
KB-5202: Failed to start slapd with ldap TLS support via Centrify ldapproxy

Authentication Service

12 April,21 at 10:32 PM

Applies to: Centrify DirectControl version 5.2.2 (Suite 2015) and higher on all platforms.

Failed to start slapd with ldap TLS support when started via centrify-ldapproxy

When slapd is started via the centrify-ldapproxy script with LDAP TLS support (-h ldaps:///), the process starts without the added LDAP TLS parameters.


Good: /usr/share/centrifydc/libexec/slapd -h ldaps:///
Bad: /usr/share/centrifydc/bin/centrify-ldapproxy start -h ldaps:///

Workaround (for versions of DirectControl < 5.2.3):

There are three options to work around this issue:
1. Provide a script in which the user (root) can modify the startup method to add the required '-h ldaps:///'.
2. Create a trigger file within /etc/centrifydc/openldap that the startup method can interrogate to choose between '-h ldap:///' and '-h ldaps:///'.
3. As a corollary of (2), you may be able to reference a standalone configuration file to pick up all needed startup parameters.


As of Suite 2015.1, there is an added option in the startup script for ldapproxy: "STARTUP_OPTS". The service's startup script will source this option and pass the indicated startup options to slapd.

Example: To add the option for TLS support, the following method can be used:

# svccfg -s centrify-ldapproxy setprop 'slapd/STARTUP_OPTS=("-h" "ldaps:///")'

-- Demo -- 
root@vantaa-sol11:/usr/share/centrifydc/bin# svccfg -s centrify-ldapproxy setprop 'slapd/STARTUP_OPTS=("-h" "ldaps:///")'
root@vantaa-sol11:/usr/share/centrifydc/bin# centrify-ldapproxy start
Centrify-ldapproxy Service started.
root@vantaa-sol11:/usr/share/centrifydc/bin# ps -ef | grep slap
    root  9740     1   0 11:11:16 ?           0:00 /usr/share/centrifydc/libexec/slapd -h ldaps:///

# chssys -a "-d 0 -h ldaps:///" -s centrify-ldapproxy

-- Demo --
bash-4.4# chssys -a "-d 0 -h ldaps:///" -s centrify-ldapproxy
0513-077 Subsystem has been changed.
bash-4.4# /usr/share/centrifydc/bin/centrify-ldapproxy start
Centrify-ldapproxy Service started.
bash-4.4# ps -ef | grep slap
    root 13107362 31064274   0 15:06:26  pts/0  0:00 grep slapd
    root 27918452 15728830   0 15:06:16      -  0:00 /usr/share/centrifydc/libexec/slapd -d 0 -h ldaps:///

# echo "STARTUP_OPTS=\"-h ldaps:///\"" >> /etc/rc.config.d/centrify-ldapproxy

-- Demo --
[root@au_64rhel5 init.d]# echo "STARTUP_OPTS=\"-h ldaps:///\"" >> /etc/sysconfig/centrify-ldapproxy
[root@au_64rhel5 init.d]# /etc/init.d/centrify-ldapproxy start
Starting Centrify ldapproxy:                               [  OK  ]
[root@au_64rhel5 init.d]# ps -ef | grep slap
    root     16645     1  0 11:15 ?        00:00:00 /usr/share/centrifydc/libexec/slapd -h ldaps:///
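
Each demo above confirms the fix by reading the slapd command line from ps. The following shell function automates that check; it is an added example, not part of the original article or of Centrify's tooling. The function name, the result labels and the sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify slapd listeners from `ps -ef` output read on stdin.
# Prints one of:
#   not-running  no slapd process found
#   no-h         slapd is running but -h is missing from its command line
#   plain        -h lists ldap:// only
#   mixed        -h lists both ldap:// and ldaps://
#   tls          -h lists ldaps:// and no ldap://
#   other        -h lists neither scheme (for example ldapi:// only)
classify_slapd_listeners() {
    awk '
    # Match the slapd binary path shown in the article; skip any grep line.
    # Flags accumulate across all matching slapd lines.
    /\/usr\/share\/centrifydc\/libexec\/slapd/ && !/grep/ {
        found = 1; in_h = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-h") { in_h = 1; saw_h = 1; continue }
            if (in_h && $i ~ /^-/) in_h = 0    # next option ends the URL list
            if (in_h && $i ~ /^ldaps:\/\//) tls = 1
            if (in_h && $i ~ /^ldap:\/\//)  plain = 1
        }
    }
    END {
        if (!found)            print "not-running"
        else if (!saw_h)       print "no-h"
        else if (tls && plain) print "mixed"
        else if (tls)          print "tls"
        else if (plain)        print "plain"
        else                   print "other"
    }'
}

# Constructed sample: slapd started through the wrapper with the -h option lost.
sample_ps_line='    root  9740     1   0 11:11:16 ?   0:00 /usr/share/centrifydc/libexec/slapd'

# Prints "no-h" for the constructed sample above.
printf '%s\n' "$sample_ps_line" | classify_slapd_listeners

# On a live host: ps -ef | classify_slapd_listeners
```

A result of no-h after starting the service through centrify-ldapproxy is the symptom this article describes; tls is the expected result once STARTUP_OPTS or the equivalent setting has been applied.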