Hi,
I am trying to set up an OpenLDAP 2.6.3 server and I'd like to only use olc configuration (no slapd.conf file). So far things are going okay, but I'm having a problem with TLS configuration. I am able to enable TLS using a self-signed certificate without any problem, however, if I try to disable TLS using the following LDIF:
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-
I get the following error:
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
I enabled debugging and cannot seem to see the error. I have also tried reordering the entries, doing one at a time, disabling ldaps:// binding, etc., but nothing seems to work. If I just remove the certificate and/or key files, then the server does not start. Is enabling TLS a one-way street? Or, should I just use slapd.conf?
As a second question, I read in an article online that there is a way to store the TLS cert(s) and key in the LDAP database itself. However, I cannot find any info on that in the documentation. Can anyone shed some light on that?
Thank you in advance!
Tim
--On Wednesday, October 19, 2022 1:24 PM -0400 Timothy Stonis tim@stonis.com wrote:
Hi,
I am trying to set up an OpenLDAP 2.6.3 server and I'd like to only use olc configuration (no slapd.conf file). So far things are going okay, but I'm having a problem with TLS configuration. I am able to enable TLS using a self-signed certificate without any problem, however, if I try to disable TLS using the following LDIF:
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-
I get the following error:
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
I enabled debugging and cannot seem to see the error. I have also tried reordering the entries, doing one at a time, disabling ldaps:// binding, etc., but nothing seems to work. If I just remove the certificate and/or key files, then the server does not start. Is enabling TLS a one-way street? Or, should I just use slapd.conf?
You could slapcat -n 0 -l config.ldif, remove the offending lines, and then use slapadd to re-import the configuration. What underlying TLS library is the server linked to?
As a second question, I read in an article online that there is a way to store the TLS cert(s) and key in the LDAP database itself. However, I cannot find any info on that in the documentation. Can anyone shed some light on that?
You can store TLS certificates in LDAP, but that would not be the same as slapd using those certificates for its own operation. You can also look at the slapo-autoca overlay on how to use OpenLDAP as a centralized CA.
Regards, Quanah
On Oct 19, 2022, at 12:30 PM, Quanah Gibson-Mount quanah@fast-mail.org wrote:
--On Wednesday, October 19, 2022 1:24 PM -0400 Timothy Stonis tim@stonis.com wrote:
Hi,
I am trying to set up an OpenLDAP 2.6.3 server and I'd like to only use olc configuration (no slapd.conf file). So far things are going okay, but I'm having a problem with TLS configuration. I am able to enable TLS using a self-signed certificate without any problem, however, if I try to disable TLS using the following LDIF:
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-
I get the following error:
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
I enabled debugging and cannot seem to see the error. I have also tried reordering the entries, doing one at a time, disabling ldaps:// binding, etc., but nothing seems to work. If I just remove the certificate and/or key files, then the server does not start. Is enabling TLS a one-way street? Or, should I just use slapd.conf?
You could slapcat -n 0 -l config.ldif, remove the offending lines, and then use slapadd to re-import the configuration. What underlying TLS library is the server linked to?
Thanks for the suggestion. Prior, I tried using slapmodify to make the change, but I got the message the database was not writeable even running as root. Is there an ACL I need to set on cn=config to get slapmodify to work? It's linked against openssl 1.1.
As a second question, I read in an article online that there is a way to store the TLS cert(s) and key in the LDAP database itself. However, I cannot find any info on that in the documentation. Can anyone shed some light on that?
You can store TLS certificates in LDAP, but that would not be the same as slapd using those certificates for its own operation. You can also look at the slapo-autoca overlay on how to use OpenLDAP as a centralized CA.
Okay, I got the info they could be used directly from: "For TLS, under 2.4 the filesystem location of the keys and certificates were stored in cn=config; as of 2.5, the keys and certificates themselves can be stored inside the database." In this article:
https://www.symas.com/post/howard-chu-shares-what-to-expect-with-openldap-2-5
Regards, Quanah
--On Wednesday, October 19, 2022 2:25 PM -0400 Timothy Stonis tim@stonis.com wrote:
Thanks for the suggestion. Prior, I tried using slapmodify to make the change, but I got the message the database was not writeable even running as root. Is there an ACL I need to set on cn=config to get slapmodify to work? It's linked against openssl 1.1.
slapmodify is an offline command so no ACLs would apply. What was your exact slapmodify command?
Okay, I got the info they could be used directly from: "For TLS, under 2.4 the filesystem location of the keys and certificates were stored in cn=config; as of 2.5, the keys and certificates themselves can be stored inside the database." In this article:
https://www.symas.com/post/howard-chu-shares-what-to-expect-with-openldap-2-5
I checked with Howard; this was apparently implemented at the same time as slapo-autoca, but the docs on how to do this appear to be missing. Will see if an issue needs to be raised for a doc update.
Regards, Quanah
--On Wednesday, October 19, 2022 11:34 AM -0700 Quanah Gibson-Mount quanah@fast-mail.org wrote:
I checked with Howard; this was apparently implemented at the same time as slapo-autoca, but the docs on how to do this appear to be missing. Will see if an issue needs to be raised for a doc update.
Filed https://bugs.openldap.org/show_bug.cgi?id=9934
Thanks for bringing this to our attention!
Regards, Quanah
On Oct 19, 2022, at 1:34 PM, Quanah Gibson-Mount quanah@fast-mail.org wrote:
--On Wednesday, October 19, 2022 2:25 PM -0400 Timothy Stonis tim@stonis.com wrote:
Thanks for the suggestion. Prior, I tried using slapmodify to make the change, but I got the message the database was not writeable even running as root. Is there an ACL I need to set on cn=config to get slapmodify to work? It's linked against openssl 1.1.
slapmodify is an offline command so no ACLs would apply. What was your exact slapmodify command?
This is what I tried:
sudo slapmodify -F /var/openldap/openldap-data/ -q -l [LDIF file]
The ldif file had:
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-
The error was: "Available database(s) do not allow slapmodify"
Okay, I got the info they could be used directly from: "For TLS, under 2.4 the filesystem location of the keys and certificates were stored in cn=config; as of 2.5, the keys and certificates themselves can be stored inside the database." In this article:
https://www.symas.com/post/howard-chu-shares-what-to-expect-with-openldap-2-5
I checked with Howard; this was apparently implemented at the same time as slapo-autoca, but the docs on how to do this appear to be missing. Will see if an issue needs to be raised for a doc update.
Regards, Quanah
--On Wednesday, October 19, 2022 2:46 PM -0400 Timothy Stonis tim@stonis.com wrote:
This is what I tried:
sudo slapmodify -F /var/openldap/openldap-data/ -q -l [LDIF file]
The ldif file had:
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-
The error was: "Available database(s) do not allow slapmodify"
Ok, I would suggest trying the following:
sudo slapmodify -F /var/openldap/openldap-data/ -n 0 -l mod.ldif
(or whatever for the filename)
so that the database to be modified is explicitly called out (in this case, cn=config). This is usually necessary for cn=config based operations.
Regards, Quanah
On Oct 19, 2022, at 2:48 PM, Quanah Gibson-Mount quanah@fast-mail.org wrote:
--On Wednesday, October 19, 2022 2:46 PM -0400 Timothy Stonis tim@stonis.com wrote:
This is what I tried:
sudo slapmodify -F /var/openldap/openldap-data/ -q -l [LDIF file]
The ldif file had:
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-
The error was: "Available database(s) do not allow slapmodify"
Ok, I would suggest trying the following:
sudo slapmodify -F /var/openldap/openldap-data/ -n 0 -l mod.ldif
I finally had time to try this, and it works. Thank you for the help and suggestion!
Tim
(or whatever for the filename)
so that the database to be modified is explicitly called out (in this case, cn=config). This is usually necessary for cn=config based operations.
Regards, Quanah
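The offline route that resolved the thread (dump cn=config with slapcat -n 0, apply the modify LDIF with slapmodify -n 0, verify), scripted end to end as an added example; this is not code from the thread or from the OpenLDAP project. It assumes the -F directory Tim used, a slapd service unit named "slapd" managed by systemctl, and a backup directory of /var/backups/openldap; all three are assumptions and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed (hypothetical) defaults below:
# the cn=config directory from the thread, a systemd unit called "slapd",
# and an existing, root-only backup directory.
set -eu

CONFIG_DIR="${CONFIG_DIR:-/var/openldap/openldap-data}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/openldap}"
SLAPD_SERVICE="${SLAPD_SERVICE:-slapd}"

# The modify record from the thread, with the "-" line that terminates each
# change. Database number 0 is cn=config, so it is applied with -n 0.
tls_disable_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
-
EOF
}

# Count olcTLSCertificateFile / olcTLSCertificateKeyFile lines in a slapcat
# dump. grep -c prints 0 and exits 1 when nothing matches, so the exit status
# is ignored and only the printed count is used.
tls_attrs_remaining() {
    grep -cE '^olcTLS(CertificateFile|CertificateKeyFile):' "$1" || true
}

disable_tls_offline() {
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$BACKUP_DIR/config-$stamp.ldif"
    modldif="$BACKUP_DIR/disable-tls-$stamp.ldif"

    # slapmodify is an offline tool: stop slapd before touching the database.
    systemctl stop "$SLAPD_SERVICE"

    # Full dump of cn=config first; "slapadd -F $CONFIG_DIR -n 0 -l $backup"
    # restores it if the change has to be rolled back.
    slapcat -F "$CONFIG_DIR" -n 0 -l "$backup"

    tls_disable_ldif > "$modldif"
    # -n 0 names the config database explicitly; without it slapmodify
    # reports "Available database(s) do not allow slapmodify", as in the thread.
    slapmodify -F "$CONFIG_DIR" -n 0 -l "$modldif"

    # Verify against a fresh dump before bringing the server back up.
    after=$(mktemp)
    slapcat -F "$CONFIG_DIR" -n 0 -l "$after"
    left=$(tls_attrs_remaining "$after")
    rm -f "$after"
    if [ "$left" -ne 0 ]; then
        echo "TLS attributes still present ($left); restore from $backup" >&2
        return 1
    fi

    systemctl start "$SLAPD_SERVICE"
    echo "TLS disabled; cn=config backup at $backup"
}

# Only act when invoked with --apply, so sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    disable_tls_offline
fi
```

Run it as `sh disable-tls.sh --apply` as root. Because slapmodify rewrites files under the config directory, check afterwards that they are still owned by the account slapd runs as; files left owned by root are a common reason the server then fails to start.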
openldap-technical@openldap.org