Hi everybody,

I've done some tests aiming to understand why, when I try to add/replace
*olcTLSCACertificateFile*, *olcTLSCertificateFile* and
*olcTLSCertificateKeyFile*, the ldapmodify command returns "ldap_modify:
Other (e.g., implementation specific) error (80)". Then, to remove all
other variables, I've done a new simple installation:

*Step 1:* I've done a new CentOS 7 installation;

*Step 2:* I've added the symas repo following all steps described at
https://repo.symas.com/sofl/rhel7/;

*Step 3:* I've made sure that I've erased any other openldap version before
installing the symas-openldap server and client;


yum erase openldap-clients openldap-servers
yum -y update
yum install -y symas-openldap-clients symas-openldap-servers


*Step 4:* I haven't done any modification before replacing
olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile;
*Step 5:* I've generated the CA key, CA certificate, ldap key and ldap certificate
and I've signed the ldap certificate with the CA:


echo 0001 > serial
touch index.txt
openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096
openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem \
    -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
openssl genrsa -aes256 -out /etc/pki/CA/private/ldap.local.key 4096
openssl req -new -key /etc/pki/CA/private/ldap.local.key \
    -out /etc/pki/CA/certs/ldap.local.csr
openssl ca -keyfile /etc/pki/CA/private/ca.key.pem \
    -cert /etc/pki/CA/certs/ca.cert.pem \
    -in /etc/pki/CA/certs/ldap.local.csr \
    -out /etc/pki/CA/certs/ldap.local.crt

*Step 6:* I've copied ldap.local.key, ldap.local.crt and ca.cert.pem to
/etc/openldap/certs and changed the owner group to *ldap*.

chown :ldap /etc/openldap/certs/ldap.local.key
chown :ldap /etc/openldap/certs/ldap.local.crt
chown :ldap /etc/openldap/certs/ca.cert.pem

*Step 7:* I've tried to replace *olcTLSCACertificateFile*,
*olcTLSCertificateFile* and *olcTLSCertificateKeyFile* with the following ldif
<tls.ldif>:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.local.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.local.crt
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem

It hasn't mattered what I've done: when I've run the ldapmodify command, it has
returned me the same error.

[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f 5tls.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)


I can change olcSuffix, change olcRootDN, change olcRootPW and do other
modifications by ldif+ldapmodify normally.

I simply don't understand what is wrong in this ldif and would appreciate your
help.

--
Igor Sousa
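A pre-flight check for the three files from step 6, to run before applying tls.ldif; this is an added example, not code from the thread or from OpenLDAP. It verifies that the server key is not passphrase-protected (a key made with "openssl genrsa -aes256" is, and a running slapd reconfigured over ldapi has no terminal to type the passphrase into), that the key matches the certificate, that the CA verifies the certificate, and that the ldap group can read all three. Paths and the group name are taken from the post; the function names and the CERT_DIR/LDAP_GROUP variables are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the files named in tls.ldif (added example, not part of
# the thread). Paths and the "ldap" group are the ones used in the post above.
CERT_DIR=${CERT_DIR:-/etc/openldap/certs}
LDAP_GROUP=${LDAP_GROUP:-ldap}

# A key written by "openssl genrsa -aes256" is passphrase-protected. A slapd
# that is already running and reconfigured over ldapi has no terminal to read
# that passphrase from, so its TLS setup fails. Returns 0 when encrypted.
key_is_encrypted() {
    grep -q -E '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# slapd runs as the ldap user, so each file must belong to that group (name or
# numeric gid accepted) and carry the group-read bit; mode 0640 is enough.
readable_by_group() {
    g=$(stat -c '%G %g' "$1") || return 1
    case " $g " in *" $2 "*) ;; *) return 1 ;; esac
    [ "$(stat -c %A "$1" | cut -c5)" = "r" ]
}

# The certificate's public key must be the public half of the private key.
key_matches_cert() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Runs every check, prints one line per problem, returns 1 if any failed.
# Arguments: CA certificate, server certificate, server key, group.
check_tls_files() {
    ca=$1; crt=$2; key=$3; grp=$4; rc=0
    for f in "$ca" "$crt" "$key"; do
        readable_by_group "$f" "$grp" || { echo "FAIL: $f is not readable by group $grp"; rc=1; }
    done
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; re-export it without a passphrase"; rc=1
    elif ! key_matches_cert "$crt" "$key" 2>/dev/null; then
        echo "FAIL: $key does not match $crt"; rc=1
    fi
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "FAIL: $crt is not signed by $ca"; rc=1; }
    return $rc
}

# Usage (as root, before running ldapmodify):
# check_tls_files "$CERT_DIR/ca.cert.pem" "$CERT_DIR/ldap.local.crt" \
#                 "$CERT_DIR/ldap.local.key" "$LDAP_GROUP"
```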


On Fri, 12 Jul 2019 at 09:30, Igor Sousa <[email protected]>
wrote:

> Howard and Quanah,
>
> I think I understand what you have told me, but I still don't
> understand the reason my ldif doesn't work. Thankfully my
> environment is a test environment. I have another test environment that has
> one difference from the first: I modified the first environment's database to
> an mdb database, while the second is a default installation where the database is hdb
> (default).
>
> In the second environment, I can modify olcTLSCertificateFile,
> olcTLSCertificateKeyFile and olcTLSCACertificateFile normally.
> For modify the first environment:
>
>    1. I stopped the slapd service;
>    2. I got the olc configuration from the slapcat -n 0 command, like: slapcat -n
>    0 >> config.ldif;
>    3. I added olcModuleLoad back_mdb on dn: cn=module{0},cn=config (I
>    verified the olcModulePath and /usr/lib64);
>    4. I modified on dn: olcDatabase={2}hdb,cn=config the following
>    attributes:
>       - dn: olcDatabase={2}hdb,cn=config to dn:
>       olcDatabase={2}mdb,cn=config
>       - objectClass: olcHdbConfig to objectClass: olcMdbConfig
>       - olcDatabase: {2}hdb to olcDatabase: {2}mdb
>       - structuralObjectClass: olcHdbConfig to structuralObjectClass:
>       olcMdbConfig
>       - And finally, I ran these two commands:
>          - cat config.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0
>          - chown -R /etc/openldap/slapd.d (to solve the owner problem after
>          running this command as root)
>
> OBS: I've set up the environment on CentOS 7, added symas' repository and
> installed from yum.
>
> Is it possible I have done something wrong in the conversion process?
>
> --
> Igor Sousa
>
>
> On Thu, 11 Jul 2019 at 22:56, Howard Chu <[email protected]> wrote:
>
>> Quanah Gibson-Mount wrote:
>> > --On Thursday, July 11, 2019 5:29 PM -0300 Igor Sousa <[email protected]> wrote:
>> >
>> >> I've tested your suggestion and the delete operation has worked fine, but
>> >> I've still had the same problem described previously when I've tried to add
>> >> a new olcTLSCertificateFile or new olcTLSCertificateKeyFile or new
>> >> olcTLSCACertificateFile. I don't understand the reason for that.
>> >
>> > You're likely hitting ITS#8286 with the replace operations. Another
>> > idea may be to change replace to a delete+add in the same operation
>> > sequence.
>> >
>> > <https://www.openldap.org/its/index.cgi/?findid=8286>
>> >
>> > The details in the ITS aren't as flushed out as they probably should
>> > be, but if a configuration element is missing an EQUALITY matching rule,
>> > then you generally cannot use a replace OP on them.
>>
>> That's not correct. A replace op always works. It is only [Delete/Add]
>> value that requires an equality rule.
>>
>> --
>>   -- Howard Chu
>>   CTO, Symas Corp.           http://www.symas.com
>>   Director, Highland Sun     http://highlandsun.com/hyc/
>>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
>>
>
