OpenLDAP won't start and won't log why
Solution 1
Here are some ideas for additional debugging. These are only necessary if you're absolutely positive it's not a permission problem...
First, try running slapd in debug mode:
slapd -u ldap -g ldap -d 65
Note that the argument to -d is a bit field, values for which can be found in the slapd.conf man page (look for loglevel). 65 is trace + config, which is usually sufficiently verbose for this sort of problem. This may or may not show you anything useful.
If that doesn't work, we can use strace (a system call tracer) to figure out exactly what's going on. Run slapd like this:
strace -o /tmp/trace -f -s 1024 slapd -u ldap -g ldap -d 7
When it dies, you'll have a file /tmp/trace containing all the system calls from slapd. For the curious, -f makes strace follow forks (not really necessary in this case, but it's my default), and -s 1024 makes strace print up to 1024 bytes of string arguments in the trace log.
Now, use grep to look for references to company.crt in this file. In theory you'll find something that looks like this if there is a permission problem:
open("/tmp/company.crt", O_RDONLY) = -1 EACCES (Permission denied)
Or something like this if the file is missing:
open("/tmp/company.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
A successful open looks like this:
open("/tmp/company.crt", O_RDONLY) = 3
Where that 3 is the file descriptor returned by open (and will probably be some other positive integer).
Take a look and see if something obvious jumps out. Let me know if that doesn't help.
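As an added example (not part of the answer above): a small Python parser for the kind of strace output this answer describes. It pulls out open()/openat() calls and classifies each as a success (file descriptor returned), EACCES or ENOENT, so the permission or missing-file case can be spotted without reading the whole trace. The trace lines are constructed for the demo; /etc/openldap/cacerts/company.crt is the path from the question, the other paths are made up.

```python
import re

# Constructed sample of strace -f output (not from the original post): slapd
# reads its config, then fails on the CA certificate with EACCES.
SAMPLE_TRACE = """\
1234  open("/etc/openldap/slapd.conf", O_RDONLY) = 3
1234  read(3, "include /etc/openldap/schema/core.schema\\n", 4096) = 41
1234  open("/etc/openldap/cacerts/company.crt", O_RDONLY) = -1 EACCES (Permission denied)
1234  openat(AT_FDCWD, "/etc/openldap/cacerts/missing.crt", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1234  open("/etc/openldap/cacerts/ca.crt", O_RDONLY) = 4
"""

# Matches open()/openat() lines as strace prints them (optional leading pid
# from -f), capturing the path, the flags, and either a descriptor or an errno.
OPEN_RE = re.compile(
    r'^(?:\d+\s+)?open(?:at)?\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*(?P<flags>[A-Z_|0-9]+)'
    r'(?:,\s*\d+)?\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+)\s*\((?P<msg>[^)]*)\))?'
)


def parse_opens(trace_text):
    """Return one dict per open()/openat() call found in strace output."""
    calls = []
    for line in trace_text.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue  # not an open call (read, write, ...)
        ret = int(m.group("ret"))
        calls.append({
            "path": m.group("path"),
            "flags": m.group("flags"),
            "ok": ret >= 0,              # non-negative return is a descriptor
            "fd": ret if ret >= 0 else None,
            "errno": m.group("errno"),   # EACCES, ENOENT, ... or None
        })
    return calls


def failed_opens(trace_text, needle=None):
    """Failed opens, optionally restricted to paths containing `needle`."""
    return [c for c in parse_opens(trace_text)
            if not c["ok"] and (needle is None or needle in c["path"])]


if __name__ == "__main__":
    # Same idea as grepping /tmp/trace for company.crt, but for every .crt file.
    for c in failed_opens(SAMPLE_TRACE, ".crt"):
        print(f'{c["path"]}: {c["errno"]}')
```

Point it at a real trace with `failed_opens(open("/tmp/trace").read(), "company.crt")`; an EACCES result confirms the permission theory, ENOENT means the path in slapd.conf is wrong.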
Solution 2
You shouldn't set /etc/openldap to 777. Permissions are necessary to make things work correctly sometimes. I would suggest changing it back to 755.
You might have the incorrect user and/or permission on cacerts:
drwxr-xr-x 3 root root 4096 Apr 19 2007 cacerts/
Jake Wilson, updated on September 18, 2022
Comments
-
Jake Wilson over 1 year: Recently needed to restart OpenLDAP on one of our servers. When I restart the service, the command prompt just sits there waiting for something. I never get the [ OK ]. If I CTRL+C out of it, it says:
...killed. /etc/openldap/cacerts/company.crt is not readable by "ldap" [WARNING]
Just to prove a point, I made /etc/openldap 777 recursively. I still get the error. I don't see anything in /var/log changing to give me some feedback. Where do I need to look to fix this? This is an old server running Fedora 8 (ya I know, blame the previous IT guy).
-
Kyle Smith almost 13 years: Is SELinux enabled? This smells like SELinux.
-
Jake Wilson almost 13 years: SELinux status: disabled
-
Anarko_Bizounours almost 13 years: Did you check with a ps that your service isn't running? Might be a zombie there, and that's why you can't restart the openldap service.