新安装 CentOS 6.3,openldap-servers-2.4.23。生成新的证书请求,签署证书,启动 slapd。ldapsearch 对 ldapi:/// 和 ldap:/// 做出响应。但是,只要对 ldaps:/// 发出请求,slapd 进程就会占用所有可用 CPU 并且从不响应。
strace -p -ff 在无限循环中产生以下结果:
[pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21
[pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
[pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704
[pid 5978] close(21) = 0
[pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21
[pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
[pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704
[pid 5978] close(21) = 0
[pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21
[pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
[pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704
[pid 5978] close(21) = 0
[pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21
[pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
[pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704
[pid 5978] close(21) = 0
[pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21
[pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
[pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704
[pid 5978] close(21)
我已经重新生成证书只是为了确保它们没有被损坏,但没有效果。
答案1
搞清楚了。显然,openldap 会根据证书在目录结构中的位置以不同的方式加载证书。如果证书在 /etc/openldap/certs 目录中 - 它会将其视为 MozNSS,之后会完全无法加载任何内容。如果证书在 /etc/pki 中,它会使用 OpenSSL 并顺利加载所有内容。