LDAP TLS error

I broke my LDAP database again. I was setting up the password policies (lockout after 3 failed tries, that sort of thing) and after clicking OK on the YaST module it failed to close, it just hung. After that the ldap-server module wouldn’t open; it would just hang permanently. I tinkered with it for a while but I ended up just rebuilding the database. I figured out which password policy setting broke the database, but now whenever I go to install the TLS/SSL certificates (which I found out are required the last time I tried this) I get a new error. The LDAP service fails to start and if I look in systemctl ldap.service status I see the line:

[slapd]main: TLS init def ctx failed: -1

and it also says that slapd has a status of 7. I’ve been able to find out very little about the TLS error, but I saw at http://www.zytrax.com/books/ldap/ch12/ that the 7 exit code is “LDAP_STRONG_AUTH_NOT_SUPPORTED”, which means “The LDAP server does not support strong authentication”. I’m not really sure what that means, because LDAP interfaces with SSSD, which requires an encrypted channel, and I’m using the YaST module to set up the server, which should configure it to use strong authentication when I try to set up the TLS certs.
I’m following the same steps that I mentioned in posts 3/5 on this thread:
I’m using the private.pem file for the CA certificate and the certificate, and yoda.pem for the key certificate.
I’ve never seen this error before so I originally thought it was a one-off thing. I’ve tried rebuilding the database, reinstalling the packages, deleting everything in /etc/openldap and /var/lib/ldap and then reinstalling the packages, and even completely reinstalling OpenSUSE on my server, but I still get this error whenever I try to set up TLS certificates.
The server and all the computers connected to it are all running 13.1. I’ve looked at using Samba and Kerberos to authenticate the users, but since all the computers are running Linux those don’t seem to be options, and I can’t use NIS because of the security holes.
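The "TLS init def ctx failed" line means slapd could not build its default TLS context from the CA/certificate/key files it was given, so the server refuses to start before listening at all. The shell script below is an added example, not from this thread or from the YaST module; it generates a constructed test CA, server certificate and keys under a temporary directory (the names ca.pem, yoda.pem, yoda.key and other.key are assumptions, not the poster's real files) and runs the three checks a practitioner would make before restarting slapd: every file is readable, the "key" file really is a private key whose public half matches the certificate, and the certificate chains to the CA file.

```shell
#!/bin/sh
# Added example, not code from the original thread. Sanity-checks the
# CA / certificate / key triple before handing it to slapd. File names
# used in the demo at the bottom are constructed test data.

# check_slapd_tls CA CERT KEY
# Returns 0 if the three files are consistent, 1 (with a reason on
# stderr) otherwise.
check_slapd_tls() {
    local ca="$1" cert="$2" key="$3" f cert_pub key_pub
    for f in "$ca" "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: cannot read $f (slapd runs as the ldap user; check owner/mode)" >&2
            return 1
        fi
    done
    # 1. CERT must parse as an X.509 certificate and KEY as a private key.
    #    A certificate accidentally passed as the key fails here.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not an X.509 certificate" >&2
        return 1
    fi
    if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
        echo "FAIL: $key is not a private key" >&2
        return 1
    fi
    # 2. The public key inside CERT must match the private key in KEY.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $cert does not match private key in $key" >&2
        return 1
    fi
    # 3. CERT must chain to the CA certificate slapd is told to trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by (or does not chain to) $ca" >&2
        return 1
    fi
    echo "OK: $cert, $key and $ca are consistent"
    return 0
}

# make_fixtures DIR: constructed test material only. Creates a throwaway
# CA, a server cert/key signed by it, and an unrelated key under DIR.
make_fixtures() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=constructed-test-CA \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=yoda.example.test \
        -keyout "$d/yoda.key" -out "$d/yoda.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/yoda.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/yoda.pem" -days 1 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1
}

# Demo: one good triple and two of the mistakes that stop slapd starting.
tmp=$(mktemp -d)
make_fixtures "$tmp"
check_slapd_tls "$tmp/ca.pem" "$tmp/yoda.pem" "$tmp/yoda.key"            # OK
check_slapd_tls "$tmp/ca.pem" "$tmp/yoda.pem" "$tmp/other.key" || true   # FAIL: key mismatch
check_slapd_tls "$tmp/ca.pem" "$tmp/yoda.pem" "$tmp/yoda.pem" || true    # FAIL: a cert given as the key
rm -rf "$tmp"
```

On a real server, run `check_slapd_tls` against the exact paths configured in the slapd TLS settings, and run it as the user slapd drops to, since a key file readable by root but not by that user also fails TLS initialisation.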

I’ve only experienced what you describe once and it was caused by a Kerberos problem. In other words, “other” authentication methods are considered “less strong” and Kerberos is required for strong authentication.

Sorry, I don’t really have much experience with what you’re looking at so can’t speculate further on exactly what you should do.


Well, I’m not using Kerberos, I’m trying to set up LDAP using the YaST module. What’s really confusing me is that I was able to get it working before, without Kerberos, and as far as I know I’m following the same steps as before.
Of course, obviously something is different I just can’t figure out what.

One more thing I can add - This appears to be a change in the LDAP server functionality. Currently, the LDAP server service won’t even start properly, but when I was setting this up the first time the server would work even if the certificates were wrong. In that case, clients wouldn’t be able to connect but the server would start running and responding to requests.