A while ago we ran into an issue with an incorrect checksum in an OpenLDAP LDIF file (the cn=config backend under /etc/openldap/slapd.d). This means that someone hand-edited the file, which changed its content without updating the checksum stored in the header. There is a nice warning at the top of the file, but of course we as sysadmins know better than to read warnings :-/
# service slapd start
Checking configuration files for slapd:                    [WARNING]
57b5d8d1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config.ldif"
config file testing succeeded
Starting slapd:
The fix is to recompute the CRC32 over the file content (everything except the comment lines) and put the new value into the "# CRC32" header line in place of the stale one. Note that the eight hex digits printed in front of ldif_read_file are slapd's log timestamp, not the checksum it expected; the warning does not tell you either value, so you have to compute it yourself.
yum install perl-Archive-Zip
grep -v '^#' /etc/openldap/slapd.d/cn\=config.ldif > /tmp/cleaned.ldif
crc32 /tmp/cleaned.ldif

crc32 is a small script shipped with perl-Archive-Zip on RHEL/CentOS. The grep drops the comment lines (the AUTO-GENERATED and CRC32 headers), because they are not part of what gets checksummed; everything else, including the newline on each line, is.
Put the value crc32 printed into the CRC32 line. The top of the file should then look like this (with your own value in place of the one shown):

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 57b5d89c
dn: cn=config
objectClass: olcGlobal
cn: config
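The same check and repair as a script, added here as an example (it is not from the original post and not part of OpenLDAP). It follows the post's recipe exactly: strip every line starting with '#', CRC32 what is left, and compare with the "# CRC32" header. That this is byte-for-byte what slapd's ldif_read_file checksums is an assumption taken from the recipe; the --write flag and the function names are this example's own.

```python
"""Check and repair the CRC32 header of an OpenLDAP slapd.d LDIF file.

Added example, not from the original post. It follows the post's recipe
(strip every line beginning with '#', CRC32 the rest); that this matches
exactly what slapd's ldif_read_file checksums is an assumption.
"""
import re
import sys
import zlib
from typing import Optional, Tuple

# The header slapd writes, e.g. "# CRC32 57b5d89c"
CRC_LINE = re.compile(r"^# CRC32 ([0-9a-fA-F]{8})\s*$")


def compute_crc(ldif_text: str) -> str:
    """CRC32 of the file with all comment lines removed, as 8 lowercase hex digits.

    Newlines on the kept lines are part of the checksummed data, so this is the
    same value as `grep -v '^#' file | crc32` from the post.
    """
    body = "".join(
        line for line in ldif_text.splitlines(keepends=True)
        if not line.startswith("#")
    )
    return "%08x" % (zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF)


def stored_crc(ldif_text: str) -> Optional[str]:
    """Value from the '# CRC32 xxxxxxxx' header, or None if there is no header."""
    for line in ldif_text.splitlines():
        m = CRC_LINE.match(line)
        if m:
            return m.group(1).lower()
    return None


def check(ldif_text: str) -> Tuple[bool, Optional[str], str]:
    """(matches?, stored value, computed value). A missing header counts as a mismatch."""
    stored = stored_crc(ldif_text)
    computed = compute_crc(ldif_text)
    return (stored == computed, stored, computed)


def repair(ldif_text: str) -> str:
    """Return the text with the CRC32 header set to the computed value.

    Only the header line changes. If there is no header at all, one is inserted
    after the AUTO-GENERATED comment (or at the top if that is missing too).
    """
    computed = compute_crc(ldif_text)
    lines = ldif_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if CRC_LINE.match(line):
            lines[i] = "# CRC32 %s\n" % computed
            return "".join(lines)
    header = "# CRC32 %s\n" % computed
    if lines and lines[0].startswith("# AUTO-GENERATED"):
        lines.insert(1, header)
    else:
        lines.insert(0, header)
    return "".join(lines)


def main(argv: list) -> int:
    # Hypothetical CLI for this example: check by default, rewrite with --write.
    if len(argv) not in (2, 3) or (len(argv) == 3 and argv[1] != "--write"):
        print("usage: %s [--write] /etc/openldap/slapd.d/cn=config.ldif" % argv[0])
        return 2
    path = argv[-1]
    with open(path, encoding="utf-8") as f:
        text = f.read()
    ok, stored, computed = check(text)
    print("%s: stored=%s computed=%s %s"
          % (path, stored, computed, "OK" if ok else "MISMATCH"))
    if ok or len(argv) != 3:
        return 0 if ok else 1
    with open(path, "w", encoding="utf-8") as f:
        f.write(repair(text))
    print("rewrote CRC32 header in %s" % path)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file first without --write to see both values; only the header line is rewritten, so the entry itself stays exactly as slapd left it. Stop slapd before writing, since it rewrites these files itself on ldapmodify.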
To prevent this issue in the future, don't edit the files under slapd.d by hand at all. Use ldapmodify, as the header says, or something like ldapvi, which talks to slapd over the ldapi socket and lets slapd rewrite the file and its checksum itself.

ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config
ldapvi -h ldapi:/// -Y EXTERNAL -b dc=example,dc=com

The first edits the server configuration, the second the data tree. -Y EXTERNAL over ldapi:/// authenticates as the local root user via SASL EXTERNAL, which only works if the olcAccess for cn=config grants manage to dn "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" (the default on RHEL/CentOS).
Troubleshooting: run slapd in the foreground.

slapd -h ldaps://0.0.0.0:1636/ -F /etc/openldap/slapd.d/ -u ldap -d7

-F points at the config directory, -u drops privileges to the ldap user, -h limits the listener to LDAPS on a non-standard port (1636 here, so it does not clash with a slapd already on 636), and -d7 enables trace, packets and args debugging (1+2+4). Use -d -1 if you want everything.
From another terminal, check which certificate the listener presents.

echo '' | openssl s_client -showcerts -connect 0.0.0.0:1636 | openssl x509 -noout -text

The trailing openssl x509 parses only the first PEM block, i.e. the server certificate; drop that stage to see the whole chain that -showcerts prints, along with the handshake and verify result. Connecting to 0.0.0.0 works on Linux (it is treated as the local host), but use the real hostname if you want to confirm it matches the certificate's subject or subjectAltName.