"POISSON Frédéric" wrote:

Hello all,

Thanks first for the patch, i have applied it on my own build of 2.4.36 but i have now a strange behavior, the slapd do not crash but it refused operations.

First here is the diff after applying the patch : $ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig 3795d3794 < slap_tls_ctx = NULL; 3804,3808d3802 < } else { < if ( rc == LDAP_NOT_SUPPORTED ) < rc = LDAP_UNWILLING_TO_PERFORM; < else < rc = LDAP_OTHER;

Now when i only add or replace only attribute olcTLSRandFile on cn=config i have :

ldap_modify: Server is unwilling to perform (53)

When i replace following values in this order with 4 actions/operations or with a single action/operation it works :

dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem

replace: olcTLSCertificateFile olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem

replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem

replace: olcTLSRandFile olcTLSRandFile: /dev/random

But it don't works with only olcTLSRandfile if i do an add or replace first, why ?

What do you need for investigation ?

There's nothing to investigate, this works as designed. The config engine requires your TLS configuration to be valid when you configure it. That means at a minimum you must configure a server cert and key. If you only configure the randfile and nothing else, the config is rejected.