Openldap fix a incorrect checksum

· Read in about 1 min · (186 words)

A while ago we ran into an issue with an incorrect checksum in a openldap ldif file. This means that someone has hand edited the file and caused the checksum to change without updating the checksum itself. There is a nice warning in the file but of course we as sysadmins know better that to read warnings :-/

[[email protected] ~]# service slapd start
Checking configuration files for slapd:                    [WARNING]
57b5d8d1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config.ldif"
config file testing succeeded
Starting slapd:

The fix is to remove the incorrect data and replace it with a new checksum.

yum install perl-Archive-Zip
grep -v '^#' /etc/openldap/slapd.d/cn\=config.ldif > /tmp/cleaned.ldif
crc32  /tmp/cleaned.ldif

The top of the file should look like this.

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 57b5d89c
dn: cn=config
objectClass: olcGlobal
cn: config

To prevent this issue in the future you should use something like ldapvi.

ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config

ldapvi -h ldapi:/// -Y EXTERNAL -b dc=example,dc=com

Troubleshooting run in foreground.

slapd -h ldaps://0.0.0.0:1636/ -F /etc/openldap/slapd.d/ -u ldap -d7

From another terminal.

echo '' | openssl s_client -showcerts -connect 0.0.0.0:1636|openssl x509 -text