Hi, In your ssl.ldif file there is a *blank* line too after changetype: modify This is not reported in your first post but it apear in seconde one. I have reproduced the same symptoms with this empty line
More details bellow Cheers. Le 29/04/2015 12:56, Robert Munn a écrit :
My replies inline...On Apr 26, 2015, at 2:28 AM, Abdelhamid MEDDEB <[email protected] <mailto:[email protected]>> wrote:Hi, Le 25/04/2015 15:10, Robert Munn a écrit :I have been trying to replace the SSL cert settings on my OpenLDAP instance running on Ubuntu using ldapmodify.I followed directions on the Ubuntu wiki: https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls using a modified ldif file for the replace: |dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem||All right|
Empty line is not reported here.
But we show it here, and content changes (strangely) the cn=config.ldif last modified timestamp, but do nothing realyWhen it didn’t work on my existing instance I built a new instance in a new Ubuntu VM (14.04) and tried the original directions from Ubuntu. That did not work either.May be you've missed some settings at build time like --with-tlsI installed OpenLDAP using apt. The .deb package must include TLS because I added the certificates manually.No error message like "Insufficient access (50)" ? and you should check the write (manage)rights to cn=config database.The ldapmodify command executes correctly but it seems that the change is not registered by the server. This is the case in both the new instance and the old instance of OpenLDAP.The command I ran (as sudo) and the message: ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config” and ssl.ldif : dn: cn=config changetype:modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/CAcert - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/cert - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/cert.key
cn=config.ldif is being modified by the ldapmodify process, I verified that by changing file permissions on cn=config.ldif, running the ldapmodify command, and then checking cn=config.ldif. ldapmodify updated the timestamp and file permissions on the file. The file changed, but the configuration changes in ssl.ldif were not made in cn=config.ldif.I ended up replacing the values (or adding them in the new instance) in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the changes manually and restarting slapd works, but my understanding was that changes to cn=config should be made through ldapmodify.Bad practice, it's best to avoid.Yes, and when I can modify the configuration using ldapmodify, I will no longer make the changes manually.I found a note about enabling logging using ldapmodify: https://help.ubuntu.com/lts/serverguide/openldap-server.html logging.ldif: dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: stats ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldifI executed this command on my first instance and it added the logging to cn=config. I executed this command on the second instance, where olcLogLevel already existed, and it did not alter the log level.I have also been experimenting with this script: https://github.com/cepharum/slapd-config With it, I was able to delete the TLS entries from cn=config: slapd-config raw delete cn=config olcTLSCACertificateFile 1 but when I tried to add the entries back, I got this error:slapd-config raw insert cn=config olcTLSCACertificateFile 1 "/etc/ssl/certs/cert.pem"modifying entry "" ldap_modify: Server is unwilling to perform (53) additional info: modify upon the root DSE not supported
I have not looked at the details but it seems that there is a bug in this script. (modifying entry "")
I was able to change the olcLogLevel back to its original state vi ldapmodify, so maybe there is something particular about the TLS entries, perhaps having to do with permissions on the certs and keys themselves?I have come across this bug in several forums and have yet to see someone who solved it in the “correct” manner using ldapmodify.RobertI also found a tech note at CentOS: https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Accessing_and_Modifying_Server_Configuration.html in section 2.2.2.2 that indicates changes to cn=config will be ignored: "If an attribute is added to |cn=config|, the server ignores it."So am I mistaken? Do I need to do something different? I would prefer to manage the config with ldapmodify, but since I don’t change cn=config that often, I can change it manually.RobertCheers, -- *Abdelhamid MEDDEB* http://www.meddeb.net
-- *Abdelhamid Meddeb* http://www.meddeb.net
smime.p7s
Description: Signature cryptographique S/MIME
