> On Oct 19, 2022, at 1:34 PM, Quanah Gibson-Mount <[email protected]> wrote:
>
>
>
> --On Wednesday, October 19, 2022 2:25 PM -0400 Timothy Stonis
> <[email protected]> wrote:
>
>
>> Thanks for the suggestion. Prior, I tried using slapmodify to make the
>> change, but I got the message the database was not writeable even running
>> as root. Is there an ACL I need to set on cn=config to get slapmodify to
>> work? It's linked against openssl 1.1.
>
> slapmodify is an offline command so no ACLs would apply. What was your exact
> slapmodify command?
>
This is what I tried:

sudo slapmodify -F /var/openldap/openldap-data/ -q -l [LDIF file]

The LDIF file had:

dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-

The error was: "Available database(s) do not allow slapmodify"
>> Okay, I got the info they could be used directly from: "For TLS, under
>> 2.4 the filesystem location of the keys and certificates were stored in
>> cn=config; as of 2.5, the keys and certificates themselves can be stored
>> inside the database." In this article:
>>
>>
>>
>> https://www.symas.com/post/howard-chu-shares-what-to-expect-with-openldap-2-5
>
> I checked with Howard, this was apparently implemented at the same time as
> slapo-autoca, but the docs on how to do this appear to be missing, will see
> if an issue needs to be raised for a doc update.
>
>
> Regards,
> Quanah
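The LDIF change record Timothy posted is the RFC 2849 "changetype: modify" form: one "dn:" line, the changetype, then mod blocks of add/delete/replace each closed with a "-" line, where a delete with no values removes every value of the attribute (here the two olcTLS*File locations in cn=config). The parser below is an added example, written for this editorial note and not code from OpenLDAP or from anyone in the thread; it assumes a single modify record, handles base64 ("::") values and folded continuation lines, and returns the operations so a script can inspect what a change would do to cn=config before anything is run offline against the config database. The sample record is the one from the thread, embedded as constructed input.

```python
"""Parse one LDIF 'changetype: modify' record into structured operations.

Added example; not code from OpenLDAP or from the thread's authors.
Assumes RFC 2849 syntax for a single modify record.
"""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample: the record posted in the thread, which deletes the
# filesystem-location attributes for the TLS certificate and key from cn=config.
SAMPLE_LDIF = """\
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-
"""

Op = Tuple[str, str, List[str]]  # (operation, attribute, values)


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_attr(line: str) -> Tuple[str, str]:
    """Split 'attr: value' or 'attr:: base64value' into (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # '::' marks a base64-encoded value
        return attr.strip(), base64.b64decode(rest[1:].strip()).decode()
    return attr.strip(), rest.strip()


def parse_modify_record(text: str) -> Dict[str, object]:
    """Return {'dn': ..., 'ops': [(op, attr, values), ...]} for one modify record.

    Raises ValueError for anything other than a changetype: modify record
    or for a value line that does not belong to the open mod block.
    A missing trailing '-' on the last block is tolerated, as slapd tools do.
    """
    lines = [ln for ln in _unfold(text) if ln and not ln.startswith("#")]
    if not lines or not lines[0].lower().startswith("dn:"):
        raise ValueError("record must start with dn:")
    dn = _split_attr(lines[0])[1]
    if len(lines) < 2 or _split_attr(lines[1]) != ("changetype", "modify"):
        raise ValueError("only changetype: modify records are handled")

    ops: List[Op] = []
    current: Optional[Op] = None
    for line in lines[2:]:
        if line == "-":  # end of the current mod block
            if current is None:
                raise ValueError("stray '-' separator")
            ops.append(current)
            current = None
            continue
        attr, val = _split_attr(line)
        if current is None:
            if attr not in ("add", "delete", "replace"):
                raise ValueError(f"unexpected mod operation {attr!r}")
            current = (attr, val, [])  # val is the attribute being modified
        else:
            if attr != current[1]:
                raise ValueError(f"value for {attr!r} inside block for {current[1]!r}")
            current[2].append(val)
    if current is not None:
        ops.append(current)
    return {"dn": dn, "ops": ops}


def deletes_whole_attribute(op: Op) -> bool:
    """A delete with no listed values removes every value of that attribute."""
    return op[0] == "delete" and not op[2]


if __name__ == "__main__":
    rec = parse_modify_record(SAMPLE_LDIF)
    print("target:", rec["dn"])
    for op in rec["ops"]:
        note = "removes all values" if deletes_whole_attribute(op) else ""
        print(op, note)
```

Run it as-is to see the two whole-attribute deletes the thread's LDIF would apply to cn=config; pass any other modify record to parse_modify_record to check the dn and operations before handing the file to an offline tool.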