> On Oct 19, 2022, at 12:30 PM, Quanah Gibson-Mount <[email protected]> wrote:
>
>
>
> --On Wednesday, October 19, 2022 1:24 PM -0400 Timothy Stonis <[email protected]> wrote:
>
>> Hi,
>>
>> I am trying to set up an OpenLDAP 2.6.3 server and I'd like to only use
>> olc configuration (no slapd.conf file). So far things are going okay, but
>> I'm having a problem with TLS configuration. I am able to enable TLS
>> using a self-signed certificate without any problem, however, if I try to
>> disable TLS using the following LDIF:
>>
>> dn: cn=config
>> changetype: modify
>> delete: olcTLSCertificateFile
>> -
>> delete: olcTLSCertificateKeyFile
>> -
>>
>> I get the following error:
>>
>> modifying entry "cn=config"
>> ldap_modify: Server is unwilling to perform (53)
>>
>> I enabled debugging and cannot seem to see the error. I have also tried
>> reordering the entries, doing one at a time, disabling ldaps:// binding,
>> etc. but nothing seems to work. If I just remove the certificate and/or
>> key files, then the server does not start. Is enabling TLS a one-way
>> street? Or, should I just use slapd.conf?
>
> You could slapcat -n 0 -l config.ldif, remove the offending lines, and then
> use slapadd to re-import the configuration. What underlying TLS library is
> the server linked to?

Thanks for the suggestion. Prior, I tried using slapmodify to make the change, but I got the message that the database was not writeable, even running as root. Is there an ACL I need to set on cn=config to get slapmodify to work? It's linked against openssl 1.1.

>
>> As a second question, I read in an article online that there is a way to
>> store the TLS cert(s) and key in the LDAP database itself. However, I
>> cannot find any info on that in the documentation. Can anyone shed some
>> light on that?
>
> You can store TLS certificates in LDAP, but that would not be the same as
> slapd using those certificates for its own operation. You can also look at
> the slapo-autoca overlay on how to use OpenLDAP as a centralized CA.
>

Okay, I got the info that they could be used directly from:

"For TLS, under 2.4 the filesystem location of the keys and certificates were stored in cn=config; as of 2.5, the keys and certificates themselves can be stored inside the database."

In this article: https://www.symas.com/post/howard-chu-shares-what-to-expect-with-openldap-2-5

> Regards,
> Quanah
>
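The slapcat / edit / slapadd route suggested above, as an added example that is not part of the thread and not OpenLDAP's own tooling: a small Python script that takes the output of `slapcat -n 0`, removes the `olcTLSCertificateFile` and `olcTLSCertificateKeyFile` attributes from the `cn=config` entry only, and writes the result back out for `slapadd`. It unfolds LDIF continuation lines first, because slapcat wraps long values (such as certificate paths) at 76 columns and a naive `grep -v` would leave the folded tail behind as a dangling line. The sample LDIF embedded below is constructed for the demonstration; the attribute-deletion logic is the part that matters.

```python
"""Strip the TLS file attributes from a slapcat -n 0 dump so it can be re-imported with slapadd.

Assumed workflow (added example, not from the thread; paths and the slapd
user/group are assumptions and vary by distribution):

    slapcat -n 0 -l config.ldif
    python3 strip_tls.py config.ldif > config.notls.ldif
    mv /etc/ldap/slapd.d /etc/ldap/slapd.d.bak && mkdir /etc/ldap/slapd.d
    slapadd -n 0 -F /etc/ldap/slapd.d -l config.notls.ldif
    chown -R openldap:openldap /etc/ldap/slapd.d

slapd must be stopped while slapadd rewrites the config database.
"""
import sys
from typing import Iterable, List

# Attribute names are case-insensitive in LDAP, so compare lower-cased.
TLS_ATTRS = {"olctlscertificatefile", "olctlscertificatekeyfile"}

# Constructed sample in the shape of slapcat -n 0 output (not real server data).
# The key-file value is deliberately folded across two lines, as slapcat does
# for long values: a leading single space continues the previous line.
SAMPLE_CONFIG_LDIF = """\
# constructed sample
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/ldap/certs/server.crt
olcTLSCertificateKeyFile: /etc/ldap/certs/ser
 ver.key
olcTLSCACertificateFile: /etc/ldap/certs/ca.crt

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
"""


def unfold(lines: Iterable[str]) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def split_entries(lines: List[str]) -> List[List[str]]:
    """Split unfolded LDIF into entries (separated by blank lines), dropping comment lines."""
    entries: List[List[str]] = []
    cur: List[str] = []
    for line in lines:
        if line.startswith("#"):
            continue
        if line == "":
            if cur:
                entries.append(cur)
                cur = []
        else:
            cur.append(line)
    if cur:
        entries.append(cur)
    return entries


def attr_name(line: str) -> str:
    """Attribute name of an LDIF line; 'attr: v', 'attr:: b64' and 'attr:< url' all share the form."""
    return line.split(":", 1)[0].strip().lower()


def strip_tls(ldif_text: str) -> str:
    """Return the LDIF with the TLS file attributes removed from the cn=config entry only."""
    out_entries = []
    for entry in split_entries(unfold(ldif_text.splitlines())):
        dn_line = entry[0]
        if attr_name(dn_line) != "dn":
            raise ValueError("entry does not start with a dn: line: " + dn_line)
        # cn=config is plain ASCII, so slapcat never base64-encodes its dn.
        dn_value = dn_line.split(":", 1)[1].strip().lower()
        if dn_value == "cn=config":
            entry = [line for line in entry if attr_name(line) not in TLS_ATTRS]
        out_entries.append("\n".join(entry))
    return "\n\n".join(out_entries) + "\n"


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    sys.stdout.write(strip_tls(source))
```

Two practical points for the re-import step: slapadd writes the new `slapd.d` as whatever user runs it, so the directory must be chowned back to the account slapd runs as before the service is started (an assumption about your deployment, not something the thread states), and the certificate and key files referenced by the removed attributes can only be deleted from disk once the server has been restarted on the rewritten configuration.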
