Hi everybody,

I've had some test aiming to understand why when I try to add/replace olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile the ldapmodify command returns "ldap_modify: Other (e.g., implementation specific) error (80)". Then, to remove all other variables, I've done a new simple installation:
Step 1: I've done a new CentOS 7 installation;
Step 2: I've added symas repo following all steps described by https://repo.symas.com/sofl/rhel7/;
Step 3: I've made sure that I've erased any other openldap version before to install symas-openldap server and client;

yum erase openldap-clients openldap-servers
yum -y update
yum install -y symas-openldap-clients symas-openldap-servers

Step 4:
I haven't done any modification before to replace olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile;
Step 5: I've generated CA key, CA certificate, ldap key, ldap certificate and I've signed ldap certificate with CA:

echo 0001 > serial
touch index.txt
openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096
openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
openssl genrsa -aes256 -out /etc/pki/CA/private/ldap.local.key 4096
openssl req -new -key /etc/pki/CA/private/ldap.local.key -out /etc/pki/CA/certs/ldap.local.csr
openssl ca -keyfile /etc/pki/CA/private/ca.key.pem -cert /etc/pki/CA/certs/ca.cert.pem -in /etc/pki/CA/certs/ldap.local.csr -out /etc/pki/CA/certs/ldap.local.crt

Step 6: I've copy ldap.local.key, ldap.local.crt and ca.cert.pem to /etc/openldap/certs and change the owner group to ldap.
chown :ldap /etc/openldap/certs/ldap.local.key
chown :ldap /etc/openldap/certs/ldap.local.crt
chown :ldap /etc/openldap/certs/ca.cert.pem
Step 7: I've tried replace olcTLSCACertificateFileolcTLSCertificateFile and olcTLSCertificateKeyFile with following ldif <tls.ldif>:
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.local.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.local.crt
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem

It hasn't mattered what I've done, when I've ran ldapmodify command, it has returned me the same error.

[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f 5tls.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

I can change olcSuffix, change olcRootDN, change olcRootPW and I do other modification by ldif+ldapmodify normally.

Simply I don't understand what it is wrong in this ldif and appreciate your help.

--
Igor Sousa


Em sex, 12 de jul de 2019 às 09:30, Igor Sousa <igorvolt@gmail.com> escreveu:
Howard and Quanah,

I think I understand what you have said me, but I am not still understanding what the reason to my ldif doesn't work. Thankfully my environment is a test environment. I have other test environment that has a difference between the first: I modified the first environment database to mdb database while the second is default installation where database is hdb (default).

In the second environment, I can modify olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile normally.
For modify the first environment:
  1. I stopped sladp service;
  2. I got olc configurations from slapcat -n 0 command like: slapcat -n 0 >> config.ldif;
  3. I added olcModuleLoad back_mdb on dn: cn=module{0},cn=config (I verified the olcModulePath and /usr/lib64;
  4. I modified on dn: olcDatabase={2}hdb,cn=config the following attributes:
    • dn: olcDatabase={2}hdb,cn=config to dn: olcDatabase={2}mdb,cn=config
    • objectClass: olcHdbConfig to objectClass: olcMdbConfig
    • olcDatabase: {2}hdb to olcDatabase: {2}mdb
    • structuralObjectClass: olcHdbConfig to structuralObjectClass: olcMdbConfig
    • And finally, I ran this two command:
      • cat config.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0
      • chown -R /etc/openldap/slapd.d (to solve owner problem after run this command as root)
OBS:  I've mounted environment on CentOS 7, added symas' repository and install from yum.

Is possible I have done something wrong in convert process?

--
Igor Sousa


Em qui, 11 de jul de 2019 às 22:56, Howard Chu <hyc@symas.com> escreveu:
Quanah Gibson-Mount wrote:
> --On Thursday, July 11, 2019 5:29 PM -0300 Igor Sousa <igorvolt@gmail.com> wrote:
>
>> I've tested your suggestion and delete operation has worked fine, but
>> I've still had the same problem described previously when I've tried add
>> new olcTLSCertificateFile or new olcTLSCertificateKeyFile or new
>> olcTLSCACertificateFile. I don't understand the reason for that.
>
>>> You're likely hitting ITS#8286  with the replace operations.  Another
> idea may be to change replace to a delete+add in the same operation sequence.
>
>
> <https://www.openldap.org/its/index.cgi/?findid=8286>
>
> The details in the ITS aren't as flushed out as they probably should be, but if a configuration element is missing an EQUALITY matching rule, then you generally
> cannot use a replace OP on them.

That's not correct. A replace op always works. It is only [Delete/Add] value that requires an equality rule.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/