> Okay, hm. Can you try this, preferably with daemontools:
>
>     /usr/bin/setuidgid openldap /bin/cat </path/to/certs/certfiles>
>
> for every cert you believe the server should be able to read. It really
> seems like the "openldap" user/group doesn't have permission to
> something that it should.
I don't have daemontools on this system, but I temporarily changed the shell
for the openldap user from /bin/false to /bin/bash and then su'd to openldap.

    $ id
    uid=100(openldap) gid=121(openldap) groups=121(openldap)

Certificate Authority public cert was successful:

    $ /bin/cat /etc/ssl/certs/misumasu.dyndns.org_CA.pem
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

LDAP server public cert was successful:

    $ /bin/cat /etc/ssl/certs/ldap.misumasu.dyndns.org.pem
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

LDAP server private key cert was successful:

    $ /bin/cat /etc/ldap/private/ldap.misumasu.dyndns.org.pem
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

The PID file and args files used by Debian were accessible:

    /var/run/slapd/slapd.pid
    /var/run/slapd/slapd.args

And all the database files were accessible:

    $ ls -l /var/lib/ldap/
    total 1852
    -rw-r--r-- 1 openldap openldap      96 Aug  5 21:30 DB_CONFIG
    -rw------- 1 openldap openldap    8192 Aug  5 21:30 __db.001
    -rw------- 1 openldap openldap 2629632 Aug  5 21:30 __db.002
    -rw------- 1 openldap openldap   98304 Aug  5 21:30 __db.003
    -rw------- 1 openldap openldap  868352 Aug  5 21:30 __db.004
    -rw------- 1 openldap openldap   24576 Aug  5 21:30 __db.005
    -rw-r--r-- 1 openldap openldap    2048 Aug  8 22:40 alock
    -rw------- 1 openldap openldap   16384 Aug  8 22:15 cn.bdb
    -rw------- 1 openldap openldap   16384 Aug  5 23:55 displayName.bdb
    -rw------- 1 openldap openldap   16384 Aug  8 22:40 dn2id.bdb
    -rw------- 1 openldap openldap    8192 Aug  8 22:39 gidNumber.bdb
    -rw------- 1 openldap openldap   65536 Aug  8 22:40 id2entry.bdb
    -rw------- 1 openldap openldap  817172 Aug  8 22:40 log.0000000001
    -rw------- 1 openldap openldap    8192 Aug  8 22:39 memberUid.bdb
    -rw------- 1 openldap openldap    8192 Aug  8 22:39 objectClass.bdb
    -rw------- 1 openldap openldap    8192 Aug  8 22:39 sambaDomainName.bdb
    -rw------- 1 openldap openldap    8192 Aug  5 23:55 sambaPrimaryGroupSID.bdb
    -rw------- 1 openldap openldap    8192 Aug  8 22:39 sambaSID.bdb
    -rw------- 1 openldap openldap    8192 Aug  5 23:55 sn.bdb
    -rw------- 1 openldap openldap    8192 Aug  8 22:39 uid.bdb
    -rw------- 1 openldap openldap    8192 Aug  8 22:39 uidNumber.bdb
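Added example, not from this thread: a small POSIX sh script that performs the readability check the earlier reply asked for without changing the account's shell or switching users, by reading each file's owner, group and mode with GNU stat, and that also flags a private key readable by "other". The account name and paths are placeholders; `low3`, `can_read`, `key_exposed` and `check_files` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: decide from owner/group/mode bits alone
# whether a service account (here "openldap") could read each file slapd needs,
# and flag a private key that "other" can read. Assumes POSIX sh and GNU stat.
# Only the file's own bits are consulted: directory traversal and ACLs are not.

# low3 MODE: print MODE (as printed by stat %a) as exactly three octal digits
low3() { m=$(printf '%03d' "$1"); printf '%s' "${m#"${m%???}"}"; }

# can_read USER PATH: 0 if USER can read PATH, 1 if not, 2 if user/path unknown
can_read() {
    user=$1 path=$2
    [ -e "$path" ] || return 2
    uid=$(id -u "$user" 2>/dev/null) || return 2
    [ "$uid" -eq 0 ] && return 0                     # root ignores mode bits
    owner=$(stat -c %u "$path") fgid=$(stat -c %g "$path")
    mode=$(low3 "$(stat -c %a "$path")")
    if [ "$uid" -eq "$owner" ]; then
        bits=${mode%??}                              # owner digit
    else
        case " $(id -G "$user") " in
            *" $fgid "*) bits=${mode#?}; bits=${bits%?} ;;   # group digit
            *)           bits=${mode#??} ;;                  # other digit
        esac
    fi
    [ $((bits & 4)) -ne 0 ]
}

# key_exposed PATH: 0 if "other" has read permission on PATH
key_exposed() {
    mode=$(low3 "$(stat -c %a "$1")")
    other=${mode#??}
    [ $((other & 4)) -ne 0 ]
}

# check_files USER PATH...: print one line per file; return 1 if anything is wrong
check_files() {
    user=$1; shift; rc=0
    for f in "$@"; do
        if can_read "$user" "$f"; then s="readable by $user"
        else s="NOT readable by $user"; rc=1; fi
        case $f in */private/*)                 # treat private/ as key material
            if key_exposed "$f"; then s="$s, but WORLD-READABLE"; rc=1; fi ;;
        esac
        printf '%s: %s\n' "$f" "$s"
    done
    return $rc
}
# check_files openldap /etc/ssl/certs/<CA>.pem /etc/ldap/private/<server>.pem
```

When this mode-bit answer disagrees with what the daemon actually does, the setuidgid or su test from the thread remains the ground truth, since it also exercises parent-directory permissions and ACLs.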