1

Topic: CentOS 7 Yum Updated OpenLDAP not running anymore

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: centos-release-7-5.1804.el7.centos.2.x86_64
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I am planning to upgrade my iRedMail 0.9.7 to 0.9.8.
Hence, I did a yum update for my CentOS first.
After the yum update completed, I rebooted my CentOS and found that I was unable to log in to both iRedAdmin-Pro and SOGo.
Both websites show an incorrect password.

For your information, I am using a Let's Encrypt SSL cert and followed the iRedMail guidelines to create symbolic links to the above paths.
I was able to use https to browse the iRedAdmin-Pro and SOGo pages, log in, etc. before I did the yum update.


I found that my LDAP service is not running by running 'systemctl status slapd'.
I turned on debug mode (loglevel 256) for OpenLDAP, checked the error code and found this:

Jun 20 22:07:27 testmail2 slapd[14036]: @(#) $OpenLDAP: slapd 2.4.44 (May 16 2018 09:55:53) $#012#011mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Jun 20 22:07:27 testmail2 slapd[14036]: main: TLS init def ctx failed: -1
Jun 20 22:07:27 testmail2 slapd[14036]: slapd stopped.
Jun 20 22:07:27 testmail2 slapd[14036]: connections_destroy: nothing to destroy.

After doing a search in the iRedMail forum, it seems to be related to an SSL cert issue.

I commented out the lines below in slapd.conf, then restarted the slapd service:
# TLS files.
TLSCACertificateFile /etc/pki/tls/certs/iRedMail.crt
TLSCertificateFile /etc/pki/tls/certs/iRedMail.crt
TLSCertificateKeyFile /etc/pki/tls/private/iRedMail.key

The slapd service is active now, and I am able to log in to iRedAdmin-Pro and SOGo.

May I know if it is okay to keep those 3 lines commented out?

Any clue what's going on with my mail server?

Can I proceed to upgrade my iRedMail 0.9.7 to 0.9.8 following the official guidelines?


2

Re: CentOS 7 Yum Updated OpenLDAP not running anymore

misceh wrote:

May I know if it is okay to keep those 3 lines commented out?

It's OK, because no application connects to the LDAP server through a secure connection on the same server.

misceh wrote:

Any clue what's going on with my mail server?

Was the SSL cert file permission changed after the package update? Or was the OpenLDAP config file modified after the package update?

3

Re: CentOS 7 Yum Updated OpenLDAP not running anymore

ZhangHuangbin wrote:
misceh wrote:

May I know if it is okay to keep those 3 lines commented out?

It's OK, because no application connects to the LDAP server through a secure connection on the same server.

misceh wrote:

Any clue what's going on with my mail server?

Was the SSL cert file permission changed after the package update? Or was the OpenLDAP config file modified after the package update?

Hi,

I compared the OpenLDAP config file with my backup; they are the same.
I really don't know what is causing the slapd service to stop working after the yum update.
Anyway, thanks for your reply.
I will continue with the test of the 0.9.8 upgrade.

4 (edited by ensysit 2018-07-23 01:35:34)

Re: CentOS 7 Yum Updated OpenLDAP not running anymore

Hi Zhang,

I am having EXACTLY the same problem. I am using the exact same CentOS 7.5 version and was running 0.9.8 fine since it came out. I just did a YUM UPDATE and afterwards the SLAPD service would not start.

Jul 22 13:12:08 main: TLS init def ctx failed: -1
Jul 22 13:12:08 mail slapd[9056]: slapd destroy: freeing system resources.
Jul 22 13:12:08 mail slapd[9056]: slapd stopped.

I'm using Let's Encrypt so I thought it was a permission on a file, or a folder, or a higher-up folder; I tried everything. I even tried pointing to the specific files instead of the symlinks, no help. I came across this post and tried to REM out the three TLS lines. Then the service started no problem.

Everything seems to be working ok now.

Any idea what's causing this? It's pretty serious, as NO ONE, including the postmaster account, could get e-mail or open the iRedMail Pro console while we were having this issue.

5

Re: CentOS 7 Yum Updated OpenLDAP not running anymore

1: For the OpenLDAP service, if you don't need to allow access from an external network, it's OK not to use an SSL cert (that means no STARTTLS support on port 389, and no SSL on port 636).
2: Make sure the service daemon user/group can access /etc/letsencrypt/live and /etc/letsencrypt/archive/.
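Point 2 can be checked mechanically before restarting slapd. The script below is an added example, not code from this thread or from iRedMail: it reads the TLS*File paths out of a slapd.conf (the three lines quoted earlier), follows each symlink hop the way open(2) does, and reports the first directory or file the slapd daemon user cannot traverse or read. The daemon account name "ldap", the numeric uid/gids and the certbot-style live/ -> archive/ layout mentioned in the comments are assumptions.

```python
"""Added example (not from the thread or iRedMail): can slapd's daemon user read
the TLS files named in slapd.conf?  Symlinks are followed hop by hop as open(2)
does, so a readable link under /etc/pki/tls that points into a 0700
/etc/letsencrypt/live or /archive is reported as that directory.  uid/gids are
the daemon account's numeric ids (assumed "ldap" on CentOS 7); ACLs/SELinux ignored."""
import os
import stat

TLS_KEYS = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")

def tls_files(conf_text):
    """Return {directive: path} for uncommented TLS*File lines in slapd.conf."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_KEYS:  # '# TLS...' never matches
            found[parts[0]] = parts[1].strip()
    return found

def _allowed(st, uid, gids, perm):
    """Classic mode-bit check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & {"r": 4, "x": 1}[perm])

def first_blocked(path, uid, gids, _depth=0):
    """First component the user cannot traverse (x) or read (r); None if all ok."""
    if _depth > 40:                       # symlink loop guard (ELOOP)
        return path
    parts = [p for p in path.split(os.sep) if p]
    cur = os.sep
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)
        except OSError:
            return cur                    # missing file or dangling link
        if stat.S_ISLNK(st.st_mode):      # splice link target + remaining parts
            target = os.path.join(os.path.dirname(cur), os.readlink(cur))  # abs target wins
            rest = os.path.normpath(os.path.join(target, *parts[i + 1:]))
            return first_blocked(rest, uid, gids, _depth + 1)
        if not _allowed(st, uid, gids, "r" if i == len(parts) - 1 else "x"):
            return cur
    return None

def check_slapd_tls(conf_text, uid, gids):
    """Map each TLS directive to its first blocked path component (None = ok)."""
    return {k: first_blocked(p, uid, gids) for k, p in tls_files(conf_text).items()}
```

Run check_slapd_tls with the contents of the slapd.conf quoted above and the numeric ids of the slapd account (pwd.getpwnam("ldap") on CentOS 7); a 0700 /etc/letsencrypt/archive or /live directory then shows up as the blocked component even though the symlink under /etc/pki/tls itself looks fine.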