Hi Howard,

Howard Chu wrote:

 ^^ shouldn't this also be replace: ?

By default, the Openldap-Servers-Symas package (or openldap-servers from the default repository) doesn't have an olcTLSCACertificateFile entry. Because of this, I used the add operation instead of replace.

I tried to set these entries in cn=config with the commands below:
systemctl stop slapd
slapcat -n 0 >> config.ldif
rm -rf /etc/openldap/slapd.d/*
cat config.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0
chown ldap:ldap -R /etc/openldap/slapd.d

I managed to set these entries, but slapd didn't start, and when I checked systemctl status slapd I saw that slapd couldn't read the key file. I checked again, and the ldap user has privileges to read all the files set in olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile.

[root@localhost ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-07-18 11:55:29 -03; 2h 5min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 2133 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 2120 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 1928 (code=exited, status=0/SUCCESS)

Jul 18 11:55:29 localhost.localdomain runuser[2123]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 18 11:55:29 localhost.localdomain slapd[2133]: @(#) $OpenLDAP: slapd 2.4.47 (Mar 11 2019 17:22:04) $
                                                           build@c7rpm:/home/build/git/rheldap/RHEL7_x86_64/BUILD...lapd
Jul 18 11:55:29 localhost.localdomain slapd[2133]: main: TLS init def ctx failed: -1
Jul 18 11:55:29 localhost.localdomain slapd[2133]: Enter PEM pass phrase:
Jul 18 11:55:29 localhost.localdomain slapd[2133]: slapd stopped.
Jul 18 11:55:29 localhost.localdomain slapd[2133]: connections_destroy: nothing to destroy.
Jul 18 11:55:29 localhost.localdomain systemd[1]: slapd.service: control process exited, code=exited status=1
Jul 18 11:55:29 localhost.localdomain systemd[1]: Failed to start OpenLDAP Server Daemon.
Jul 18 11:55:29 localhost.localdomain systemd[1]: Unit slapd.service entered failed state.
Jul 18 11:55:29 localhost.localdomain systemd[1]: slapd.service failed.

-----

[root@localhost ~]# ls /etc/openldap/certs -l
total 100
-rw-r--r--. 1 root ldap  2078 Jul 18 10:47 ca.cert.pem
-rw-r--r--. 1 root root 65536 Jul 15 15:16 cert8.db
-rw-r--r--. 1 root root 16384 Jul 15 15:16 key3.db
-rw-r--r--. 1 root ldap  3326 Jul 18 10:47 ldap.key.pem
-rw-r--r--. 1 root ldap  1732 Jul 18 10:47 ldap.local.csr
-rw-r--r--. 1 root ldap  2102 Jul 18 11:55 ldap.local.pem
-r--r-----. 1 root ldap    45 Jun 21 16:09 password
-rw-r--r--. 1 root root 16384 Jun 21 16:09 secmod.db

OBS: I changed the olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile files to ca.cert.pem, ldap.local.pem and ldap.key.pem respectively.

I've started thinking about testing it on a Debian system, hoping it works better there. I don't have any idea about it.

--
Igor Sousa
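An added check, not code from this thread or from OpenLDAP, that a reader can run against the config.ldif produced by slapcat above: it reads the three olcTLS* attributes and reports a key file that is passphrase-protected, which is what the "Enter PEM pass phrase:" line right after "TLS init def ctx failed" in the log points to. It assumes POSIX sh, sed and grep; the file names and PEM contents at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: given the config.ldif produced by
# "slapcat -n 0", check the three olcTLS* file attributes the way slapd (run
# as "slapd -u ldap") would see them. Run it as the ldap user so that the
# "-r" tests reflect slapd's uid, e.g.  runuser -u ldap -- sh check-tls.sh

# Print the first value of attribute $2 in LDIF file $1 (plain values only).
ldif_attr() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# 0 if the PEM file holds a passphrase-protected private key, else 1.
# A systemd-started slapd cannot answer the "Enter PEM pass phrase:" prompt.
pem_key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Report on the CA, certificate and key files; returns 0 only if all look usable.
check_tls_config() {
    ldif=$1; rc=0
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        path=$(ldif_attr "$ldif" "$attr")
        if [ -z "$path" ]; then
            echo "MISSING: $attr is not set in $ldif"; rc=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE: $attr=$path (check owner, group and mode for the ldap user)"; rc=1
        elif [ "$attr" = olcTLSCertificateKeyFile ] && pem_key_is_encrypted "$path"; then
            echo "ENCRYPTED: $path needs a passphrase; expect 'TLS init def ctx failed'"; rc=1
        else
            echo "OK: $attr=$path"
        fi
    done
    return $rc
}

# Constructed sample: a cn=config LDIF pointing at a fake passphrase-protected key.
DEMO=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAAconstructedAAAA' \
    '-----END CERTIFICATE-----' > "$DEMO/ca.cert.pem"
cp "$DEMO/ca.cert.pem" "$DEMO/ldap.local.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'AAAAconstructedAAAA' \
    '-----END RSA PRIVATE KEY-----' > "$DEMO/ldap.key.pem"
printf 'dn: cn=config\nolcTLSCACertificateFile: %s\nolcTLSCertificateFile: %s\nolcTLSCertificateKeyFile: %s\n' \
    "$DEMO/ca.cert.pem" "$DEMO/ldap.local.pem" "$DEMO/ldap.key.pem" > "$DEMO/config.ldif"
check_tls_config "$DEMO/config.ldif" || echo "slapd would not start with this configuration"
```

A key that is reported as ENCRYPTED has to be stored unencrypted (with restrictive ownership and mode) before slapd can load it without a prompt.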