I broke my LDAP database again. I was setting up the password policies (lockout after 3 failed tries, that sort of thing) and after clicking OK on the YaST module it failed to close, it just hung. After that the ldap-server module wouldn’t open it would just hang permanently. I tinkered with it for a while but I ended up just rebuilding the database. I figured out which password policy setting broke the database, but now whenever I go to install the TLS/SSL certificates (which I found out are required the last time I tried this) I get a new error. The LDAP service fails to start and if I look in systemctl ldap.service status I see the line:
[slapd]main: TLS init def ctx failed: -1
and it also says that slapd has a status of 7. I’ve been able to find out very little about the TLS error, but I saw at http://www.zytrax.com/books/ldap/ch12/ that the 7 exit code is “LDAP_STRONG_AUTH_NOT_SUPPORTED” which means “The LDAP server does not support strong authentication”. I’m not really sure what that means, because LDAP interfaces with SSSD, which requires an encrypted channel, and I’m using the YaST module to setup the server which should configure it to use strong authentication when I try to setup the TLS certs.
I’m following the same steps that I mentioned in posts 3/5 on this thread:
I’m using the private.pem file for the CA certificate and the certificate, and yoda.pem for the key certificate.
I’ve never seen this error before so I originally thought it was a one-off thing. I’ve tried rebuilding the database, reinstalling the packages, deleting everything in /etc/openldap and /var/lib/ldap and then reinstalling the packages, and even completely reinstalling OpenSUSE on my server, but I still get this error whenever I try to setup TLS certificates.
The server and all the computers connected to it are all running 13.1. I’ve looked at using Samba and Kerberos to authenticate the users but since all the computers are running Linux those don’t seem to options and I can’t use NIS because of the security holes.