Recently I upgraded my Ubuntu Server 8.04 to 8.10 and had to reconfigure OpenLDAP (installed by apt-get) through the slapd backend database (I used slapd.config before). I reconfigured OpenLDAP with "sudo dpkg-reconfigure slapd" and confirmed all prior settings; however, the old database was moved to /var/backup/ and a fresh one was generated (please see the config tree at the end).
The problem is, I get the following error message:

ldap_modify: Object class violation (65)
additional info: attribute 'olcTLSCACertificateFile' not allowed

(even olcTLSCertificateFile, if I leave out olcTLSCACertificateFile... olcTLS* seems "not allowed")

when I try to configure TLS with ldapmodify:

ldapmodify -D cn=admin,cn=config -W -x

by entering this:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servercert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/serverkey.pem
The config tree is as follows (I will change "mydomain" and the ACL later):

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=mydomain,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=org" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
Here's my "sudo apt-cache show slapd" package information:

Package: slapd
Priority: optional
Section: net
Installed-Size: 3872
Maintainer: Ubuntu Core Developers ubuntu-devel-discuss@lists.ubuntu.com
Original-Maintainer: Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Architecture: i386
Source: openldap
Version: 2.4.11-0ubuntu6
Replaces: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-utils (<< 2.2.23-3), libldap2
Provides: ldap-server, libslapi-2.4-2
Depends: libc6 (>= 2.4), libdb4.2, libgcrypt11 (>= 1.4.0), libgnutls26 (>= 2.4.0-0), libldap-2.4-2 (= 2.4.11-0ubuntu6), libltdl7 (>= 2.2.4), libperl5.10 (>= 5.10.0), libsasl2-2, libslp1, libtasn1-3 (>= 0.3.4), libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11-1), zlib1g (>= 1:1.1.4), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser
Pre-Depends: debconf (>= 0.5) | debconf-2.0
Recommends: libsasl2-modules, apparmor (>= 2.1+1075-0ubuntu6)
Suggests: ldap-utils
Conflicts: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd
Filename: pool/main/o/openldap/slapd_2.4.11-0ubuntu6_i386.deb
Size: 1466528
MD5sum: 41047db9f250c0e73e2e3c43c5d90f5a
SHA1: 4c23c98d55851fef7ec4ff5e4fa8d7cd1c885da9
SHA256: 107e5df3dea5a0571a2f99df1d7c919247a4223a991a99e8393b0915e39f1fc9
Description-de: OpenLDAP-Server (slapd)
 This is the OpenLDAP (Lightweight Directory Access Protocol) server (slapd). The server can be used to provide a standalone directory service.
Homepage: http://www.openldap.org/
Bugs: mailto:ubuntu-users@lists.ubuntu.com
Origin: Ubuntu
(libgnutls26 is of version: 2.4.1-1build1) Can someone help me with this "Object class violation (65)" problem concerning TLS?
Belem
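The error in the post above comes from where the attributes are applied, not from the attributes themselves: in the OpenLDAP 2.4 cn=config backend the olcTLS* attributes belong to the olcGlobal object class, so they are set on the entry "dn: cn=config", while olcDatabase={1}hdb,cn=config (olcDatabaseConfig / olcHdbConfig) does not allow them, which is exactly what "Object class violation (65)" reports. The script below is an added example, not code from the original post or from the OpenLDAP project: it parses an LDIF modify record, flags olcTLS* operations that target anything other than cn=config, and rewrites the record against the global entry. The sample LDIF embedded in it is the one from the post; the function names and the rule that any attribute starting with "olcTLS" is global are this example's own.

```python
"""Sanity-check an LDIF modify record for the OpenLDAP cn=config backend.

Added example (not part of the original post). Rule encoded here: olcTLS*
attributes live on "dn: cn=config" (object class olcGlobal), never on a
database entry such as olcDatabase={1}hdb,cn=config.
"""

# Constructed sample: the record the poster fed to ldapmodify.
POSTED_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servercert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/serverkey.pem
"""


def parse_modify_record(ldif_text):
    """Parse one 'changetype: modify' LDIF record into (dn, ops).

    ops is a list of (op, attribute, [values]) tuples, e.g.
    ("add", "olcTLSCertificateFile", ["/etc/ssl/certs/servercert.pem"]).
    Folded continuation lines (leading space) are joined as LDIF requires;
    comments and blank lines are skipped.
    """
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw.rstrip())

    dn, changetype, ops, current = None, None, [], None
    for line in lines:
        if line == "-":                      # end of one modify operation
            if current:
                ops.append(tuple(current))
                current = None
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            dn = value
        elif name == "changetype":
            changetype = value
        elif name in ("add", "replace", "delete"):
            if current:
                ops.append(tuple(current))
            current = [name, value, []]
        elif current and name == current[1]:
            current[2].append(value)
        else:
            raise ValueError("unexpected LDIF line: %r" % line)
    if current:
        ops.append(tuple(current))
    if dn is None or changetype != "modify":
        raise ValueError("not a changetype: modify record")
    return dn, ops


def misplaced_tls_ops(dn, ops):
    """Return the operations that put olcTLS* attributes on an entry other than cn=config."""
    if dn.replace(" ", "").lower() == "cn=config":
        return []
    return [op for op in ops if op[1].lower().startswith("olctls")]


def relocate_to_global(dn, ops):
    """Emit the same operations as an LDIF record against dn: cn=config."""
    out = ["dn: cn=config", "changetype: modify"]
    for i, (op, attr, values) in enumerate(ops):
        if i:
            out.append("-")
        out.append("%s: %s" % (op, attr))
        out.extend("%s: %s" % (attr, v) for v in values)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    dn, ops = parse_modify_record(POSTED_LDIF)
    for op, attr, _ in misplaced_tls_ops(dn, ops):
        print("%s: %s is global (olcGlobal); it does not belong on %s" % (op, attr, dn))
    print("Apply this instead (e.g. ldapmodify -D cn=admin,cn=config -W -x -f tls.ldif):")
    print(relocate_to_global(dn, ops))
```

The rewritten record is then applied with the same ldapmodify invocation the post uses. Two practical checks before doing so: on a freshly reconfigured cn=config the three attributes do not exist yet, so "add" is fine, but "replace" is the idempotent choice if the change may be re-run; and the daemon must be able to read the key file, since on Debian/Ubuntu slapd runs as the openldap user, which by default cannot read /etc/ssl/private (membership in the ssl-cert group is the usual way to grant that).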