On Oct 19, 2022, at 12:30 PM, Quanah Gibson-Mount quanah@fast-mail.org wrote:
--On Wednesday, October 19, 2022 1:24 PM -0400 Timothy Stonis tim@stonis.com wrote:
Hi,
I am trying to set up an OpenLDAP 2.6.3 server and I'd like to only use olc configuration (no slapd.conf file). So far things are going okay, but I'm having a problem with TLS configuration. I am able to enable TLS using a self-signed certificate without any problem; however, if I try to disable TLS using the following LDIF:
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
I get the following error:
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
I enabled debugging and cannot seem to see the error. I have also tried reordering the entries, doing one at a time, disabling ldaps:// binding, etc., but nothing seems to work. If I just remove the certificate and/or key files, then the server does not start. Is enabling TLS a one-way street? Or should I just use slapd.conf?
You could slapcat -n 0 -l config.ldif, remove the offending lines, and then use slapadd to re-import the configuration. What underlying TLS library is the server linked to?
Thanks for the suggestion. Prior, I tried using slapmodify to make the change, but I got the message the database was not writeable even running as root. Is there an ACL I need to set on cn=config to get slapmodify to work? It's linked against openssl 1.1.
As a second question, I read in an article online that there is a way to store the TLS cert(s) and key in the LDAP database itself. However, I cannot find any info on that in the documentation. Can anyone shed some light on that?
You can store TLS certificates in LDAP, but that would not be the same as slapd using those certificates for its own operation. You can also look at the slapo-autoca overlay on how to use OpenLDAP as a centralized CA.
Okay, I got the info they could be used directly from: "For TLS, under 2.4 the filesystem location of the keys and certificates were stored in cn=config; as of 2.5, the keys and certificates themselves can be stored inside the database." In this article:
https://www.symas.com/post/howard-chu-shares-what-to-expect-with-openldap-2-5
Regards, Quanah
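The slapcat / edit / slapadd route suggested in the thread, written out as an added shell example (not code from the thread or from the OpenLDAP project). It assumes the config directory /etc/openldap/slapd.d, a scratch file /tmp/config.ldif and a service user named ldap; the filter step is kept separate so it can be checked on a plain LDIF file before anything is re-imported.

```shell
#!/bin/sh
# Added example (not from the thread): the slapcat -> edit -> slapadd route
# described above, with the "edit" step done by an awk filter that drops the
# two TLS attributes without breaking LDIF folded lines (continuations start
# with one space) or base64 values (attr:: ...).
set -eu

CONFIG_DB=0                    # database number of cn=config
EXPORT=/tmp/config.ldif        # assumed scratch path for the export

# Drop olcTLSCertificateFile / olcTLSCertificateKeyFile, plus their folded
# continuation lines, from an LDIF stream on stdin; every other line is kept.
strip_tls_attrs() {
  awk '
    /^olcTLSCertificate(Key)?File::?/ { skip = 1; next }
    /^ /                              { if (skip) next }
                                      { skip = 0; print }
  '
}

# Count the cert/key attributes remaining on stdin; 0 means the filter worked.
count_tls_attrs() {
  grep -c -E '^olcTLSCertificate(Key)?File::?' || true
}

# Offline rewrite of cn=config. slapd must be stopped first: slapadd writes
# the backend directly, and a running server would not see (and may later
# overwrite) the change. Assumptions: -n 0 is cn=config, config dir as given,
# service user "ldap".
rewrite_config_without_tls() {
  conf_dir=${1:-/etc/openldap/slapd.d}   # assumed config directory
  slapcat -n "$CONFIG_DB" -F "$conf_dir" -l "$EXPORT.bak"   # untouched export
  strip_tls_attrs < "$EXPORT.bak" > "$EXPORT"
  if [ "$(count_tls_attrs < "$EXPORT")" -ne 0 ]; then
    echo "TLS attributes still present in $EXPORT" >&2
    return 1
  fi
  mv "$conf_dir" "$conf_dir.bak"         # slapadd wants an empty config dir
  mkdir "$conf_dir"
  slapadd -n "$CONFIG_DB" -F "$conf_dir" -l "$EXPORT"
  chown -R ldap:ldap "$conf_dir"         # assumed service user
}
```

Keep the .bak copies until slapd starts cleanly without TLS; they are the only way back if the re-import fails.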