Step 1: I've done a new CentOS 7 installation;
Step 2: I've added symas repo following all steps described by https://repo.symas.com/sofl/rhel7/;
Step 3: I've made sure that I've erased any other openldap version before to install symas-openldap server and client;
yum erase openldap-clients openldap-serversyum -y updateyum install -y symas-openldap-clients symas-openldap-servers
Step 4: I haven't done any modification before to replace olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile;
Step 5: I've generated CA key, CA certificate, ldap key, ldap certificate and I've signed ldap certificate with CA:
echo 0001 > serial
touch index.txt
openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096
openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
openssl genrsa -aes256 -out /etc/pki/CA/private/ldap.local.key 4096
openssl req -new -key /etc/pki/CA/private/ldap.local.key -out /etc/pki/CA/certs/ldap.local.csr
openssl ca -keyfile /etc/pki/CA/private/ca.key.pem -cert /etc/pki/CA/certs/ca.cert.pem -in /etc/pki/CA/certs/ldap.local.csr -out /etc/pki/CA/certs/ldap.local.crt
Step 6: I've copy ldap.local.key, ldap.local.crt and ca.cert.pem to /etc/openldap/certs and change the owner group to ldap.
chown :ldap /etc/openldap/certs/ldap.local.keychown :ldap /etc/openldap/certs/ldap.local.crtchown :ldap /etc/openldap/certs/ca.cert.pem
Step 7: I've tried replace olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile with following ldif <tls.ldif>:
It hasn't mattered what I've done, when I've ran ldapmodify command, it has returned me the same error.dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.local.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.local.crt
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f 5tls.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Howard and Quanah,I think I understand what you have said me, but I am not still understanding what the reason to my ldif doesn't work. Thankfully my environment is a test environment. I have other test environment that has a difference between the first: I modified the first environment database to mdb database while the second is default installation where database is hdb (default).
In the second environment, I can modify olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile normally.For modify the first environment:
- I stopped sladp service;
- I got olc configurations from slapcat -n 0 command like: slapcat -n 0 >> config.ldif;
- I added olcModuleLoad back_mdb on dn: cn=module{0},cn=config (I verified the olcModulePath and /usr/lib64;
- I modified on dn: olcDatabase={2}hdb,cn=config the following attributes:
- dn: olcDatabase={2}hdb,cn=config to dn: olcDatabase={2}mdb,cn=config
- objectClass: olcHdbConfig to objectClass: olcMdbConfig
- olcDatabase: {2}hdb to olcDatabase: {2}mdb
- structuralObjectClass: olcHdbConfig to structuralObjectClass: olcMdbConfig
- And finally, I ran this two command:
- cat config.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0
- chown -R /etc/openldap/slapd.d (to solve owner problem after run this command as root)
OBS: I've mounted environment on CentOS 7, added symas' repository and install from yum.Is possible I have done something wrong in convert process?--
Igor SousaEm qui, 11 de jul de 2019 às 22:56, Howard Chu <hyc@symas.com> escreveu:Quanah Gibson-Mount wrote:
> --On Thursday, July 11, 2019 5:29 PM -0300 Igor Sousa <igorvolt@gmail.com> wrote:
>
>> I've tested your suggestion and delete operation has worked fine, but
>> I've still had the same problem described previously when I've tried add
>> new olcTLSCertificateFile or new olcTLSCertificateKeyFile or new
>> olcTLSCACertificateFile. I don't understand the reason for that.
>
>>> You're likely hitting ITS#8286 with the replace operations. Another
> idea may be to change replace to a delete+add in the same operation sequence.
>
>
> <https://www.openldap.org/its/index.cgi/?findid=8286>
>
> The details in the ITS aren't as flushed out as they probably should be, but if a configuration element is missing an EQUALITY matching rule, then you generally
> cannot use a replace OP on them.
That's not correct. A replace op always works. It is only [Delete/Add] value that requires an equality rule.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/