starting up.
--
-- The start-up result is done.
Oct 02 10:35:01 kor-srv-pxy.avx.com systemd[1]: Starting Session 75 of user root.
-- Subject: Unit session-75.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-75.scope has begun starting up.
Oct 02 10:35:01 kor-srv-pxy.avx.com CROND[16013]: (root) CMD (LANG=en_US /usr/clearos/apps/base/deploy/servicewatch
Oct 02 10:35:01 kor-srv-pxy.avx.com CROND[16014]: (root) CMD (/usr/sbin/events-notification -i > /dev/null 2>&1)
Oct 02 10:35:01 kor-srv-pxy.avx.com servicewatch[16029]: sanity checking slapd
lines 2175-2221/2221 (END)
Hope the above helps
Please can you try the first fix here? Can you let me know if it works because it is supposed to have been fixed for new installations?
[edit]
That is a jump to the possible solution. If it does not work, try starting ldap manually and post the error:
slapd -h "ldap://127.0.0.1/" -u ldap -f "/etc/openldap/slapd.conf" -d 256
[/edit]
Nick
Thanks for this, the solution didn't work, it failed to copy one file as it didn't exist!
cp: cannot stat ‘/etc/pki/CA/private/bootstrap.key’: No such file or directory
I tried the .key file from /etc/pki, didn't work either
Output of second command:
slapd -h "ldap://127.0.0.1/" -u ldap -f "/etc/openldap/slapd.conf" -d 256
5bb34455 @(#) $OpenLDAP: slapd 2.4.44 (Jul 4 2018 20:05:05) $
[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS: could not use key file `/etc/openldap/certs/clearos-key.pem'.
TLS: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch x509_cmp.c:341
5bb34455 main: TLS init def ctx failed: -1
5bb34455 slapd stopped.
5bb34455 connections_destroy: nothing to destroy.
[root@kor-srv-pxy log]#
I'm thinking the install may not have gone cleanly and a rebuild is the order of the day. The system isn't live yet.
OK, thanks for letting me know. There is a suspicion of a faulty old installation iso which comes with a /etc/openldap/certs/clearos-key.pem preinstalled, which is messing things up. The fix should get round it, but either has not been released or does not work as expected. Can I suggest you download another iso, otherwise you risk hitting this issue with every installation?
Weirdly, if you follow, there was an update which fixed things into a broken state. It appears that OpenLDAP seems to have always been broken and would allow you to use mismatched certificates and keys, and it should not have done. This was fixed upstream and released as part of the 7.5 update for the Community, and a bit later for Business. Because it now detects the mismatch it refuses to start, which is better behaviour. The devs think something like a 7.4 iso went out already containing a key. The initialisation script then copied over the bootstrap certificate but not the key, because one already existed, hence the mismatch. This has now been fixed. The devs want to see your log in case one of the patches has not worked.