I have been trying to replace the SSL cert settings on my OpenLDAP instance running on Ubuntu using ldapmodify.
I followed directions on the Ubuntu wiki:
https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls
using a modified ldif file for the replace:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

When it didn’t work on my existing instance I built a new instance in a new Ubuntu VM (14.04) and tried the original directions from Ubuntu. That did not work either.
The ldapmodify command executes correctly but it seems that the change is not registered by the server. This is the case in both the new instance and the old instance of OpenLDAP.
I ended up replacing the values (or adding them in the new instance) in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the changes manually and restarting slapd works, but my understanding was that changes to cn=config should be made through ldapmodify.
I also found a tech note at CentOS:
https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Re...
in section 2.2.2.2 that indicates changes to cn=config will be ignored:
"If an attribute is added to cn=config, the server ignores it."
So am I mistaken? Do I need to do something different? I would prefer to manage the config with ldapmodify, but since I don’t change cn=config that often, I can change it manually.
Robert
Hi,
On 25/04/2015 15:10, Robert Munn wrote:
I have been trying to replace the SSL cert settings on my OpenLDAP instance running on Ubuntu using ldapmodify.
I followed directions on the Ubuntu wiki:
https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls
using a modified ldif file for the replace:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
All right
When it didn’t work on my existing instance I built a new instance in a new Ubuntu VM (14.04) and tried the original directions from Ubuntu. That did not work either.
Maybe you've missed some settings at build time like --with-tls
The ldapmodify command executes correctly but it seems that the change is not registered by the server. This is the case in both the new instance and the old instance of OpenLDAP.
No error message like "Insufficient access (50)"? And you should check the write (manage) rights to the cn=config database.
I ended up replacing the values (or adding them in the new instance) in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the changes manually and restarting slapd works, but my understanding was that changes to cn=config should be made through ldapmodify.
Bad practice, it's best to avoid.
I also found a tech note at CentOS:
https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Re... in section 2.2.2.2 that indicates changes to cn=config will be ignored:
"If an attribute is added to cn=config, the server ignores it."
So am I mistaken? Do I need to do something different? I would prefer to manage the config with ldapmodify, but since I don’t change cn=config that often, I can change it manually.
Robert
Cheers,
openldap-technical@openldap.org
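A runnable way to do what both messages discuss, as an added example that is not code from the thread, the Ubuntu guide or the OpenLDAP project: it builds the modify record with its "-" separators, checks it, applies it as root over ldapi:/// with SASL EXTERNAL (the mechanism the Ubuntu guide uses for cn=config), lists the olcAccess rules the reply suggests checking, and reads the values back. The file paths are the ones from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): manage the cn=config TLS settings with
# ldapmodify/ldapsearch over ldapi:/// as root instead of editing slapd.d.
CACERT=/etc/ssl/certs/cacert.pem
CERT=/etc/ssl/certs/ldap01_slapd_cert.pem
KEY=/etc/ssl/private/ldap01_slapd_key.pem

# Emit one modify record; each replace block after the first must follow a
# line holding only "-", which the flattened copy in the thread lost.
build_tls_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $2
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $3
EOF
}

# Return 0 if every add:/replace:/delete: line after the first is preceded
# by a "-" separator, 1 otherwise (catches a record mangled into one block).
check_modify_ldif() {
    awk '/^(add|replace|delete): / { if (seen && prev != "-") bad = 1; seen = 1 }
         /./ { prev = $0 }
         END { if (bad) exit 1; exit 0 }'
}

# Show who may write the config database (olcAccess on the config backend).
show_config_acl() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// \
        -b 'olcDatabase={0}config,cn=config' olcAccess
}

# Validate, then send the record; ldapmodify exits non-zero on errors such as
# "Insufficient access (50)", so a rejected change is not silently lost.
apply_tls_ldif() {
    build_tls_ldif "$CACERT" "$CERT" "$KEY" | check_modify_ldif || return 1
    build_tls_ldif "$CACERT" "$CERT" "$KEY" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Read the live values back from cn=config.
show_tls_config() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base \
        olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
}
```

Run `apply_tls_ldif && show_tls_config` under sudo; if ldapmodify reports Insufficient access (50), compare the output of `show_config_acl` with the identity you bind as.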