On Oct 19, 2022, at 12:30 PM, Quanah Gibson-Mount <quanah@fast-mail.org> wrote:

--On Wednesday, October 19, 2022 1:24 PM -0400 Timothy Stonis <tim@stonis.com> wrote:

Hi,

I am trying to setup an OpenLDAP 2.6.3 server and I'd like to only use
olc configuration (no slapd.conf file). So far things are going okay, but
I'm having a problem with TLS configuration. I am able to enable TLS
using a self-signed certificate without any problem, however, if I try to
disable TLS using the following LDIF:

dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-

I get the following error:

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

I enabled debugging and cannot seem to see the error. I have also tried
reordering the entries, doing one at a time, disabling ldaps:// binding,
etc but nothing seems to work. If I just remove the certificate and/or
key files, then the server does not start. Is enabling TLS a one way
street? Or, should I just use slapd.conf?

You could slapcat -n 0 -l config.ldif, remove the offending lines, and then use slapadd to re-import the configuration.  What underlying TLS library is the server linked to?

As a second question, I read in an article online that there is a way to
store the TLS cert(s) and key in the LDAP database itself. However, I
cannot find any info on that in the documentation. Can anyone shed some
light on that?

You can store TLS certificates in LDAP, but that would not be the same as slapd using those certificates for its own operation.  You can also look at the slapo-autoca overlay on how to use OpenLDAP as a centralized CA.

Regards,
Quanah