Hello all,
Thanks first for the patch, i have applied it on my own build of 2.4.36 but i have now a strange behavior, the slapd do not crash but it refused operations.
First here is the diff after applying the patch : $ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig 3795d3794 < slap_tls_ctx = NULL; 3804,3808d3802 < } else { < if ( rc == LDAP_NOT_SUPPORTED ) < rc = LDAP_UNWILLING_TO_PERFORM; < else < rc = LDAP_OTHER;
Now when i only add or replace only attribute olcTLSRandFile on cn=config i have :
ldap_modify: Server is unwilling to perform (53)
When i replace following values in this order with 4 actions/operations or with a single action/operation it works :
dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem - replace: olcTLSCertificateFile olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem - replace: olcTLSRandFile olcTLSRandFile: /dev/random
But it don't works with only olcTLSRandfile if i do an add or replace first, why ?
What do you need for investigation ?
Regards, PS: Sorry this is my second post for a better reading... --
Frederic Poisson
"POISSON Frédéric" wrote:
Hello all,
Thanks first for the patch, i have applied it on my own build of 2.4.36 but i have now a strange behavior, the slapd do not crash but it refused operations.
First here is the diff after applying the patch : $ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig 3795d3794 < slap_tls_ctx = NULL; 3804,3808d3802 < } else { < if ( rc == LDAP_NOT_SUPPORTED ) < rc = LDAP_UNWILLING_TO_PERFORM; < else < rc = LDAP_OTHER;
Now when i only add or replace only attribute olcTLSRandFile on cn=config i have :
ldap_modify: Server is unwilling to perform (53)
When i replace following values in this order with 4 actions/operations or with a single action/operation it works :
dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem
replace: olcTLSCertificateFile olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem
replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem
replace: olcTLSRandFile olcTLSRandFile: /dev/random
But it don't works with only olcTLSRandfile if i do an add or replace first, why ?
What do you need for investigation ?
There's nothing to investigate, this works as designed. The config engine requires your TLS configuration to be valid when you configure it. That means at a minimum you must configure a server cert and key. If you only configure the randfile and nothing else, the config is rejected.
openldap-technical@openldap.org