Re: openldap failing to launch if SSL/TLS enabled. error "main: TLS init def ctx failed: -1" ?
Howard Chu <hyc@symas.com> writes:
> Ben Wailea, openldap-software wrote:
>> msgs crossed in the mail, but seems to be the case.
>> again, any issues/problems running openldap as ldap:root, or root:root?
>> or is it 'better' to just make copies of the certs, chown the copies to
>> ldap:ldap, and live with multiple instances?
> Personally I would put ldap and apache into a group and make the key
> readable to that specific group.
Debian, for example, handles cert management by creating an ssl-cert group
and making private keys of certs in /etc/ssl/certs readable by that group
by default, so you can then add the system users for any software that
needs to read private SSL keys to the ssl-cert group.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
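The group-based key sharing suggested above (a dedicated group, service users added to it, key owned by root with group-read only), as an added shell example that is not part of this thread. It assumes a Linux host with GNU coreutils `stat`; the key path /etc/ssl/private/ldap.key, the group name ssl-cert and the user names openldap and www-data are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU stat (Linux).
# Placeholder values: key path, group name and service user names.
set -u

# Run a privileged command, or just print it when DRY_RUN=1 (the default).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Share one private key with several service users through a group:
# the key stays root-owned, only the group may read it, nothing for "other".
share_key() {
    key=$1; group=$2; shift 2
    run groupadd --system "$group"
    for user in "$@"; do
        run usermod -a -G "$group" "$user"
    done
    run chown "root:$group" "$key"
    run chmod 0640 "$key"
}

# Check a key file against that policy: expected owner (default root),
# expected group, and mode 0640 or tighter (no world bits, no group write).
# Returns 0 when compliant, 1 otherwise, with the reason on stderr.
check_key_perms() {
    key=$1; want_group=$2; want_owner=${3:-root}
    [ -f "$key" ] || { echo "$key: not a regular file" >&2; return 1; }
    set -- $(stat -c '%a %U %G' "$key")
    mode=$(printf '%04d' "$1"); owner=$2; group=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "$key: owner is $owner, expected $want_owner" >&2; return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$key: group is $group, expected $want_group" >&2; return 1
    fi
    case "$mode" in
        0640|0600|0440|0400) return 0 ;;
        *) echo "$key: mode $mode too permissive (want 0640 or tighter)" >&2
           return 1 ;;
    esac
}

# Dry-run of the setup for slapd and apache users (placeholder names).
share_key /etc/ssl/private/ldap.key ssl-cert openldap www-data
```

Run with DRY_RUN=0 as root to apply the commands instead of printing them; `check_key_perms /etc/ssl/private/ldap.key ssl-cert` then verifies the result.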