I just installed CA LDAP Server and when it starts it immediately ends with an RC 256, and the stderr file shows the messages "TLS: could not initialize environment handle" and "TLS: Permission denied". What can cause this?
The CA LDAP Server stderr file shows:
[08/12|10:17:32.532204|1804000000000000] reading config file ./slapd.conf
[08/12|10:17:32.540654|1804000000000000] line 4 (hosturls ldap://xx.xx.x.x:xx)
[08/12|10:17:32.541503|1804000000000000] line 14 (TLSkeyringname secring)
.. ... ..
. ... ..
[08/12|10:17:33.761896|1804000000000000] TLS: could not initialize environment handle.
[08/12|10:17:33.794011|1804000000000000] TLS: Permission denied
The TLS "Permission denied" error most likely means the CA LDAP Server logonid was denied access to the keyring named by the TLSKeyringName parameter in slapd.conf (secring in the stderr above). The earlier "could not initialize environment handle" message is the consequence: without the keyring, the TLS environment cannot be built and the server ends.
To confirm, run the ACFRPTRV (ACF2 resource violation) report against the SMF data that was active at the time of the error and look for violations recorded for the CA LDAP Server task; the violation identifies the resource class and resource name that was denied.
For the CA LDAP Server to access the keyring, either a FACILITY or an RDATALIB resource rule needs to be created. The RDATALIB resource ringowner.ringname.LST is checked first; only if no RDATALIB rule exists is the FACILITY resource IRR.DIGTCERT.LISTRING checked. Either rule works. The difference is scope: the RDATALIB rule is specific to one keyring, whereas the FACILITY rule applies to all keyrings, so the RDATALIB rule is the least-privilege choice when the server only needs this one ring.
Example rules (substitute the UID string of the CA LDAP Server logonid, and the keyring owner and name given in TLSKeyringName):

FACILITY rule, applies to all keyrings:
$KEY(IRR.DIGTCERT.LISTRING) TYPE(FAC)
UID(UID of CA LDAP Server) SERVICE(READ) ALLOW    <- sufficient when the CA LDAP Server logonid owns the keyring
UID(UID of CA LDAP Server) SERVICE(UPDATE) ALLOW  <- required when the keyring is owned by another logonid

or an RDATALIB rule, specific to this keyring:
$KEY(ringowner) TYPE(RDA)
ringname.LST UID(UID of CA LDAP Server) ALLOW
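The diagnosis above can be scripted: read the stderr, pick up the TLSKeyringName value as slapd echoes it from slapd.conf, and when "TLS: Permission denied" follows, name the RDATALIB and FACILITY resources to look for in ACFRPTRV and draft both candidate rule sets. The script below is an added example, not code from CA or the CA LDAP Server product. The log lines are the ones from the question, embedded as constructed sample input; the keyring owner LDAPSRV, the server logonid and the UID string PRODLDAP are hypothetical values supplied by the caller, and the keyring name is used exactly as read because keyring names can be case-sensitive.

```python
"""Correlate CA LDAP Server stderr with the ACF2 keyring authorization checks.

Added example, not product code. Parses the stderr format shown in the
question, extracts TLSKeyringName, and if a TLS permission-denied error
follows, reports the RDATALIB and FACILITY resources to check in ACFRPTRV
and drafts the two alternative ACF2 rules. Ring owner, server logonid and
UID string are assumptions passed in by the caller.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# stderr line format from the question: [MM/DD|hh:mm:ss.uuuuuu|taskid] message
LOG_LINE = re.compile(r"^\[[^|]*\|[^|]*\|[^\]]*\]\s+(?P<msg>.*)$")
# each slapd.conf parameter is echoed as "line N (keyword value)" as it is read
CONFIG_LINE = re.compile(r"^line\s+\d+\s+\((?P<key>\S+)\s+(?P<value>[^)]*)\)$")

FACILITY_RESOURCE = "IRR.DIGTCERT.LISTRING"  # checked only if no RDATALIB rule exists

# Constructed sample input: the stderr lines from the question, elision kept.
SAMPLE_STDERR = """\
[08/12|10:17:32.532204|1804000000000000] reading config file ./slapd.conf
[08/12|10:17:32.540654|1804000000000000] line 4 (hosturls ldap://xx.xx.x.x:xx)
[08/12|10:17:32.541503|1804000000000000] line 14 (TLSkeyringname secring)
.. ... ..
[08/12|10:17:33.761896|1804000000000000] TLS: could not initialize environment handle.
[08/12|10:17:33.794011|1804000000000000] TLS: Permission denied
"""


@dataclass
class Diagnosis:
    keyring: Optional[str]            # TLSKeyringName value read from slapd.conf
    tls_errors: List[str]             # every "TLS: ..." message in stderr
    denied: bool                      # True when "TLS: Permission denied" was logged
    rdatalib_resource: Optional[str]  # ringowner.ringname.LST, checked first
    facility_resource: str            # IRR.DIGTCERT.LISTRING, checked if no RDA rule
    facility_service: str             # READ if the server owns the ring, else UPDATE
    facility_rule: str                # draft ACF2 FACILITY rule (all keyrings)
    rdatalib_rule: Optional[str]      # draft ACF2 RDATALIB rule (this keyring only)


def parse_stderr(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (slapd.conf parameters keyed by lowercased keyword, TLS messages)."""
    params: Dict[str, str] = {}
    tls: List[str] = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # skips non-log lines such as the ".. ... .." elision
        msg = m.group("msg").strip()
        c = CONFIG_LINE.match(msg)
        if c:
            params[c.group("key").lower()] = c.group("value").strip()
        elif msg.startswith("TLS:"):
            tls.append(msg)
    return params, tls


def diagnose(text: str, ring_owner: str, ldap_logonid: str, ldap_uid: str) -> Diagnosis:
    """Map the stderr log to the ACF2 resources and rules that govern keyring access."""
    params, tls = parse_stderr(text)
    keyring = params.get("tlskeyringname")
    denied = any("permission denied" in e.lower() for e in tls)

    # FACILITY: READ suffices when the server's logonid owns the keyring,
    # UPDATE is needed when the ring belongs to another logonid.
    service = "READ" if ring_owner.upper() == ldap_logonid.upper() else "UPDATE"
    facility_rule = (f"$KEY({FACILITY_RESOURCE}) TYPE(FAC)\n"
                     f"UID({ldap_uid}) SERVICE({service}) ALLOW")

    # RDATALIB: keyed on the (uppercase) ring owner; the ring name is kept as
    # read from slapd.conf because keyring names can be case-sensitive.
    if keyring:
        owner = ring_owner.upper()
        rdatalib_resource = f"{owner}.{keyring}.LST"
        rdatalib_rule = f"$KEY({owner}) TYPE(RDA)\n{keyring}.LST UID({ldap_uid}) ALLOW"
    else:
        rdatalib_resource = rdatalib_rule = None

    return Diagnosis(keyring, tls, denied, rdatalib_resource, FACILITY_RESOURCE,
                     service, facility_rule, rdatalib_rule)


if __name__ == "__main__":
    # Hypothetical values: ring owned by the server's own logonid LDAPSRV.
    d = diagnose(SAMPLE_STDERR, ring_owner="LDAPSRV", ldap_logonid="LDAPSRV", ldap_uid="PRODLDAP")
    if d.denied and d.rdatalib_rule:
        print(f"Keyring access denied for ring {d.keyring!r}; look in ACFRPTRV for:")
        print(f"  RDATALIB {d.rdatalib_resource}  (checked first)")
        print(f"  FACILITY {d.facility_resource}  (checked if no RDATALIB rule)")
        print("Option 1, all keyrings:\n" + d.facility_rule)
        print("Option 2, this keyring only:\n" + d.rdatalib_rule)
```

Run it against the real stderr file by passing its contents to diagnose() with the actual ring owner and the server's logonid; the facility_service field flips from READ to UPDATE as soon as the owner differs from the logonid, which is the most common reason a FACILITY rule that "looks right" still produces the violation.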