I have not mentioned that my Let's Encrypt certificate is not SAN but wildcard.
On Thu, Feb 27, 2020 at 1:10 PM jean-christophe manciot actionmystique@gmail.com wrote:
Hi everyone,
On Ubuntu 20.04 slapd 2.4.49+dfsg-1ubuntu1 with /etc/ldap/tls.ldif:
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/domain.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/domain_priv_key.pem.decrypted
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/letsencrypt_root_intermediate_bundle.pem
- All files are readable by the openldap user.
- domain.crt is in PEM format.
- letsencrypt_root_intermediate_bundle.pem contains isrgrootx1.pem + letsencryptauthorityx3.pem.
Yet, if I run: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f tls.ldif
I get in the logs:
daemon: read active on 12
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
conn=1001 op=1 MOD dn="cn=config"
daemon: activity on:
conn=1001 op=1 MOD attr=olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCACertificateFile
=> access_allowed: result not in cache (olcTLSCertificateFile)
=> access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
daemon: epoll: listen=8 active_threads=0 tvp=zero
=> acl_get: [1] attr olcTLSCertificateFile
daemon: epoll: listen=9 active_threads=0 tvp=zero
=> acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
daemon: epoll: listen=10 active_threads=0 tvp=zero
=> acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= acl_mask: [1] applying manage(=mwrscxd) (stop)
<= acl_mask: [1] mask: manage(=mwrscxd)
=> slap_access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: result not in cache (olcTLSCertificateKeyFile)
=> access_allowed: add access to "cn=config" "olcTLSCertificateKeyFile" requested
=> acl_get: [1] attr olcTLSCertificateKeyFile
=> acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
=> acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= acl_mask: [1] applying manage(=mwrscxd) (stop)
<= acl_mask: [1] mask: manage(=mwrscxd)
=> slap_access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: result not in cache (olcTLSCACertificateFile)
=> access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
=> acl_get: [1] attr olcTLSCACertificateFile
=> acl_mask: access to entry "cn=config", attr "olcTLSCACertificateFile" requested
=> acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= acl_mask: [1] applying manage(=mwrscxd) (stop)
<= acl_mask: [1] mask: manage(=mwrscxd)
=> slap_access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: add access granted by manage(=mwrscxd)
conn=1001 op=1 RESULT tag=103 err=80 text=
daemon: activity on 1 descriptor
daemon: activity on: 12r
What is going on? My logging attributes are: conns filter config acl stats stats2 shell parse
Is there a way to get more explicit logging?
Jean-Christophe
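A note on the trace above: err=80 is LDAP "other" (LDAP_OTHER), the generic result slapd returns when a cn=config modify fails for a reason that is not an access-control or schema violation, and the ACL lines show manage access was granted for all three attributes, so the failure happened after access control, while the new TLS settings were being applied. The first thing worth doing before re-running ldapmodify is a pre-flight check of the three files from the point of view of the unprivileged slapd user. The script below is an added example written for this thread; it is not the poster's code and not part of OpenLDAP. It uses only the Python standard library, so it inspects PEM framing and POSIX read permissions but cannot validate signatures or prove the key belongs to the certificate (the openssl commands after the block do that). The fixture files it writes are constructed dummies with placeholder bodies that mirror the file names in the LDIF; the uid/gid values it checks against are taken from the current process because the openldap account may not exist where this runs.

```python
"""Pre-flight checks for the three files an olcTLS* LDIF points slapd at.

Added example for this thread, not code from the poster or from OpenLDAP.
Stdlib only: checks PEM framing and read permissions, nothing cryptographic.
"""
import os
import re
import stat
import tempfile

# One PEM block: a BEGIN label, a body, and an END line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(path):
    """Return [(label, body)] for every PEM block in the file; [] for DER or garbage."""
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", errors="replace")
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def readable_by(path, uid, gids):
    """Could a process with this uid and these gids open(path) for reading?
    Search (x) bits on parent directories are deliberately not checked here."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_files(cert_path, key_path, ca_path, uid, gids):
    """Return a list of problems; an empty list means the files look usable by slapd."""
    problems = []
    files = {"olcTLSCertificateFile": cert_path,
             "olcTLSCertificateKeyFile": key_path,
             "olcTLSCACertificateFile": ca_path}
    for attr, path in files.items():
        if not os.path.isfile(path):
            problems.append(f"{attr}: {path} is missing")
        elif not readable_by(path, uid, gids):
            problems.append(f"{attr}: {path} is not readable by uid {uid}")
    if problems:
        return problems  # nothing else can be inspected until the files open

    if not [b for b in pem_blocks(cert_path) if b[0] == "CERTIFICATE"]:
        problems.append("olcTLSCertificateFile: no PEM CERTIFICATE block (DER or wrong file?)")

    keys = pem_blocks(key_path)
    labels = {label for label, _ in keys}
    legacy_encrypted = any("Proc-Type: 4,ENCRYPTED" in body for _, body in keys)
    if "ENCRYPTED PRIVATE KEY" in labels or legacy_encrypted:
        problems.append("olcTLSCertificateKeyFile: key is passphrase-protected; slapd cannot prompt for it")
    elif not labels & PRIVATE_KEY_LABELS:
        problems.append("olcTLSCertificateKeyFile: no PEM private key block found")
    if os.stat(key_path).st_mode & stat.S_IROTH:
        problems.append("olcTLSCertificateKeyFile: private key is world-readable")

    chain = [b for b in pem_blocks(ca_path) if b[0] == "CERTIFICATE"]
    if not chain:
        problems.append("olcTLSCACertificateFile: no CERTIFICATE blocks; expected root + intermediate")
    return problems


def _pem(label, body="MIIBcGxhY2Vob2xkZXI="):
    # Placeholder body: only the PEM framing is inspected, never the contents.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def write_fixture(directory, encrypted_key=False, key_mode=0o600):
    """Write constructed dummy files mirroring the thread's layout (not real certificates)."""
    cert = os.path.join(directory, "domain.crt")
    key = os.path.join(directory, "domain_priv_key.pem.decrypted")
    ca = os.path.join(directory, "letsencrypt_root_intermediate_bundle.pem")
    with open(cert, "w") as fh:
        fh.write(_pem("CERTIFICATE"))
    with open(key, "w") as fh:
        fh.write(_pem("ENCRYPTED PRIVATE KEY" if encrypted_key else "PRIVATE KEY"))
    with open(ca, "w") as fh:
        fh.write(_pem("CERTIFICATE") + _pem("CERTIFICATE"))  # root + intermediate
    os.chmod(cert, 0o644)
    os.chmod(ca, 0o644)
    os.chmod(key, key_mode)
    return cert, key, ca


def run_demo():
    """Run the checker over a good fixture, an encrypted-key fixture and an unreadable-key fixture."""
    uid, gids = os.getuid(), {os.getgid()}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["good"] = check_tls_files(*write_fixture(d), uid, gids)
    with tempfile.TemporaryDirectory() as d:
        results["encrypted_key"] = check_tls_files(*write_fixture(d, encrypted_key=True), uid, gids)
    with tempfile.TemporaryDirectory() as d:
        # A 0600 key owned by us, checked as a different unprivileged uid: what slapd would see.
        results["unreadable"] = check_tls_files(*write_fixture(d, key_mode=0o600), uid + 1, set())
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {problems or 'OK'}")
```

What this cannot tell you is whether the key and certificate belong together or whether the bundle actually chains the certificate; for that, compare `openssl x509 -in /etc/ssl/domain.crt -noout -pubkey` with `openssl pkey -in /etc/ssl/domain_priv_key.pem.decrypted -pubout` (the two outputs must be identical) and run `openssl verify -CAfile /etc/ssl/letsencrypt_root_intermediate_bundle.pem /etc/ssl/domain.crt`. Running the openssl commands as the service account (`sudo -u openldap ...`) also exercises the parent-directory permissions the script skips. For more explicit output than the loglevel keywords give, starting slapd in the foreground with `slapd -d -1` prints every debug category, including what the TLS layer reports while it loads these files.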