Subject: openldap cannot start

CentOS 7: after updating to kernel-3.10.0-862.el7.x86_64, slapd can no longer start.
# systemctl status slapd.service -l

● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 四 2018-05-10 19:06:02 CST; 1h 53min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 4007 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 3998 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)

 5月 10 19:06:02 mail.mydomain.com runuser[4001]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
 5月 10 19:06:02 mail.mydomain.com runuser[4001]: pam_unix(runuser:session): session closed for user ldap
 5月 10 19:06:02 mail.mydomain.com slapd[4007]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $
                                                         mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
 5月 10 19:06:02 mail.mydomain.com slapd[4007]: main: TLS init def ctx failed: -1
 5月 10 19:06:02 mail.mydomain.com slapd[4007]: slapd stopped.
 5月 10 19:06:02 mail.mydomain.com slapd[4007]: connections_destroy: nothing to destroy.
 5月 10 19:06:02 mail.mydomain.com systemd[1]: slapd.service: control process exited, code=exited status=1
 5月 10 19:06:02 mail.mydomain.com systemd[1]: Failed to start OpenLDAP Server Daemon.
 5月 10 19:06:02 mail.mydomain.com systemd[1]: Unit slapd.service entered failed state.
 5月 10 19:06:02 mail.mydomain.com systemd[1]: slapd.service failed.

/var/log/openldap.log 

May 10 18:24:09 mail slapd[19840]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openld44/openldap-2.4.44/servers/slapd
May 10 18:24:09 mail slapd[19840]: slapd starting
May 10 18:24:11 mail slapd[19840]: conn=1000 fd=8 ACCEPT from PATH=/tmp/tmp.8ODsyGsYuv/socket (PATH=/tmp/tmp.8ODsyGsYuv/socket)
May 10 18:24:11 mail slapd[19840]: conn=1000 op=0 BIND dn="" method=163
May 10 18:24:11 mail slapd[19840]: conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=d,cn=external,cn=auth"
May 10 18:24:11 mail slapd[19840]: conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 10 18:24:11 mail slapd[19840]: conn=1000 op=0 RESULT tag=97 err=0 text=
May 10 18:24:11 mail slapd[19840]: conn=1000 op=1 ADD dn="cn=temporary"
May 10 18:24:11 mail slapd[19840]: conn=1000 op=1 RESULT tag=105 err=0 text=
May 10 18:24:11 mail slapd[19840]: conn=1000 op=2 UNBIND
May 10 18:24:11 mail slapd[19840]: conn=1000 fd=8 closed
May 10 18:24:11 mail slapd[19840]: conn=1001 fd=8 ACCEPT from PATH=/tmp/tmp.8ODsyGsYuv/socket (PATH=/tmp/tmp.8ODsyGsYuv/socket)
May 10 18:24:11 mail slapd[19840]: conn=1001 op=0 BIND dn="" method=163
May 10 18:24:11 mail slapd[19840]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=d,cn=external,cn=auth"
May 10 18:24:11 mail slapd[19840]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 10 18:24:11 mail slapd[19840]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 10 18:24:11 mail slapd[19840]: conn=1001 op=1 SRCH base="cn=schema,cn=config,cn=temporary" scope=2 deref=0 filter="(&(olcObjectClasses=*'pwdpolicy'*)(!(otClasses=*'pwdpolicy'*'pwdmaxrecordedfailure'*))(!(olcAttributeTypes=*'pwdmaxrecordedfailure'*)))"
May 10 18:24:11 mail slapd[19840]: conn=1001 op=1 SRCH attr=dn olcObjectClasses
May 10 18:24:11 mail slapd[19840]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 10 18:24:11 mail slapd[19840]: conn=1001 op=2 UNBIND
May 10 18:24:11 mail slapd[19840]: conn=1001 fd=8 closed
May 10 18:24:11 mail slapd[19840]: daemon: shutdown requested and initiated.
May 10 18:24:11 mail slapd[19840]: slapd shutdown: waiting for 0 operations/tasks to finish
May 10 18:24:11 mail slapd[19840]: slapd stopped.
May 10 18:24:11 mail slapd[32729]: daemon: shutdown requested and initiated.
May 10 18:24:11 mail slapd[32729]: slapd shutdown: waiting for 0 operations/tasks to finish
May 10 18:24:11 mail slapd[32729]: slapd stopped.

This was with loglevel 2; changing it to loglevel 128 gives the same log content.
After that, the following keeps appearing:
May 10 18:24:12 mail slapd[19873]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openld44/openldap-2.4.44/servers/slapd
May 10 18:24:12 mail slapd[19873]: main: TLS init def ctx failed: -1
May 10 18:24:12 mail slapd[19873]: slapd stopped.
May 10 18:24:12 mail slapd[19873]: connections_destroy: nothing to destroy.

maillog

May 10 18:25:01 mail postfix/pickup[17470]: C2FB7C0000120: uid=0 from=<Fail2ban_Mail@mydomain.com>
May 10 18:25:01 mail postfix/proxymap[19761]: warning: dict_ldap_connect: Unable to bind to server ldap://127.0.0.1:389 with dn cn=vmail,dc=mydomain,dc=com: -1 (Can't contact LDAP server)
May 10 18:25:01 mail postfix/cleanup[19758]: warning: proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf lookup error for "Fail2ban_Mail@mydomain.com"
May 10 18:25:01 mail postfix/cleanup[19758]: warning: C2FB7C0000120: sender_bcc_maps lookup problem
May 10 18:25:01 mail postfix/pickup[17470]: warning: maildrop/B896CD1C4AC34: error writing C2FB7C0000120: queue file write error

# postqueue -p showed more than 500 mails stuck in the queue; I have already deleted them.

/etc/openldap/slapd.conf (20170703) had already been changed by me to:

##TLSCACertificateFile /etc/pki/tls/certs/iRedMail.crt
#TLSCACertificateFile /etc/pki/tls/certs/fullchain.pem
#TLSCertificateFile /etc/pki/tls/certs/iRedMail.crt
#TLSCertificateKeyFile /etc/pki/tls/private/iRedMail.key

TLSCACertificateFile /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
TLSCertificateFile /etc/letsencrypt/live/mail.mydomain.com/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/mail.mydomain.com/privkey.pem

Re: openldap cannot start

I followed https://docs.iredmail.org/backup.restore.html
and restored again; it still cannot start.

Thanks.

Re: openldap cannot start

On another VM, after running yum update, the situation is the same.
Does anyone have the same problem as me?

Re: openldap cannot start

openldap.log

May 12 10:58:28 mx slapd[79706]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 12 10:58:28 mx slapd[79706]: slapd starting
May 12 10:58:30 mx slapd[79706]: conn=1000 fd=8 ACCEPT from PATH=/tmp/tmp.mo1zcywvJn/socket (PATH=/tmp/tmp.mo1zcywvJn/socket)
May 12 10:58:30 mx slapd[79706]: conn=1000 op=0 BIND dn="" method=163
May 12 10:58:30 mx slapd[79706]: conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
May 12 10:58:30 mx slapd[79706]: conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 12 10:58:30 mx slapd[79706]: conn=1000 op=0 RESULT tag=97 err=0 text=
May 12 10:58:30 mx slapd[79706]: conn=1000 op=1 ADD dn="cn=temporary"
May 12 10:58:30 mx slapd[79706]: conn=1000 op=1 RESULT tag=105 err=0 text=
May 12 10:58:30 mx slapd[79706]: conn=1000 op=2 UNBIND
May 12 10:58:30 mx slapd[79706]: conn=1000 fd=8 closed
May 12 10:58:30 mx slapd[79706]: conn=1001 fd=8 ACCEPT from PATH=/tmp/tmp.mo1zcywvJn/socket (PATH=/tmp/tmp.mo1zcywvJn/socket)
May 12 10:58:30 mx slapd[79706]: conn=1001 op=0 BIND dn="" method=163
May 12 10:58:30 mx slapd[79706]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
May 12 10:58:30 mx slapd[79706]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 12 10:58:30 mx slapd[79706]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 12 10:58:30 mx slapd[79706]: conn=1001 op=1 SRCH base="cn=schema,cn=config,cn=temporary" scope=2 deref=0 filter="(&(olcObjectClasses=*'pwdpolicy'*)(!(olcObjectClasses=*'pwdpolicy'*'pwdmaxrecordedfailure'*))(!(olcAttributeTypes=*'pwdmaxrecordedfailure'*)))"
May 12 10:58:30 mx slapd[79706]: conn=1001 op=1 SRCH attr=dn olcObjectClasses
May 12 10:58:30 mx slapd[79706]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 12 10:58:31 mx slapd[79706]: conn=1001 op=2 UNBIND
May 12 10:58:31 mx slapd[79706]: conn=1001 fd=8 closed
May 12 10:58:31 mx slapd[79706]: daemon: shutdown requested and initiated.
May 12 10:58:31 mx slapd[79706]: slapd shutdown: waiting for 0 operations/tasks to finish
May 12 10:58:31 mx slapd[79706]: slapd stopped.
May 12 10:58:32 mx slapd[79735]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

Re: openldap cannot start

I restored the VM and compared the differences between the two machines:
Faulty machine
Extra files:
/etc/openldap/slapd.d/cn=config/cn=module{0}.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={1}mdb
/etc/openldap/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={0}syncprov.ldif
/usr/lib/debug/usr/sbin/sogo-slapd-sockd.debug
Missing:
/etc/systemd/system/multi-user.target.wants/slapd.service

Missing: after running ln -s to recreate it, it still does not work.

Extra: these should be the ldif data generated when replication was set up earlier between the physical machine and the VM.
But by the time of the yum update, that had long been switched off and was no longer syncing.
That was a test from last year; since then yum update has been run at least once with a kernel update.
So the problem should not be this either.

While yum update was running, user mailbox mail was being moved:
using TB, moving a POP account into the mailbox of an IMAP account.
After the update finished, slapd was found not to be running. Could this have caused slapd to fail to start?

Re: openldap cannot start

I found the problem, but I had already torn down the original mail server!!!
It was caused by letsencrypt.

Installation steps:

mv /etc/pki/tls/private/iRedMail.key /etc/pki/tls/private/iRedMail.key.bak
mv /etc/pki/tls/certs/iRedMail.crt   /etc/pki/tls/certs/iRedMail.crt.bak


ln -s /etc/letsencrypt/live/mail.mydomain.com/privkey.pem   /etc/pki/tls/private/iRedMail.key
ln -s /etc/letsencrypt/live/mail.mydomain.com/cert.pem  /etc/pki/tls/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem  /etc/pki/tls/certs/fullchain.pem

/etc/openldap/slapd.conf

#TLSCACertificateFile /etc/pki/tls/certs/iRedMail.crt
TLSCACertificateFile /etc/pki/tls/certs/fullchain.pem
TLSCertificateFile /etc/pki/tls/certs/iRedMail.crt
TLSCertificateKeyFile /etc/pki/tls/private/iRedMail.key

/etc/openldap/ldap.conf

#TLS_CACERT /etc/pki/tls/certs/iRedMail.crt.bak
TLS_CACERT /etc/pki/tls/certs/fullchain.pem

openldap does not use the letsencrypt certificate.

In slapd.conf, I changed back to the iRedMail.key.bak and iRedMail.crt.bak that were just moved aside with mv.

Whatever the correct setting for openldap is, the log below no longer appears:

May 16 18:32:49 mail slapd[6690]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 16 18:32:49 mail slapd[6690]: main: TLS init def ctx failed: -1
May 16 18:32:49 mail slapd[6690]: slapd stopped.
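
"TLS init def ctx failed: -1" does not say which file slapd could not open. As an added check (not from the thread, OpenLDAP or iRedMail), the script below reads the three TLS*File directives from a slapd.conf and reports each path the calling user cannot read; run it as the ldap account (for example with runuser -u ldap) to see slapd's view, since a 0700 directory on the Let's Encrypt symlink path blocks the read as much as the file mode does.

```shell
#!/bin/sh
# Added example (not from the thread): list the TLS files slapd.conf tells slapd to load and
# report the ones the caller cannot open. Assumptions: slapd.conf-style directives, and the
# script is run as the service account, e.g.
#   runuser -u ldap -- sh check_tls_files.sh /etc/openldap/slapd.conf
set -u

# Print the path arguments of the three TLS file directives. Commented-out lines such as
# "#TLSCACertificateFile ..." have a different first field and are skipped.
tls_paths() {
    awk '$1 == "TLSCACertificateFile" || $1 == "TLSCertificateFile" ||
         $1 == "TLSCertificateKeyFile" { print $2 }' "$1"
}

# Return 0 when every configured path is a regular file the caller can read. test -r follows
# symlinks, so it also fails when a directory on the way (e.g. /etc/letsencrypt/live) is closed.
check_tls_files() {
    conf="$1"
    bad=0
    for p in $(tls_paths "$conf"); do
        if [ -f "$p" ] && [ -r "$p" ]; then
            echo "ok         $p -> $(readlink -f "$p")"
        else
            echo "UNREADABLE $p (as uid $(id -u))" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Check the config given on the command line, if any.
if [ $# -gt 0 ]; then
    check_tls_files "$1"
fi
```

Note that root can read anything, so the result only means something when the script runs under the uid slapd drops to (-u ldap in the unit file above).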

Re: openldap cannot start

rain6966 wrote:

openldap does not use the letsencrypt certificate.

Thinking about it afterwards, that is probably not a good approach.

After searching Google, I adopted the steps below; could the moderator (or the experts here) please help and point out what needs correcting:

1). # Add a group and put the ldap user into the ssl-cert group

useradd  ssl-cert
chown root:ssl-cert -R /etc/letsencrypt/{live,archive}
chmod 0650 -R /etc/letsencrypt/{live,archive}
usermod -a -G ssl-cert ldap

2). # Force renewal

/etc/letsencrypt/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --force-renewal

# The permissions got changed
ll /etc/letsencrypt/archive/mail.mydomain.com/
總計 32

-rw-r-x---. 1 root ssl-cert 2163  5月 16 18:21 cert1.pem
-rw-r--r--. 1 root root     2159  5月 21 16:49 cert2.pem
-rw-r-x---. 1 root ssl-cert 1647  5月 16 18:21 chain1.pem
-rw-r--r--. 1 root root     1647  5月 21 16:49 chain2.pem
-rw-r-x---. 1 root ssl-cert 3810  5月 16 18:21 fullchain1.pem
-rw-r--r--. 1 root root     3806  5月 21 16:49 fullchain2.pem
-rw-r-x---. 1 root ssl-cert 1708  5月 16 18:21 privkey1.pem
-rw-r--r--. 1 root root     1704  5月 21 16:49 privkey2.pem

3). # Use --deploy-hook to fix the permissions

chmod 0650 -R /etc/letsencrypt/renewal-hooks/deploy 

# New file: ssl-cert.sh

#!/bin/sh
chown root:ssl-cert /etc/letsencrypt/archive/mail.mydomain.com/*
chmod 0650 /etc/letsencrypt/archive/mail.mydomain.com/*

# Regenerate

/etc/letsencrypt/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --force-renewal --deploy-hook  /etc/letsencrypt/renewal-hooks/deploy/ssl-cert.sh

4). # Change the cron job

#10  1 * * 1 /etc/letsencrypt/certbot  renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

10  1 * * 1 /etc/letsencrypt/certbot  renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"  --deploy-hook  /etc/letsencrypt/renewal-hooks/deploy/ssl-cert.sh
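
Steps 1) to 4) above, folded into one deploy hook as an added example (not from the thread, certbot or iRedMail). It assumes the group is named ssl-cert with the ldap user in it and relies on certbot exporting RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) to deploy hooks; it uses 0640 rather than 0650 (a PEM file needs no execute bit, and the listing above shows privkey2.pem left world-readable) and restarts slapd, which only loads its TLS files at startup.

```shell
#!/bin/sh
# Added example (not from the thread, certbot or iRedMail): a certbot --deploy-hook that makes
# the renewed Let's Encrypt files group-readable for slapd and then restarts slapd.
# Assumptions: group "ssl-cert" exists with the ldap user in it (groupadd ssl-cert;
# usermod -aG ssl-cert ldap), and certbot exports RENEWED_LINEAGE to the hook.
set -eu

CERT_GROUP="${CERT_GROUP:-ssl-cert}"

# Directory 0750, files 0640: the service account needs traverse + read only, so no execute
# bit on PEM files and nothing for "other" (the listing above showed a 0644 privkey2.pem).
fix_cert_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo "fix_cert_perms: no such directory: $dir" >&2; return 1; }
    # chown needs root and the group; otherwise (e.g. an unprivileged test run) only fix modes
    if [ "$(id -u)" -eq 0 ] && getent group "$CERT_GROUP" >/dev/null 2>&1; then
        chown "root:$CERT_GROUP" "$dir"
    fi
    chmod 0750 "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue   # symlinks in live/ are followed; subdirectories are skipped
        chmod 0640 "$f"
        if [ "$(id -u)" -eq 0 ] && getent group "$CERT_GROUP" >/dev/null 2>&1; then
            chown "root:$CERT_GROUP" "$f"
        fi
    done
}

# Octal mode of a path (GNU/busybox stat), used for the checks.
mode_of() {
    stat -c %a "$1"
}

# Hook entry point: only acts when certbot invoked us, i.e. RENEWED_LINEAGE is set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(basename "$RENEWED_LINEAGE")
    for d in /etc/letsencrypt/live /etc/letsencrypt/archive \
             "$RENEWED_LINEAGE" "/etc/letsencrypt/archive/$name"; do
        fix_cert_perms "$d"
    done
    # slapd loads its TLS files only at startup, so the renewed certificate is not served
    # until the service is restarted
    systemctl restart slapd
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/ssl-cert.sh (mode 0750, owned by root) and certbot runs it only after a successful renewal, so the cron line needs no extra --deploy-hook argument.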

Re: openldap cannot start

Using letsencrypt with OpenLDAP is OK. The issue is that after every renew you must restart openldap; does that affect your mail services? If not, then there is no problem.

For OpenLDAP as a service used only on localhost, not having to restart it every 3 months is probably better. Of course, that entirely depends on your own needs.

Re: openldap cannot start

Thanks to the moderator for the reply and the reminder.

openldap needs to be restarted after a renew; I had not noticed that point.