
I had a working OpenLDAP but broke it while trying to configure SSL using the instructions here: https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html. Now I'm getting the following error when I try to start ldap with -d -1:

TLS: only one of certfile and keyfile specified

main: TLS init def ctx failed: -1

Being a newbie, I think it's entirely possible that I messed something up (I have a concern that I did the ldapmodify step from the instructions above wrong), but I don't know how to undo what I've done. I can't start ldapmodify because the server is down. So I have two questions:

  1. What could be causing this error?
  2. How can I get back to my previously working (but no SSL) version of OpenLDAP?

Note: I am not a *nix admin and was only trying to get an SSL version of OpenLDAP to test my app against. So please talk slowly and use big words!

quanta
pandoh

3 Answers


I don't have access to my openldap server right now, but I'm pretty sure you can change this directly in the fancy new slapd.d/ directory, even though it is not recommended.

See what you get when you run (assuming this is the directory containing your slapd configuration) this:

grep -R olcTLS /etc/openldap/slapd.d

According to the above instructions:

If you run into troubles with the server not starting, check /var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, it is likely there is a configuration problem. Check that the certificate is signed by the authority in the files configured, and that the ssl-cert group has read permissions on the private key.

quanta

Ran into the same error myself, used @fluffywhite's answer, grep -R olcTLS /etc/openldap/slapd.d, and found the ldap server was using a different CA file, and the CA in that file had expired.

olcTLSCACertificateFile had the path to the CA file slapd was using.

Replaced the CA file with the correct cacert.pem, and slapd started successfully.

davenpcj
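The checks that the answers above boil down to, fluffywhite's grep for the olcTLS attributes and davenpcj's expired CA, as an added example that is not part of this thread and not OpenLDAP's own tooling: a POSIX shell script that reads the olcTLS* attributes out of a slapd.d LDIF file and reports the three conditions that produce these errors, an olcTLSCertificateFile without a matching olcTLSCertificateKeyFile (the "only one of certfile and keyfile specified" message from the question), a private key the ssl-cert group cannot read, and a CA certificate that has already expired. The `tls_attr`/`check_*` function names, the constructed LDIF, and the temporary file paths are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical slapd.d TLS checker (example code, not part of OpenLDAP).
# It only reads the cn=config LDIF; it never edits it.

# Print the first value of one olcTLS attribute in an LDIF file (empty if absent).
tls_attr() {
    # $1 = attribute name, $2 = LDIF file
    sed -n "s/^$1: *//p" "$2" | head -n 1
}

# slapd refuses to start when exactly one of certfile/keyfile is set.
# Returns 0 when both or neither are set, 1 (with a diagnostic) otherwise.
check_cert_key_pair() {
    cert=$(tls_attr olcTLSCertificateFile "$1")
    key=$(tls_attr olcTLSCertificateKeyFile "$1")
    if [ -n "$cert" ] && [ -z "$key" ]; then
        echo "olcTLSCertificateFile is set but olcTLSCertificateKeyFile is missing" >&2
        return 1
    fi
    if [ -z "$cert" ] && [ -n "$key" ]; then
        echo "olcTLSCertificateKeyFile is set but olcTLSCertificateFile is missing" >&2
        return 1
    fi
    return 0
}

# The private key must exist and carry the group read bit; when a group name is
# given (ssl-cert on Ubuntu), the file must also belong to that group.
# $1 = LDIF file, $2 = expected group ("" skips the group-name comparison)
check_key_readable() {
    ldif=$1; want_group=$2
    key=$(tls_attr olcTLSCertificateKeyFile "$ldif")
    [ -n "$key" ] || return 0                       # no key configured: nothing to check
    [ -f "$key" ] || { echo "key file $key does not exist" >&2; return 1; }
    set -- $(ls -ld "$key")                         # $1 = permission bits, $4 = group
    perms=$1; have_group=$4
    case $perms in
        ????r*) ;;                                  # 5th character is the group read bit
        *) echo "key file $key is not group-readable ($perms)" >&2; return 1 ;;
    esac
    if [ -n "$want_group" ] && [ "$have_group" != "$want_group" ]; then
        echo "key file $key belongs to group $have_group, expected $want_group" >&2
        return 1
    fi
    return 0
}

# The CA file must exist and, if openssl is installed, must not have expired.
check_ca_valid() {
    ca=$(tls_attr olcTLSCACertificateFile "$1")
    [ -n "$ca" ] || return 0
    [ -f "$ca" ] || { echo "CA file $ca does not exist" >&2; return 1; }
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping expiry check for $ca" >&2
        return 0
    fi
    # -checkend 0 exits non-zero once the notAfter date has passed
    openssl x509 -checkend 0 -noout -in "$ca" >/dev/null 2>&1 ||
        { echo "CA certificate $ca has expired" >&2; return 1; }
}

# Run all three checks; returns 1 if any of them failed.
check_slapd_tls() {
    rc=0
    check_cert_key_pair "$1" || rc=1
    check_key_readable "$1" "$2" || rc=1
    check_ca_valid "$1" || rc=1
    return $rc
}

# Demo on a constructed LDIF that reproduces the broken state from the question:
# a certificate file is configured, but no key file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.ldif" <<EOF
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: $demo_dir/cacert.pem
olcTLSCertificateFile: $demo_dir/ldap01_slapd_cert.pem
EOF
if check_slapd_tls "$demo_dir/config.ldif" ""; then
    echo "TLS configuration looks consistent"
else
    echo "TLS configuration has problems (see the messages above)"
fi
rm -rf "$demo_dir"
```

Run it against a real installation with `check_slapd_tls /etc/ldap/slapd.d/cn=config.ldif ssl-cert` (the Ubuntu path; the answers above use /etc/openldap/slapd.d). It reads the same file that `grep -R olcTLS` would find, so the fix for the question's error is still made with ldapmodify against cn=config once both attributes are known, or, following the first answer, by restoring the previous cn=config.ldif if no TLS is wanted yet.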