Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5202: Failed to start slapd with ldap TLS support via Centrify ldapproxy

Authentication Service ,  

12 April,21 at 10:32 PM

Applies to: Centrify DirectControl version 5.2.2 (Suite 2015) and higher on all platforms.
 

Problem:
 
Failed to start slapd with ldap TLS support when started via centrify-ldapproxy
 
 
Cause:

When slapd is started via centrify-ldapproxy script with ldap TLS support (-h ldaps:///), the process starts without the added ldap TLS support parameters.

Example:

Good: /usr/share/centrifydc/libexec/slapd -h ldaps:///
Bad: /usr/share/centrifydc/bin/centrify-ldapproxy start -h ldaps:///
  

Workaround(for versions of DirectControl <5.2.3):

There are three options to work around this issue:
 
1. Provide a script where user (root) can modify the startup method to add the required '-h ldaps:///'
 
2. Create a trigger file within /etc/centrifydc/openldap which will allow the startup method to interrogate and choose '-h ldap:///' or '-h ldaps:///'
 
3. Correlation of (2), you may be able to reference a standalone configuration file to pick up all needed startup parameters.


Resolution:

As of Suite 2015.1, there is an added option in the startup script for ldapproxy: "STARTUP_OPTS". The service's startup script will source this option and pass the indicated startup options to slapd.

Example: To add the option for TLS support, the following method can be used:
 

Solaris:
# svccfg -s centrify-ldapproxy setprop 'slapd/STARTUP_OPTS=("-h" "ldaps:///")'

-- Demo -- 
root@vantaa-sol11:/usr/share/centrifydc/bin# svccfg -s centrify-ldapproxy setprop 'slapd/STARTUP_OPTS=("-h" "ldaps:///")'
root@vantaa-sol11:/usr/share/centrifydc/bin# centrify-ldapproxy start
Centrify-ldapproxy Service started.
root@vantaa-sol11:/usr/share/centrifydc/bin# ps -ef | grep slap
    root  9740     1   0 11:11:16 ?           0:00 /usr/share/centrifydc/libexec/slapd -h ldaps:///
----------

AIX:
# chssys -a "-d 0 -h ldaps:///" -s centrify-ldapproxy

-- Demo --
bash-4.4# chssys -a "-d 0 -h ldaps:///" -s centrify-ldapproxy
0513-077 Subsystem has been changed.
bash-4.4# /usr/share/centrifydc/bin/centrify-ldapproxy start
Centrify-ldapproxy Service started.
bash-4.4# ps -ef | grep slap
    root 13107362 31064274   0 15:06:26  pts/0  0:00 grep slapd
    root 27918452 15728830   0 15:06:16      -  0:00 /usr/share/centrifydc/libexec/slapd -d 0 -h ldaps:///
----------

RHEL/Debian/HPUX/SUSE/other:
# echo "STARTUP_OPTS=\"-h ldaps:///\"" >> /etc/rc.config.d/centrify-ldapproxy

-- Demo --
[root@au_64rhel5 init.d]# echo "STARTUP_OPTS=\"-h ldaps:///\"" >> /etc/sysconfig/centrify-ldapproxy
[root@au_64rhel5 init.d]# /etc/init.d/centrify-ldapproxy start
Starting Centrify ldapproxy:                               [  OK  ]
[root@au_64rhel5 init.d]# ps -ef | grep slap
    root     16645     1  0 11:15 ?        00:00:00 /usr/share/centrifydc/libexec/slapd -h ldaps:///
----------

Related Articles

 articleKB-2291: Using DirectControl with Network Appliance (NetApp) Filers articleLDAP Proxy, and You: A Definitive Guide articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-4034: ldapproxy ERROR: Failed to retrieve _objectCategory from object: No such attribute articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-7732: LDAP Proxy - Allowing remote hosts articleIntegration of legacy platforms with Centrify Server Suite - agentless integration w/LDAP part 3 articleIntegration of legacy platforms with Centrify Server Suite - agentless integration w/LDAP part 2 articleKB-5902: Ldapproxy is rejecting query with authentication request