A while ago we ran into an issue with an incorrect checksum in an OpenLDAP ldif file. This means that someone has hand-edited the file and caused the checksum to change without updating the checksum itself. There is a nice warning in the file, but of course we as sysadmins know better than to read warnings :-/

[root@auth01 ~]# service slapd start
Checking configuration files for slapd:                    [WARNING]
57b5d8d1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config.ldif"
config file testing succeeded
Starting slapd:

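The fix is to replace the incorrect checksum with a new one. Strip the comment lines from the file, compute the CRC32 of what remains, and put that value on the "# CRC32" line.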

yum install perl-Archive-Zip
grep -v '^#' /etc/openldap/slapd.d/cn\=config.ldif > /tmp/cleaned.ldif
crc32 /tmp/cleaned.ldif

The top of the file should look like this.

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 57b5d89c
dn: cn=config
objectClass: olcGlobal
cn: config
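
As an added example (not part of the original post), this Python sketch checks the stored CRC32 against the file body and can regenerate the header. It assumes the checksum is the standard CRC-32 that the crc32 utility above prints, taken over the file with its '#' lines removed as the grep above does; the function names and the sample entry are constructed for illustration.

```python
import re
import sys
import zlib

BANNER = b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
CRC_LINE = re.compile(rb"^# CRC32 ([0-9a-fA-F]{8})\s*$")

def split_ldif(raw):
    """Return (stored CRC or None, body with '#' lines dropped, like grep -v '^#')."""
    stored, body = None, []
    for line in raw.splitlines(keepends=True):
        if line.startswith(b"#"):
            m = CRC_LINE.match(line)
            if m and stored is None:
                stored = int(m.group(1), 16)
            continue
        body.append(line)
    return stored, b"".join(body)

def check(raw):
    """Return (stored, computed, ok); ok is False when the header is missing or stale."""
    stored, body = split_ldif(raw)
    computed = zlib.crc32(body) & 0xFFFFFFFF
    return stored, computed, stored == computed

def rewrite_header(raw):
    """Return the file contents with a freshly computed CRC32 header."""
    _, body = split_ldif(raw)
    return BANNER + b"# CRC32 %08x\n" % (zlib.crc32(body) & 0xFFFFFFFF) + body

# Constructed sample entry (assumption), not a real cn=config.ldif.
SAMPLE = b"dn: cn=config\nobjectClass: olcGlobal\ncn: config\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # check a real file, read-only
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                      # demo: simulate a hand edit
        data = rewrite_header(SAMPLE).replace(
            b"cn: config\n", b"cn: config\nolcLogLevel: stats\n")
    stored, computed, ok = check(data)
    print("stored=%s computed=%08x %s" % (
        "none" if stored is None else "%08x" % stored, computed,
        "OK" if ok else "MISMATCH"))
    sys.exit(0 if ok else 1)
```

Run with a path to check a file without modifying it; the non-zero exit status on a mismatch makes it usable from a cron job or a configuration-management check.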

To prevent this issue in the future, make changes through slapd with something like ldapvi instead of editing the files by hand.

ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config

ldapvi -h ldapi:/// -Y EXTERNAL -b dc=example,dc=com

For troubleshooting, run slapd in the foreground with debug output.

slapd -h ldaps://0.0.0.0:1636/ -F /etc/openldap/slapd.d/ -u ldap -d7

From another terminal, connect and print the certificate the server presents.

echo '' | openssl s_client -showcerts -connect 0.0.0.0:1636 | openssl x509 -text