5 Replies Latest reply: Jul 8, 2013 11:35 PM by Tyson Brown
Tyson Brown Level 1 (5 points)

My OS X 10.7.4 Server machine is an Open Directory Master, used for providing external server authentication for FileMaker 12 Server.  My RapidSSL signed cert expired on June 30, and I've been trying to replace the cert with a new one... I BELIEVE I've gotten it right, BUT....


I cannot get OpenDirectory to restart.  When I go into my Server Admin and view my LDAP log, I see


Jul  8 21:37:09 filemaker slapd[905]: daemon: SLAP_SOCK_INIT: dtblsize=8192

Jul  8 21:37:09 filemaker slapd[905]: main: TLS init def ctx failed: -1

Jul  8 21:37:09 filemaker slapd[905]: slapd stopped.

Jul  8 21:37:19 filemaker slapd[915]: @(#) $OpenLDAP: slapd 2.4.23 (Feb 25 2012 19:47:01) $



Repeated over and over again.  I KNOW this has something to do with my cert (after I googled it), but I'm not sure what to do...  I obtained the signed cert, I added my intermediate cert from RapidSSL to the keychain, but I saw that there were TWO different certs listed at the RapidSSL support site, here:  https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548, a primary and a secondary.... When I tried adding the secondary (copied the cert off their download site and dragged it over the keychain) it gave me an error...  I'm sorry I don't have a screen capture of it as I wasn't thinking clearly enough to do that...


I'm not particularly openLDAP literate, so be patient with me... Any suggestions about what the error means, how to resolve it and how to get my LDAP back up and going would be appreciated...

Mac mini, Mac OS X (10.7.4), Mac Mini Server (Mid-2012)
  • Tyson Brown Level 1 (5 points)

    One more not very positive note... no, I don't have a backup of my OD database. 

  • Tyson Brown Level 1 (5 points)

    Okay, so doing a bit more digging tonight, I found this thread in the 10.6 discussions


    https://discussions.apple.com/thread/2644217?start=0&tstart=0, that provided me with the command for manually starting slapd


    sudo /usr/libexec/slapd -d -1


    Which gave me THIS bit of error message


    TLS: could not load verify locations (file:`/etc/certificates/[myservername].ECA88C7518AEDE947AAC94D9A259D1B2E5621169.chain.pem',dir:`').

    TLS: error:02001002:system library:fopen:No such file or directory /SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:126

    TLS: error:2006D080:BIO routines:BIO_new_file:no such file /SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:129

    TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib /SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/x509/by_file.c:274

    main: TLS init def ctx failed: -1


    Which, according to the thread I looked at above MAY mean that indeed slapd/LDAP cannot find my certificate.  Sure enough, when I look in /etc/certificates I cannot find the certificate that is being called above.  I CAN find ones that I added tonight... Any suggestions about how to correct the error above would be appreciated....

  • Tyson Brown Level 1 (5 points)

    When I issue sudo slapconfig -getldapconfig


    I get


    Search base: dc=[mydc],dc=[mydc],dc=[mydc

    Database: /var/db/openldap/openldap-data

    Maximum search results: 11000

    Search timeout: 60

    SSL: on

    SSL CA certificate: /etc/certificates/[myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.chain.pem

    SSL certificate: /etc/certificates/[myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.cert.pem

    SSL key: /etc/certificates/[myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.key.pem

    Backend: config


    and when I go into /etc/certificates I see


    -rw-r--r--    1 root  wheel      1850 Jul  8 22:04 [myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.cert.pem

    -rw-r--r--    1 root  wheel      5653 Jul  8 22:04 [myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.chain.pem

    -rw-r-----    1 root  certusers  3593 Jul  8 22:04 [myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.concat.pem

    -rw-r-----    1 root  certusers  1743 Jul  8 22:04 [myservername].0F091B116FF7384B23CF6CDFDD86C5F6FB79689B.key.pem


    What is this concat.pem?  Is it throwing the error because something somewhere is NOT calling the right cert?

  • Tyson Brown Level 1 (5 points)

    So, when I issued "sudo nano /etc/openldap/slapd.d/cn=config.ldif"  I got THESE lines at the end of the file.... Which do not refer to ANY of the files listed in /etc/certificates/




    olcTLSCertificateFile: /etc/certificates/[myservername].ECA88C7518AEDE947A


    olcTLSCACertificateFile: /etc/certificates/[myservername].ECA88C7518AEDE94


    olcTLSCertificateKeyFile: /etc/certificates/[myservername].ECA88C7518AEDE9


    olcTLSCertificatePassphraseTool: /usr/sbin/certadmin --get-private-key-passphr

    ase /etc/certificates/[myservername].ECA88C7518AEDE947AAC94D9A259D1B2E562


    entryCSN: 20120628190714.643255Z#000000#001#000000


    And the entryCSN timestamp seems to refer to last year....


    So, do I take the plunge and remove these lines? I don't know if I can make this any worse...  Constructive suggestions are welcome!

  • Tyson Brown Level 1 (5 points)

    Okay, I did it!  I REMOVED the five lines and my ldap started up immediately!  Happy Happy happy!  Now I go do an LDAP database backup!
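Editor's note and added example (not code from the thread or from Apple). The log lines and the cn=config.ldif excerpt above show the whole story: slapconfig reports the new identity (hash 0F09...689B), the files under /etc/certificates carry that hash, but cn=config.ldif still names the expired identity (hash ECA8...1169), so slapd fails to open its TLS files, logs "TLS init def ctx failed: -1" and exits before it listens. The concat.pem the poster asks about is the certificate and the private key in one file (1850 + 1743 = 3593 bytes in the listing), which is why it carries the same root:certusers 0640 permissions as key.pem; slapd does not use it. The poster's fix of deleting the five olcTLS* lines does get slapd running, but it runs without TLS. The script below shows the alternative: parse the LDIF (real cn=config.ldif folds long lines with a leading space; the wrapping shown in the nano excerpt is just the 80-column terminal), report which referenced files are missing, and re-point the attributes at the newest complete cert/chain/key identity for the host. The hostname filemaker and the two hashes come from the posts; the temp directory, placeholder file contents and sample LDIF are constructed stand-ins so it runs offline.

```python
#!/usr/bin/env python3
"""Find and repair stale olcTLS* file paths in an OpenLDAP cn=config.ldif.

Added illustration for the thread above, not code from the thread or from Apple.
Assumes the OS X Server 10.7 layout seen in the posts: identity files named
<host>.<40-hex identity hash>.{cert,chain,key,concat}.pem under /etc/certificates,
and slapd's TLS settings stored in /etc/openldap/slapd.d/cn=config.ldif.
The hostname and hashes are from the posts; the files built by build_demo() are
constructed stand-ins, not real certificates.
"""
import os
import re
import tempfile

# Files slapd must open at startup.  If any is missing, slapd logs
# "could not load verify locations" / "TLS init def ctx failed: -1" and stops.
TLS_FILE_ATTRS = ("olcTLSCertificateFile", "olcTLSCACertificateFile",
                  "olcTLSCertificateKeyFile")
# Holds a command line that also embeds the identity hash in a path.
TLS_TOOL_ATTR = "olcTLSCertificatePassphraseTool"

# OS X Server identity file naming: <host>.<SHA-1 identity hash>.<kind>.pem
IDENTITY_RE = re.compile(
    r"^(?P<host>.+)\.(?P<hash>[0-9A-F]{40})\.(?P<kind>cert|chain|key|concat)\.pem$")
REQUIRED_KINDS = {"cert": "olcTLSCertificateFile",
                  "chain": "olcTLSCACertificateFile",
                  "key": "olcTLSCertificateKeyFile"}

OLD_HASH = "ECA88C7518AEDE947AAC94D9A259D1B2E5621169"  # expired identity, from the slapd log
NEW_HASH = "0F091B116FF7384B23CF6CDFDD86C5F6FB79689B"  # new identity, from slapconfig output


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_tls_attrs(ldif_text):
    """Return {attribute: value} for the olcTLS* attributes present in cn=config.ldif."""
    found = {}
    for line in unfold_ldif(ldif_text):
        attr, sep, value = line.partition(":")
        if sep and (attr in TLS_FILE_ATTRS or attr == TLS_TOOL_ATTR):
            found[attr] = value.strip()
    return found


def missing_tls_files(attrs):
    """List (attribute, path) pairs whose file does not exist on disk."""
    return [(a, attrs[a]) for a in TLS_FILE_ATTRS
            if a in attrs and not os.path.isfile(attrs[a])]


def find_identities(cert_dir, host):
    """Group identity files for `host` in cert_dir by hash: {hash: {kind: path}}."""
    identities = {}
    for name in sorted(os.listdir(cert_dir)):
        m = IDENTITY_RE.match(name)
        if m and m.group("host") == host:
            identities.setdefault(m.group("hash"), {})[m.group("kind")] = \
                os.path.join(cert_dir, name)
    return identities


def newest_complete_identity(identities):
    """Pick the hash that has cert, chain and key; the newest cert.pem wins if several qualify."""
    complete = [h for h, kinds in identities.items() if REQUIRED_KINDS.keys() <= kinds.keys()]
    if not complete:
        return None
    return max(complete, key=lambda h: os.path.getmtime(identities[h]["cert"]))


def repair_tls_attrs(ldif_text, cert_dir, host):
    """Re-point the olcTLS* attributes at the newest complete identity.

    Returns (new_ldif_text, chosen_hash).  Unlike deleting the attributes, this
    keeps TLS enabled for the LDAP service.  Folded lines are written unfolded.
    """
    identities = find_identities(cert_dir, host)
    chosen = newest_complete_identity(identities)
    if chosen is None:
        raise RuntimeError("no complete cert/chain/key identity for %s in %s" % (host, cert_dir))
    attr_to_kind = {a: k for k, a in REQUIRED_KINDS.items()}
    out = []
    for line in unfold_ldif(ldif_text):
        attr, sep, value = line.partition(":")
        if sep and attr in attr_to_kind:
            out.append("%s: %s" % (attr, identities[chosen][attr_to_kind[attr]]))
        elif sep and attr == TLS_TOOL_ATTR:
            # Same command, just swap the identity hash inside its path argument.
            out.append("%s: %s" % (attr, re.sub(r"[0-9A-F]{40}", chosen, value.strip())))
        else:
            out.append(line)
    return "\n".join(out) + "\n", chosen


def build_demo():
    """Construct a stand-in /etc/certificates and cn=config.ldif in a temp dir (sample data)."""
    root = tempfile.mkdtemp(prefix="odtls-")
    cert_dir = os.path.join(root, "certificates")
    os.mkdir(cert_dir)
    host = "filemaker"
    for kind in ("cert", "chain", "key", "concat"):   # only the NEW identity exists on disk
        with open(os.path.join(cert_dir, "%s.%s.%s.pem" % (host, NEW_HASH, kind)), "w") as f:
            f.write("-----BEGIN PLACEHOLDER-----\n")   # stand-in content, not a real PEM
    ldif = (
        "dn: cn=config\n"
        "objectClass: olcGlobal\n"
        "cn: config\n"
        "olcTLSCertificateFile: {d}/{h}.{old}.cert.pem\n"
        "olcTLSCACertificateFile: {d}/{h}.{old}.chain.pem\n"
        "olcTLSCertificateKeyFile: {d}/{h}.{old}.key.pem\n"
        "olcTLSCertificatePassphraseTool: /usr/sbin/certadmin --get-private-key-passphr\n"
        " ase {d}/{h}.{old}.key.pem\n"          # LDIF fold: leading space continues the line
        "entryCSN: 20120628190714.643255Z#000000#001#000000\n"
    ).format(d=cert_dir, h=host, old=OLD_HASH)
    return ldif, cert_dir, host


if __name__ == "__main__":
    ldif, cert_dir, host = build_demo()
    for attr, path in missing_tls_files(parse_tls_attrs(ldif)):
        print("MISSING  %s -> %s" % (attr, path))
    fixed, chosen = repair_tls_attrs(ldif, cert_dir, host)
    print("re-pointed to identity %s\n%s" % (chosen, fixed))
```

On a real server, run this only with slapd stopped (files under slapd.d are slapd's live configuration and must not be hand-edited while it runs), keep a copy of the original cn=config.ldif, and before restarting confirm the new files actually belong together: `openssl x509 -noout -modulus -in <cert.pem> | openssl md5` should equal `openssl rsa -noout -modulus -in <key.pem> | openssl md5`, and `openssl verify -CAfile <chain.pem> <cert.pem>` should print OK, otherwise slapd will fail at the next step with a different TLS error.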