我正在尝试在我的 centos7 节点上设置一个新的 OpenLDAP\
cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
节点有半生不熟的 OpenLDAP,我使用以下命令清理了它
systemctl stop slapd
systemctl disable slapd
yum -y remove openldap-servers openldap-clients
rm -rf /var/lib/ldap
userdel ldap
rm -rf /etc/openldap
然后我再次使用
yumyum install openldap openldap-servers -y
yum install openldap-clients -y
rpm -qa | grep openldap
openldap-2.4.44-25.el7_9.x86_64
openldap-servers-2.4.44-25.el7_9.x86_64
openldap-devel-2.4.44-25.el7_9.x86_64
openldap-clients-2.4.44-25.el7_9.x86_64
在此之后;我正在尝试启动失败的 slapd
systemctl start slapd
Job for slapd.service failed because the control process exited with error code. See "systemctl status slapd.service" and "journalctl -xe" for details.
systemctl status -l slapd.service
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2023-05-14 15:52:24 UTC; 57s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 1037 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
Process: 1022 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com runuser[1025]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com runuser[1025]: pam_unix(runuser:session): session closed for user ldap
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $
[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: main: TLS init def ctx failed: -1
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: slapd stopped.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: connections_destroy: nothing to destroy.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: slapd.service: control process exited, code=exited status=1
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: Failed to start OpenLDAP Server Daemon.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: Unit slapd.service entered failed state.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: slapd.service failed.
这里有一些疑似 TLS 相关的配置
ls -l /etc/openldap/certs/
total 12
-rw-r--r--. 1 ldap ldap 1371 May 14 15:27 myCA.pem
-rw-r--r--. 1 ldap ldap 1379 May 14 15:31 OpenLDAP Server
-rw-r--r--. 1 ldap ldap 1675 May 14 15:30 password
file /etc/openldap/certs/myCA.pem /etc/openldap/certs/OpenLDAP\ Server /etc/openldap/certs/password
/etc/openldap/certs/myCA.pem: PEM certificate
/etc/openldap/certs/OpenLDAP Server: PEM certificate
/etc/openldap/certs/password: PEM RSA private key
grep -R olcTLS /etc/openldap/slapd.d
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: "OpenLDAP Server"
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/certs/password
我怀疑是一些以前半生不熟的 OpenLDAP 设置导致了 TLS 错误
main: TLS init def ctx failed: -1olcTLSCACertificatePath: /etc/openldap/certs/etc/openldap/certs/myCA.pem我决定使用 vi 在下面的行中进行评论并且它有效,但我认为这不是最好的方法。
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: "OpenLDAP Server"
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/certs/password