5 Replies Latest reply: Jul 8, 2013 11:35 PM by Tyson Brown
Tyson Brown Level 1 (5 points)

My OS X.7.4 Server machine is an Open Directory Master, used for providing external server authentication for FileMaker 12 Server.  My RapidSSL signed cert expired on June 30, and I've been trying to replace the cert with a new one... I BELIEVE I've gotten it right, BUT....

 

I cannot get OpenDirectory to restart.  When I go into my Server Admin and view my LDAP log, I see

 

Jul  8 21:37:09 filemaker slapd[905]: daemon: SLAP_SOCK_INIT: dtblsize=8192

Jul  8 21:37:09 filemaker slapd[905]: main: TLS init def ctx failed: -1

Jul  8 21:37:09 filemaker slapd[905]: slapd stopped.

Jul  8 21:37:19 filemaker slapd[915]: @(#) $OpenLDAP: slapd 2.4.23 (Feb 25 2012 19:47:01) $

                    root@melodie.apple.com:/private/var/tmp/OpenLDAP/OpenLDAP-186.4~2/servers/slapd

 

Repeated over and over again.  I KNOW this has something to do with my cert (after I googled it), but I'm not sure what to do...  I obtained the signed cert, I added my intermediate cert from RapidSSL to the keychain, but I saw that there were TWO different certs listed at the RapidSSL support site, here:  https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548, a primary and a secondary.... When I tried adding the secondary (copied the cert off their download site and dragged it over the keychain) it gave me an error...  I'm sorry I don't have a screen capture of it as I wasn't thinking clearly enough to do that...

 

I'm not particularly openLDAP literate, so be patient with me... Any suggestions about what the error means, how to resolve it and how to get my LDAP back up and going would be appreciated...


Mac mini, Mac OS X (10.7.4), Mac Mini Server (Mid-2012)
  • 1. Re: slapd errors preventing OpenDirectory service from starting?
    Tyson Brown Level 1 (5 points)

    One more not very positive note... no, I don't have a backup of my OD database. 

  • 2. Re: slapd errors preventing OpenDirectory service from starting?
    Tyson Brown Level 1 (5 points)

    Okay, so doing a bit more digging tonight, I found this thread in the 10.6 discussions

     

    https://discussions.apple.com/thread/2644217?start=0&tstart=0, that provided me with the command for manually starting slapd

     

    sudo /usr/libexec/slapd -d -1

     

    Which gave me THIS bit of error message

     

    TLS: could not load verify locations (file:`/etc/certificates/[myservername].ECA88C7518AEDE947AAC94D9A259D1B2E5621169.chain.pem',dir:`').

    TLS: error:02001002:system library:fopen:No such file or directory /SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:126

    TLS: error:2006D080:BIO routines:BIO_new_file:no such file /SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:129

    TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib /SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/x509/by_file.c:274

    main: TLS init def ctx failed: -1

     

    Which, according to the thread I looked at above MAY mean that indeed slapd/LDAP cannot find my certificate.  Sure enough, when I look in /etc/certificates I cannot find the certificate that is being called above.  I CAN find ones that I added tonight... Any suggestions about how to correct the error above would be appreciated....

  • 3. Re: slapd errors preventing OpenDirectory service from starting?
    Tyson Brown Level 1 (5 points)

    When I issue  sudo slapconfig -getldapconfig

     

    I get

     

    Search base: dc=[mydc],dc=[mydc],dc=[mydc]

    Database: /var/db/openldap/openldap-data

    Maximum search results: 11000

    Search timeout: 60

    SSL: on

    SSL CA certificate: /etc/certificates/[myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.chain.pem

    SSL certificate: /etc/certificates/[myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.cert.pem

    SSL key: /etc/certificates/[myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.key.pem

    Backend: config

     

    and when I go into /etc/certificates I see

     

    -rw-r--r--    1 root  wheel      1850 Jul  8 22:04 [myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.cert.pem

    -rw-r--r--    1 root  wheel      5653 Jul  8 22:04 [myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.chain.pem

    -rw-r-----    1 root  certusers  3593 Jul  8 22:04 [myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.concat.pem

    -rw-r-----    1 root  certusers  1743 Jul  8 22:04 [myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.key.pem

     

    What is this concat.pem?  Is it throwing the error because something somewhere is NOT calling the right cert?

  • 4. Re: slapd errors preventing OpenDirectory service from starting?
    Tyson Brown Level 1 (5 points)

    So, when I issued "sudo nano /etc/openldap/slapd.d/cn=config.ldif"  I got THESE lines at the end of the file.... Which do not refer to ANY of the files listed in /etc/certificates/

    olcTLSCertificateFile: /etc/certificates/[myservername].ECA88C7518AEDE947AAC94D9A259D1B2E5621169.cert.pem

    olcTLSCACertificateFile: /etc/certificates/[myservername].ECA88C7518AEDE947AAC94D9A259D1B2E5621169.chain.pem

    olcTLSCertificateKeyFile: /etc/certificates/[myservername].ECA88C7518AEDE947AAC94D9A259D1B2E5621169.key.pem

    olcTLSCertificatePassphraseTool: /usr/sbin/certadmin --get-private-key-passphrase /etc/certificates/[myservername].ECA88C7518AEDE947AAC94D9A259D1B2E5621169.key.pem

    entryCSN: 20120628190714.643255Z#000000#001#000000

     

    And the entryCSN timestamp seems to refer to last year....

     

    So, do I take the plunge and remove these lines? I don't know if I can make this any worse...  Constructive suggestions are welcome!

  • 5. Re: slapd errors preventing OpenDirectory service from starting?
    Tyson Brown Level 1 (5 points)

    Okay, I did it!  I REMOVED the five lines and my ldap started up immediately!  Happy Happy happy!  Now I go do an LDAP database backup!
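The root cause in replies 2 through 4 is that cn=config.ldif pointed slapd at certificate files with a hash that no longer existed under /etc/certificates, while slapconfig reported the newer files. The script below is an added example, not from the thread or from Apple: it unwraps an LDIF file (long values continue on lines starting with one space, as in the pasted cn=config.ldif), pulls out the olcTLS*File paths, and reports which of them are missing on disk. The default LDIF path and the CONFIG_LDIF variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find which TLS files an OpenLDAP
# cn=config.ldif points at and report any that are missing on disk.
# That is the failure behind "TLS: could not load verify locations ...
# No such file or directory" followed by "main: TLS init def ctx failed".

# LDIF wraps long values: a line starting with one space continues the
# previous line. Join those so each attribute is one "name: value" line.
ldif_unwrap() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' "$1"
}

# Print the value of each TLS file attribute slapd will try to open.
ldif_tls_paths() {
    ldif_unwrap "$1" | awk '
        /^olcTLS(CertificateFile|CACertificateFile|CertificateKeyFile): */ {
            sub(/^[^:]*: */, ""); print
        }'
}

# Check every referenced path; prints one line per file and returns the
# number of missing files (0 means slapd can at least find all of them).
check_tls_paths() {
    missing=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -e "$p" ]; then
            printf 'ok      %s\n' "$p"
        else
            printf 'MISSING %s\n' "$p"
            missing=$((missing + 1))
        fi
    done <<EOF
$(ldif_tls_paths "$1")
EOF
    return "$missing"
}

# Run against a real config only when asked to (assumed variable name), e.g.
#   sudo env CONFIG_LDIF=/etc/openldap/slapd.d/cn=config.ldif sh check_tls.sh
[ -z "${CONFIG_LDIF:-}" ] || check_tls_paths "$CONFIG_LDIF"
```

Any path reported MISSING should be compared with what `sudo slapconfig -getldapconfig` prints, since that is where the current certificate hash shows up; the file needs root to read cn=config.ldif, which is why the script is run under sudo.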