Full_Name: Victor Angelier
Version: OpenLDAP: slapd 2.4.44
OS: CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
When using OpenLDAP with NSS DB in an HA setup, you cannot change the TLS certificate name through LDIF with ldapmodify.
The only way to update the TLS certificate name is by editing the cn=config.ldif file, which breaches the signature.
This is a serious issue, especially with an HA setup.
Reproduce:
Install and set up OpenLDAP in HA (I have 2 nodes). Configure it so that it uses NSS DB.
cat /etc/openldap/slapd.d/cn=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 13782a66
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSProtocolMin: 3.3
olcTLSCipherSuite: ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL:!SSLV3
olcTLSDHParamFile: /etc/openldap/ssl/dhparams
structuralObjectClass: olcGlobal
entryUUID: ef483c7c-da8d-1038-907a-df6f97fe6ec7
creatorsName: cn=config
createTimestamp: 20190314101611Z
olcTLSCACertificatePath: /etc/openldap/ssl
olcTLSCACertificateFile: /etc/pki/tls/certs/ca-bundle.crt
olcTLSCertificateFile: "Cyberdyne Security"
olcTLSCertificateKeyFile: /etc/openldap/ssl/password
olcTLSVerifyClient: allow
olcServerID: 1 ldaps://ldap-n1.cyberdynesecurity.ae
olcServerID: 2 ldaps://ldap-n2.cyberdynesecurity.ae
olcLogFile: /var/log/slapd.log
entryCSN: 20190507074650.989216Z#000000#001#000000
modifiersName: cn=Manager,dc=cyberdynesecurity,dc=ae
modifyTimestamp: 20190507074650Z
contextCSN: 20190507074650.989216Z#000000#001#000000
contextCSN: 20190402094130.452589Z#000000#002#000000
Now try to change "olcTLSCertificateFile" through LDIF:
vi change.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: "new certificate name"
ldapmodify -Y EXTERNAL -H ldapi:/// -f edit.ldif -v
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
replace olcTLSCertificateFile:
        "new certificate name"
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
If "olcTLSCertificateFile" is set to an existing file like /tmp/certificate.crt it works fine.
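Added pre-flight check (not part of the report or of OpenLDAP): with the NSS backend, olcTLSCertificateFile names a certificate nickname rather than a file, so before replacing it through ldapmodify this script confirms that the nickname is present in the NSS DB at olcTLSCACertificatePath (/etc/openldap/ssl in the report) and then dry-runs the modify. The assumptions are that a nickname missing from the DB is one way the cn=config modify can be rejected, the function names are mine, and the certutil listing embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example, not OpenLDAP's own tooling. Assumption: slapd re-initialises its TLS
# context when cn=config is modified, so a nickname that is not in the NSS DB can make
# the ldapmodify fail. Checking first avoids touching cn=config.ldif by hand.
NSSDB_DIR="${NSSDB_DIR:-/etc/openldap/ssl}"   # olcTLSCACertificatePath from the report

# Parse `certutil -L -d <dir>` output (passed in as text) and succeed only if
# NICKNAME is listed. Certificate rows are "<nickname>   <trust flags>", where the
# trust flags look like "u,u,u" or "CT,C,C"; header lines never match that shape.
nss_has_nickname() {
    listing="$1"; wanted="$2"
    printf '%s\n' "$listing" | awk -v want="$wanted" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {  # only real certificate rows
            sub(/[ \t]+[^ \t]*$/, "")               # drop the trust-flag column
            if ($0 == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Emit the same LDIF the report uses, with the nickname quoted as in cn=config.ldif.
make_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcTLSCertificateFile\nolcTLSCertificateFile: "%s"\n' "$1"
}

# On a real node: list the DB, check the nickname, then show what ldapmodify would do
# (-n) before anyone runs it for real with -Y EXTERNAL over ldapi:///.
preflight_tls_nickname() {
    nick="$1"
    listing=$(certutil -L -d "$NSSDB_DIR") || return 2
    nss_has_nickname "$listing" "$nick" || { echo "nickname '$nick' not in $NSSDB_DIR" >&2; return 1; }
    make_ldif "$nick" | ldapmodify -Y EXTERNAL -H ldapi:/// -n -v
}

# Constructed sample of `certutil -L` output, used so the parser can be exercised offline.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Cyberdyne Security                                           u,u,u
CA bundle                                                    CT,C,C'

if [ -n "${1:-}" ]; then preflight_tls_nickname "$1"; fi
```

Run it as `sh preflight.sh "new certificate name"` on a node; a non-zero exit with the "not in" message means the nickname must be imported into the NSS DB first.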