Hi Howard,
Howard Chu wrote:
^^ shouldn't this also be replace: ?
By default, the Openldap-Servers-Symas package (or openldap-servers from the default repository) doesn't have an olcTLSCACertificateFile entry. Because of this, I used the add operation instead of replace.
I tried to set these entries in cn=config using the commands below:
    systemctl stop slapd
    slapcat -n 0 >> config.ldif
    rm -rf /etc/openldap/slapd.d/*
    cat config.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0
    chown ldap:ldap -R /etc/openldap/slapd.d
I managed to set these entries, but slapd didn't start, and when I checked systemctl status slapd I saw that slapd was not able to read the key file. I checked again, and the ldap user has privileges to read all the files set in olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile.
[root@localhost ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-07-18 11:55:29 -03; 2h 5min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 2133 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 2120 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 1928 (code=exited, status=0/SUCCESS)

Jul 18 11:55:29 localhost.localdomain runuser[2123]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 18 11:55:29 localhost.localdomain slapd[2133]: @(#) $OpenLDAP: slapd 2.4.47 (Mar 11 2019 17:22:04) $ build@c7rpm :/home/build/git/rheldap/RHEL7_x86_64/BUILD...lapd
Jul 18 11:55:29 localhost.localdomain slapd[2133]: main: TLS init def ctx failed: -1
Jul 18 11:55:29 localhost.localdomain slapd[2133]: Enter PEM pass phrase:
Jul 18 11:55:29 localhost.localdomain slapd[2133]: slapd stopped.
Jul 18 11:55:29 localhost.localdomain slapd[2133]: connections_destroy: nothing to destroy.
Jul 18 11:55:29 localhost.localdomain systemd[1]: slapd.service: control process exited, code=exited status=1
Jul 18 11:55:29 localhost.localdomain systemd[1]: Failed to start OpenLDAP Server Daemon.
Jul 18 11:55:29 localhost.localdomain systemd[1]: Unit slapd.service entered failed state.
Jul 18 11:55:29 localhost.localdomain systemd[1]: slapd.service failed.
-----
[root@localhost ~]# ls /etc/openldap/certs -l
total 100
-rw-r--r--. 1 root ldap  2078 Jul 18 10:47 ca.cert.pem
-rw-r--r--. 1 root root 65536 Jul 15 15:16 cert8.db
-rw-r--r--. 1 root root 16384 Jul 15 15:16 key3.db
-rw-r--r--. 1 root ldap  3326 Jul 18 10:47 ldap.key.pem
-rw-r--r--. 1 root ldap  1732 Jul 18 10:47 ldap.local.csr
-rw-r--r--. 1 root ldap  2102 Jul 18 11:55 ldap.local.pem
-r--r-----. 1 root ldap    45 Jun 21 16:09 password
-rw-r--r--. 1 root root 16384 Jun 21 16:09 secmod.db
Note: I changed the olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile files to ca.cert.pem, ldap.local.pem and ldap.key.pem respectively.
I'm starting to think about testing it on a Debian system, hoping it works better. I have no idea about it.
-- Igor Sousa
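An added example, not part of the thread above and not OpenLDAP's own tooling: a small POSIX shell pre-flight check for the files named in olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile. It looks for the two conditions that the journal output in the post points at: a passphrase-protected PEM key (the "Enter PEM pass phrase:" line, which a daemon started by systemd cannot answer) and a key that the service user cannot read, or that everyone can read. It assumes the service user is `ldap` with a primary group of the same name, as in the `slapd -u ldap` line on the page; the sample key files it writes to a temporary directory are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original thread: pre-flight checks for the files
# named in olcTLSCACertificateFile, olcTLSCertificateFile and
# olcTLSCertificateKeyFile, run before restarting slapd.

# Exit 0 when the PEM file is passphrase-protected (either the legacy
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 ENCRYPTED PRIVATE KEY block).
# slapd has no way to answer the "Enter PEM pass phrase:" prompt, so such a
# key makes TLS initialisation fail at startup.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Print how the service user can reach the file: "ok", "unreadable" or
# "world-readable" (readable, but a private key should never be). Assumption:
# the user's primary group carries the same name, as the ldap user does.
file_access() {
    f=$1; user=$2
    set -- $(ls -ld "$f")
    mode=$1; owner=$3; group=$4
    # mode string: type, then user/group/other rwx triplets (char 8 = other read)
    case $mode in ???????r*) echo world-readable; return 0;; esac
    if [ "$owner" = "$user" ]; then
        case $mode in ?r*) echo ok; return 0;; esac
    elif [ "$group" = "$user" ]; then
        case $mode in ????r*) echo ok; return 0;; esac
    fi
    echo unreadable
}

# Combined verdict for a key file: "encrypted", otherwise the access result.
check_key() {
    if key_is_encrypted "$1"; then echo encrypted; else file_access "$1" "$2"; fi
}

# Constructed sample files (not real keys) so the script runs offline.
demo=$(mktemp -d)
cat > "$demo/encrypted.key.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

bm90IGEgcmVhbCBrZXksIGp1c3QgY29uc3RydWN0ZWQgc2FtcGxlIGRhdGE=
-----END RSA PRIVATE KEY-----
EOF
cat > "$demo/plain.key.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
bm90IGEgcmVhbCBrZXksIGp1c3QgY29uc3RydWN0ZWQgc2FtcGxlIGRhdGE=
-----END PRIVATE KEY-----
EOF
cp "$demo/plain.key.pem" "$demo/world.key.pem"
chmod 640 "$demo/encrypted.key.pem" "$demo/plain.key.pem"
chmod 644 "$demo/world.key.pem"

# The demo uses the current user; on a real host pass "ldap" instead.
me=$(id -un)
for f in encrypted.key.pem plain.key.pem world.key.pem; do
    printf '%s: %s\n' "$f" "$(check_key "$demo/$f" "$me")"
done
```

Run against the real paths as `check_key /etc/openldap/certs/ldap.key.pem ldap`; an "encrypted" verdict means the key must be re-exported without a passphrase (or the service wrapped so the passphrase is supplied non-interactively) before slapd can complete TLS setup, and "world-readable" means the key's mode should be tightened to owner/group only.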