slapd starts when called directly but won't start from systemctl


Running Fedora 27 here. I'm attempting to run slapd from a fresh OpenLDAP install. When I try to run it with systemctl start openldap, the daemon fails to start. journalctl gives the following output:

Jun 19 00:30:25  slapd[1325]: @(#) $OpenLDAP: slapd 2.4.45 (Dec  6 2017 14:25:36) $
                                                                    [email protected]:/builddir/build/BUILD/openldap-2.4.45/openldap-2.4.45/servers/slapd
Jun 19 00:30:25  slapd[1326]: mdb_db_open: database "dc=my-domain,dc=com" cannot be opened: Permission denied (13). Restore from backup!
Jun 19 00:30:25  slapd[1326]: backend_startup_one (type=mdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (13)
Jun 19 00:30:25  slapd[1326]: slapd stopped.
Jun 19 00:30:25  audit[1326]: AVC avc:  denied  { map } for  pid=1326 comm="slapd" path="/var/lib/ldap/lock.mdb" dev="xvda1" ino=1716389 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=0

However, if I run the daemon directly with /usr/sbin/slapd -u ldap -d -1 -h "ldap:/// ldaps:/// ldapi:///", the daemon starts with no issue.

My systemctl script is below:

[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html

[Service]
Type=forking
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"

[Install]
WantedBy=multi-user.target
Alias=openldap.service

I've checked permissions on the ldap config directory and db directory and they seem correct for the ldap user:

[root@localhost operations]# ll /etc/openldap/slapd.d/cn\=config
total 24
drwxr-x---. 2 ldap ldap 4096 Jun 15 23:00 'cn=schema'
-rw-------. 1 ldap ldap  378 Jun 15 23:00 'cn=schema.ldif'
-rw-------. 1 ldap ldap  513 Jun 15 23:00 'olcDatabase={0}config.ldif'
-rw-------. 1 ldap ldap  412 Jun 15 23:00 'olcDatabase={-1}frontend.ldif'
-rw-------. 1 ldap ldap  562 Jun 15 23:00 'olcDatabase={1}monitor.ldif'
-rw-------. 1 ldap ldap  609 Jun 15 23:00 'olcDatabase={2}mdb.ldif'

[root@localhost operations]# ll /var/lib/| grep ldap
drwx------. 2 ldap    ldap    4096 Jun 19 00:30 ldap

[root@localhost operations]# ll /var/lib/ldap/
total 0
-rw-------. 1 ldap ldap 8192 Jun 19 00:30 lock.mdb

Any advice would be much appreciated.
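The AVC line in the journal above is the part that matters: the daemon runs in the confined domain `slapd_t` only when systemd starts it, while a slapd launched from a root login shell under the targeted policy stays in the shell's unconfined domain, so the same `map` access is never checked there. The following is an added example, not code from the original question or the answer: a small POSIX shell triage that parses an AVC record, checks whether the target file carries the label the policy expects for the daemon's data directory (here assumed to be `slapd_db_t`, which is what the page's own record shows), and prints the matching next step. The input is the page's own AVC line plus a constructed mislabeled variant; the helper names (`avc_field`, `avc_perm`, `ctx_type`, `avc_triage`) are mine.

```shell
#!/bin/sh
# Added example: triage a single SELinux AVC denial record.
# Input 1 is the AVC line from the question (copied from journalctl);
# input 2 is a constructed variant with a wrong file label, for contrast.
AVC_LINE='Jun 19 00:30:25  audit[1326]: AVC avc:  denied  { map } for  pid=1326 comm="slapd" path="/var/lib/ldap/lock.mdb" dev="xvda1" ino=1716389 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=0'
MISLABELED_LINE='Jun 19 00:30:25  audit[1326]: AVC avc:  denied  { map } for  pid=1326 comm="slapd" path="/var/lib/ldap/lock.mdb" dev="xvda1" ino=1716389 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=value (quoted or not) from LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the denied permission inside "{ ... }" (e.g. map).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^} ]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: print the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE EXPECTED_TYPE
# If the file's type differs from the type the policy expects for this data
# directory, the fix is relabeling (restorecon). If it already matches, the
# labels are right and the policy itself lacks the permission, so the usual
# workaround (my assumption, not something the page states) is a local module
# generated from the denial with audit2allow until the distribution policy
# grants the access.
avc_triage() {
    line=$1
    expected=$2
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    path=$(avc_field "$line" path)
    if [ "$tgt" != "$expected" ]; then
        echo "mislabel: $path is $tgt, expected $expected -> restorecon -Rv $(dirname "$path")"
    else
        name=${src%_t}
        echo "policy-gap: $src lacks '$perm' on $tgt -> ausearch -m AVC -c $name | audit2allow -M local_$name; semodule -i local_$name.pp"
    fi
}

# Stand-alone run: triage both records.
avc_triage "$AVC_LINE" slapd_db_t
avc_triage "$MISLABELED_LINE" slapd_db_t

# On the box itself you would confirm the domain difference with
#   ps -eZ | grep slapd      (slapd_t under systemd, unconfined_t from a root shell)
#   ls -Z /var/lib/ldap      (expected label on the database files)
# These need a live SELinux system and are not executed here.
```

Reading the page's record through this: the file is already `slapd_db_t`, which is the correct label for the database directory, so `restorecon` will not change anything; the denial is the policy refusing `map` to `slapd_t` on its own database type, and that is why the direct, unconfined start works while the systemd start does not.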


It seems you're using back-mdb. Good.

Does your DB directory /var/lib/ldap/ really contain only file lock.mdb?

There should also be a bigger file called data.mdb with the actual data.