Hi Howard,
Howard Chu wrote:
>
> ^^ shouldn't this also be replace: ?
>
By default, Openldap-Servers-Symas (or openldap-servers from the default
repository) doesn't have an olcTLSCACertificateFile entry. Because of this, I've
used the add operation instead of replace.
I've tried to set these entries in cn=config with the commands below:
systemctl stop slapd
slapcat -n 0 > config.ldif                        # dump the config DB (overwrite, not append, so no stale entries)
rm -rf /etc/openldap/slapd.d/*                    # clear the old cn=config tree
slapadd -v -F /etc/openldap/slapd.d -n 0 -l config.ldif   # reload it from the edited LDIF
chown ldap:ldap -R /etc/openldap/slapd.d          # slapd runs as ldap and must own the tree
I managed to set these entries, but slapd hasn't started, and when I checked
systemctl status slapd I saw that slapd couldn't read the key file. I've
checked again and the ldap user has privileges to read all the files set in
olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile.
[root@localhost ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-07-18 11:55:29 -03; 2h 5min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 2133 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 2120 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 1928 (code=exited, status=0/SUCCESS)

Jul 18 11:55:29 localhost.localdomain runuser[2123]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 18 11:55:29 localhost.localdomain slapd[2133]: @(#) $OpenLDAP: slapd 2.4.47 (Mar 11 2019 17:22:04) $
        build@c7rpm:/home/build/git/rheldap/RHEL7_x86_64/BUILD...lapd
Jul 18 11:55:29 localhost.localdomain slapd[2133]: main: TLS init def ctx failed: -1
Jul 18 11:55:29 localhost.localdomain slapd[2133]: Enter PEM pass phrase:
Jul 18 11:55:29 localhost.localdomain slapd[2133]: slapd stopped.
Jul 18 11:55:29 localhost.localdomain slapd[2133]: connections_destroy: nothing to destroy.
Jul 18 11:55:29 localhost.localdomain systemd[1]: slapd.service: control process exited, code=exited status=1
Jul 18 11:55:29 localhost.localdomain systemd[1]: Failed to start OpenLDAP Server Daemon.
Jul 18 11:55:29 localhost.localdomain systemd[1]: Unit slapd.service entered failed state.
Jul 18 11:55:29 localhost.localdomain systemd[1]: slapd.service failed.
-----
[root@localhost ~]# ls /etc/openldap/certs -l
total 100
-rw-r--r--. 1 root ldap 2078 Jul 18 10:47 ca.cert.pem
-rw-r--r--. 1 root root 65536 Jul 15 15:16 cert8.db
-rw-r--r--. 1 root root 16384 Jul 15 15:16 key3.db
-rw-r--r--. 1 root ldap 3326 Jul 18 10:47 ldap.key.pem
-rw-r--r--. 1 root ldap 1732 Jul 18 10:47 ldap.local.csr
-rw-r--r--. 1 root ldap 2102 Jul 18 11:55 ldap.local.pem
-r--r-----. 1 root ldap 45 Jun 21 16:09 password
-rw-r--r--. 1 root root 16384 Jun 21 16:09 secmod.db
Note: I've changed olcTLSCACertificateFile, olcTLSCertificateFile and
olcTLSCertificateKeyFile to ca.cert.pem, ldap.local.pem and ldap.key.pem
respectively.
I've started thinking about testing it on a Debian system, hoping it works
better. I don't have any idea about it.
--
Igor Sousa
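The journal quoted above prints "Enter PEM pass phrase:" right before "TLS init def ctx failed: -1"; that prompt is OpenSSL's default passphrase callback, which fires when the PEM private key is passphrase-protected, and slapd has no way to answer it. The POSIX shell script below is an added example, not part of this thread or of OpenLDAP: it pre-checks the three files named in olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile before slapd is started, verifying that each is a readable PEM file, that the slapd account can read it (when run as root), and that the key is not encrypted. The default paths and the ldap account come from the message; the environment variable names (CA_FILE, CERT_FILE, KEY_FILE, SLAPD_USER) and the `run` argument are my own. The certificate/key consistency check needs openssl and is skipped when it is not installed.

```shell
#!/bin/sh
# Added pre-flight check for slapd's TLS files (not from the thread).
# check_tls_files returns 0 when nothing is wrong, otherwise the number
# of problems it printed on stdout.

key_is_encrypted() {
    # A passphrase-protected PEM key carries one of these headers. slapd has
    # no passphrase callback, so it logs "Enter PEM pass phrase:" and then
    # aborts with "TLS init def ctx failed".
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

pem_file_ok() {
    # Readable by the caller and contains at least one PEM object.
    [ -r "$1" ] && grep -q -- '-----BEGIN ' "$1"
}

readable_by_user() {
    # $1 = file, $2 = account slapd runs as. Only meaningful as root (the
    # ldap account normally has a nologin shell, hence -s); otherwise it
    # falls back to testing the current user.
    if [ "$(id -u)" = 0 ] && id "$2" >/dev/null 2>&1; then
        su -s /bin/sh "$2" -c "test -r \"$1\""
    else
        [ -r "$1" ]
    fi
}

cert_key_match() {
    # $1 = certificate, $2 = key. Compares the two public keys. Returns 0
    # (skip) when openssl is absent or the key is encrypted, 1 on mismatch.
    command -v openssl >/dev/null 2>&1 || return 0
    key_is_encrypted "$2" && return 0
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null </dev/null) || return 1
    [ "$c" = "$k" ]
}

check_tls_files() {
    # $1 = olcTLSCACertificateFile, $2 = olcTLSCertificateFile,
    # $3 = olcTLSCertificateKeyFile, $4 = slapd user
    problems=0
    for f in "$1" "$2" "$3"; do
        if ! pem_file_ok "$f"; then
            echo "PROBLEM: $f is missing, unreadable or not a PEM file"
            problems=$((problems + 1))
        elif ! readable_by_user "$f" "$4"; then
            echo "PROBLEM: $f is not readable by user $4 (check owner and mode)"
            problems=$((problems + 1))
        fi
    done
    if [ -r "$3" ] && key_is_encrypted "$3"; then
        echo "PROBLEM: $3 is passphrase-protected; slapd cannot prompt for it"
        problems=$((problems + 1))
    fi
    return "$problems"
}

main() {
    # Defaults are the paths listed in the message; override via environment.
    ca="${CA_FILE:-/etc/openldap/certs/ca.cert.pem}"
    cert="${CERT_FILE:-/etc/openldap/certs/ldap.local.pem}"
    key="${KEY_FILE:-/etc/openldap/certs/ldap.key.pem}"
    user="${SLAPD_USER:-ldap}"
    check_tls_files "$ca" "$cert" "$key" "$user" || return $?
    if ! cert_key_match "$cert" "$key"; then
        echo "PROBLEM: $cert does not match $key"
        return 1
    fi
    echo "TLS files look usable by slapd"
}

# Run the checks only when invoked as: sh slapd-tls-check.sh run
[ "${1:-}" = run ] && main
```

Run it as root before `systemctl start slapd`; a non-zero exit means at least one line starting with PROBLEM was printed. An encrypted key is the one finding that no chown or chmod will fix: the key has to be stored unencrypted (protected by ownership and mode, as the ldap.key.pem listing above already is) for slapd to load it without a prompt.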