Update killed LDAP server

I have openSUSE 13.2 running.
After a software update today, which brought among other things a new kernel, I had to reboot the machine.
After the reboot the LDAP Server did not start anymore.

The message is:

main: TLS init def ctx failed: -1

Everything was fine before today’s update!
Don’t the opensuse guys test their things?

I am really getting fed up with SUSE. They changed the whole LDAP in yast with Version 13.2, so that I could not get new clients configured anymore.
Now they destroyed my LDAP Server with their update.
That is simply too much!

You may be frustrated, but this is not the place to show this.

Either you want technical help from your fellow users and then this is the place (but without the frustration shown as you do), or you start a thread at General Chitchat or Soapbox (and even there there are restrictions on behaviour).

Thank you for the lecture.

Of course I am seeking technical help with the problem.
Regarding my frustration, I reckon that it was shown in the wrong place according to the forum rules. I hope my apologies will be accepted.

The problem is really serious. LDAP is not working anymore on my server.
I had to reconfigure DHCP server, DNS server, and many others to work without LDAP now.
I even had to create all the users locally now because the users in LDAP are not accessible any longer.

But this is only an interim workaround. I need the LDAP server in the network as a central point for the user management.

I described the technical problem in the thread start.

Does anybody have a clue what is going wrong?
It looks as if for some reason the certificates are not accepted any more, but I cannot track this down.

Are your certificate(s) readable by the ldap user, ldap group?

-1 would indicate that it cannot read them for some reason, perhaps a permission issue.

Note:
There haven’t been any updates to the LDAP or KRB in recent days, so I’m guessing it’s caused by something unknown rather than an update.

Good point. I will check this.

However, I doubt it. It was running before. So the access rights must have been OK at least on the last start of the LDAP server.

It did not work anymore after the restart of the machine. Assuming the access rights had changed somewhen before the restart, then LDAP could not have read the certificates any more from then on and should have issued an error message on every START TLS, meaning on every access by an LDAP client from a remote machine. There is nothing in the logs, however.

But I will double check (can do it only after some hours unfortunately).

This is going to sound really dumb but double check that your system clock is up to date - I ran into this issue a while back, took me a few moments to realize the clock was off by several hours.

Good point. Thank you for the hint. rotfl!

But actually the machine is running NTP and is synchronizing itself from an array of NTP servers:

server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org

and it is synchronizing the hardware clock from the NTP time.

No worries about the system clock therefore. lol!

I have checked it.
The directory of the certificates has drwxr-xr-x, the cert files have -rw-r--r-- so EVERYBODY can read them.

Isn’t there anybody who could give some advice to get the server running again with LDAP?

It is not very helpful for me to be lectured about not showing my frustration here while those GLOBAL MODERATORs and WISE PENGUINs who lectured me so perfectly about the formal style cannot give any technical help.

I need the LDAP server URGENTLY. Do I really need to migrate my entire server to CENTOS this Friday? It was so easy to get the LDAP server running with CentOS on a test machine. I do not understand why opensuse is so weird about that.

Yes, GLOBAL MODERATORs, you may suspend or ban me now - I do not care about that.

If I cannot use opensuse anymore then I will not need this forum here anymore anyhow.

On 2015-04-29 10:06, Suworow wrote:
>
> Isn’t there anybody who could give some advice to get the server running
> again with LDAP?

I’m sorry, I know close to nothing about ldap. However, may I suggest
you post to the opensuse mail list? It is a different crowd, possibly
with more sysadmin people.

I tried ldap long ago, but I could not make heads or tails of the
documentation in the book (paper at the time). However, I heard that on
SLES it is very easy, everything is integrated with ldap. What we get in
openSUSE is possibly a dumbed down version.

Please try posting on the mail list.

Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Is AppArmor active by any chance? This is the first usual suspect in case of strange failures to access files.

I had the same problem.
The reason was that the certificate key file had been damaged.
After I restored the key file everything was fine again.

The message “-1” shows that the cert files cannot be read… it does not tell the reason why…
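The two checks this thread converged on, whether the service account can read the TLS files and whether a key file is structurally damaged, as an added example that is not from any participant in the thread. It assumes the LDAP service account is user/group `ldap` (as suggested above) and uses constructed files, not real keys; the structural check only validates the PEM armour, base64 and outer DER length, not the key material itself.

```python
"""Added example for the checks suggested in this thread: can the LDAP
service account (assumed here to be 'ldap') read the TLS files, and is the
PEM content intact (a damaged key file was the cause found at the end)."""
import base64, os, re, stat, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def readable_by(st, uid, gid):
    """Owner/group/other read check for a process running as uid/gid; root reads anything."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def pem_intact(text):
    """(ok, reason): PEM armour present, body is base64, and the DER inside is a
    SEQUENCE whose declared length matches the bytes present (catches truncation)."""
    m = PEM_RE.search(text)
    if not m:
        return False, "no BEGIN/END block"
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    except ValueError as e:
        return False, "body is not base64: %s" % e
    if len(der) < 2 or der[0] != 0x30:
        return False, "not a DER SEQUENCE"
    n = 0 if der[1] < 0x80 else der[1] & 0x7F        # long form: 0x8N, then N length bytes
    length = der[1] if der[1] < 0x80 else int.from_bytes(der[2:2 + n], "big")
    if len(der) != 2 + n + length:
        return False, "DER truncated: declares %d bytes, has %d" % (length, len(der) - 2 - n)
    return True, "ok"


def demo():
    """Constructed files (not real keys): an intact PEM, a truncated one, and a
    mode-0600 one, checked as a uid/gid that is neither owner nor group."""
    good = bytes.fromhex("3003020101")               # DER SEQUENCE { INTEGER 1 }
    pem = lambda der: "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % base64.b64encode(der).decode()
    uid, gid, report = os.getuid() + 1, os.getgid() + 1, {}
    with tempfile.TemporaryDirectory() as d:
        for name, body, mode in (("intact", pem(good), 0o644), ("truncated", pem(good[:-1]), 0o644), ("private", pem(good), 0o600)):
            path = Path(d, name)
            path.write_text(body)
            path.chmod(mode)
            ok, reason = pem_intact(path.read_text()) if readable_by(path.stat(), uid, gid) else (False, "not readable by the ldap account")
            report[name] = (ok, reason)
    return report
```

On a real system, point the checks at the files named in the server's TLS settings and pass the ldap account's uid/gid; a file that passes both checks but still fails to load leaves the key material or an access-control layer such as AppArmor as the remaining suspects.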