OpenLDAP: TLS init def ctx failed: -207

Today I upgraded OpenLDAP in order to fix the insufficient input validation security problem (DSA-1943-1).
Unfortunately OpenLDAP refused to start after the upgrade.

After adding

loglevel config stats

to the configuration file it gave me at least the meaningful error message:

TLS init def ctx failed: -207.

The research in the mailinglist led to the solution. It turned out that the openldap user had insufficient permissions for reading the TLS private key.

Tags: