Startup And Shutdown Problems
Date: 11-04-2022 Updated 5/7/2024 R. Conover
Problem Determination
More often than not, an OpenLDAP error is caused by a (mis)configuration issue or a misunderstanding of what you are trying to implement and/or achieve.
Checklist
The following checklist/questions can help track down your OpenLDAP issue. Please try to use it before posting to the list, or in the rare circumstance of reporting a bug.
1. Use the slaptest tool to verify configurations before starting slapd.
2. Verify that slapd is listening on the specified port(s) (389 and 636, generally) before trying the ldapsearch.
3. Can you issue an ldapsearch?
4. If not, have you enabled complex ACLs without fully understanding them?
5. Do you have a system-wide LDAP setting pointing to the wrong LDAP directory?
6. Are you using TLS?
7. Have your certificates expired?
8. If an improper shutdown occurred, check the logs.
9. systemctl status slapd.service and journalctl -xe can be used to see what is wrong.
systemctl Example:
systemctl status -l slapd.service
Results:
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2023-05-14 15:52:24 UTC; 57s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 1037 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
Process: 1022 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com runuser[1025]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com runuser[1025]: pam_unix(runuser:session): session closed for user ldap
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: main: TLS init def ctx failed: -1
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: slapd stopped.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com slapd[1037]: connections_destroy: nothing to destroy.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: slapd.service: control process exited, code=exited status=1
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: Failed to start OpenLDAP Server Daemon.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: Unit slapd.service entered failed state.
May 14 15:52:24 ip-172-26-65-165.support.fuse.asok.com systemd[1]: slapd.service failed.
In the output above, the line "main: TLS init def ctx failed: -1" shows that slapd could not initialise its TLS context, so there is a TLS issue, most likely from expired certs.
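The checklist and the log reading above can be scripted. The following is an added example, not code from the original page: it runs checklist steps 1-3 and then maps known slapd startup messages in journalctl output to the checklist item that addresses them. Only the "TLS init def ctx failed" message is taken from the page's output; the other patterns, the abridged sample lines and the ldapsearch arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Maps slapd startup failures seen in
# journalctl/systemctl output to the checklist item that addresses them.
# Usage: journalctl -u slapd.service -b --no-pager | sh slapd_triage.sh --journal
#        sh slapd_triage.sh --live     # also runs checklist steps 1-3 first
#        sh slapd_triage.sh            # triages the constructed sample below

# Read log lines on stdin and print "tag: hint" for each recognised failure.
# Returns 0 if at least one line matched, 1 otherwise. Only the TLS pattern is
# from the page; the others are assumed from slapd's usual errno/config wording.
triage_slapd_journal() {
    matched=0
    while IFS= read -r line; do
        case "$line" in
            *"TLS init def ctx failed"*)
                echo "tls: slapd could not load its TLS context - items 6 and 7 (cert/key path, permissions, expiry)" ;;
            *"Address already in use"*)
                echo "port: another process already holds the LDAP port - item 2 (ss -lnt)" ;;
            *"Permission denied"*)
                echo "perm: the ldap user cannot open a file or bind a port - item 1 (run slaptest as that user)" ;;
            *"could not stat config file"*)
                echo "config: configuration not found - item 1 (slaptest -u)" ;;
            *) continue ;;
        esac
        matched=1
    done
    [ "$matched" -eq 1 ]
}

# Constructed sample: an abridged copy of the page's systemctl output (hostname shortened).
SAMPLE_JOURNAL='May 14 15:52:24 host slapd[1037]: main: TLS init def ctx failed: -1
May 14 15:52:24 host slapd[1037]: slapd stopped.
May 14 15:52:24 host systemd[1]: Failed to start OpenLDAP Server Daemon.'

# Live checklist: steps 1-3 from the page, then triage the current boot's journal.
run_live_checks() {
    slaptest -u || return 1                                        # 1: config check
    ss -lnt | grep -E ':(389|636)[[:space:]]' \
        || echo "nothing listening on 389/636 (item 2)"            # 2: listening?
    ldapsearch -x -H ldap://localhost -b '' -s base '(objectClass=*)' namingContexts \
        || echo "anonymous root DSE search failed (items 3-5)"     # 3: can we search?
    journalctl -u slapd.service -b --no-pager | triage_slapd_journal
}

case "${1:-}" in
    --live)    run_live_checks ;;
    --journal) triage_slapd_journal ;;
    *)         printf '%s\n' "$SAMPLE_JOURNAL" | triage_slapd_journal ;;
esac
```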
If All Else Fails
Check the OpenLDAP site under the admin guide section for your specific version here: https://www.openldap.org/doc/
Get on the mailing list: https://www.openldap.org/lists/
Check the technical support page: https://www.openldap.org/support/