新安装的CentOS 6.3,openldap-servers-2.4.23。 生成一个新的证书请求,签署证书,开始slapd。 ldapsearch响应ldapi:///和ldap:///。 但是,只要在ldaps:///上发出请求,slapd进程就会占用所有可用的CPU,并且从不响应。
strace -p -ff会在无限循环中产生以下结果:
[pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21 [pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0 [pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704 [pid 5978] close(21) = 0 [pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21 [pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0 [pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704 [pid 5978] close(21) = 0 [pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21 [pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0 [pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704 [pid 5978] close(21) = 0 [pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21 [pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0 [pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704 [pid 5978] close(21) = 0 [pid 5978] open("/etc/openldap/certs/server.key", O_RDONLY) = 21 [pid 5978] stat("/etc/openldap/certs/server.key", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0 [pid 5978] read(21, "-----BEGIN PRIVATE KEY-----\nMIIE"..., 1704) = 1704 [pid 5978] close(21) 我已经重新生成了证书,以确保他们不腐败,没有喜悦。
弄清楚了。 显然,openldap根据它们在目录结构中的位置来加载不同的证书。 如果它们位于/ etc / openldap / certs目录中,则将它们视为MozNSS,之后将无法加载任何内容。 如果他们在/ etc / pki中,它使用OpenSSL并加载一切就好了。