I have been trying to replace the SSL cert settings on my OpenLDAP instance running on Ubuntu using ldapmodify.
I followed directions on the Ubuntu wiki:
https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls
using a modified ldif file for the replace:
dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem When it didn’t work on my existing instance I built a new instance in a new Ubuntu VM (14.04) and tried the original directions from Ubuntu. That did not work either.
The ldapmodify command executes correctly but it seems that the change is not registered by the server. This is the case in both the new instance and the old instance of OpenLDAP.
I ended up replacing the values (or adding them in the new instance) in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the changes manually and restarting slapd works, but my understanding was that changes to cn=config should be made through ldapmodify.
I also found a tech note at CentOS:
https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Re...
in section 2.2.2.2 that indicates changes to cn=config will be ignored:
"If an attribute is added to cn=config, the server ignores it."
So am I mistaken? Do I need to do something different? I would prefer to manage the config with ldapmodify, but since I don’t change cn=config that often, I can change it manually.
Robert