I have not mentioned that my Let's Encrypt certificate is not SAN but wildcard.
On Thu, Feb 27, 2020 at 1:10 PM jean-christophe manciot
<actionmystique(a)gmail.com> wrote:
Hi everyone,
On Ubuntu 20.04
slapd 2.4.49+dfsg-1ubuntu1
with /etc/ldap/tls.ldif:
--------------------------
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/domain.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/domain_priv_key.pem.decrypted
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/letsencrypt_root_intermediate_bundle.pem
- All files are readable by openldap user.
- domain.crt is in pem format
- letsencrypt_root_intermediate_bundle.pem contains isrgrootx1.pem + letsencryptauthorityx3.pem
--------------------------
Yet, if I run:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f tls.ldif
I get in the logs:
--------------------------
daemon: read active on 12
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
conn=1001 op=1 MOD dn="cn=config"
daemon: activity on:
conn=1001 op=1 MOD attr=olcTLSCertificateFile olcTLSCertificateKeyFile
olcTLSCACertificateFile
=> access_allowed: result not in cache (olcTLSCertificateFile)
=> access_allowed: add access to "cn=config"
"olcTLSCertificateFile" requested
daemon: epoll: listen=8 active_threads=0 tvp=zero
=> acl_get: [1] attr olcTLSCertificateFile
daemon: epoll: listen=9 active_threads=0 tvp=zero
=> acl_mask: access to entry "cn=config", attr
"olcTLSCertificateFile" requested
daemon: epoll: listen=10 active_threads=0 tvp=zero
=> acl_mask: to value by
"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= acl_mask: [1] applying manage(=mwrscxd) (stop)
<= acl_mask: [1] mask: manage(=mwrscxd)
=> slap_access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: result not in cache (olcTLSCertificateKeyFile)
=> access_allowed: add access to "cn=config"
"olcTLSCertificateKeyFile" requested
=> acl_get: [1] attr olcTLSCertificateKeyFile
=> acl_mask: access to entry "cn=config", attr
"olcTLSCertificateKeyFile" requested
=> acl_mask: to value by
"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= acl_mask: [1] applying manage(=mwrscxd) (stop)
<= acl_mask: [1] mask: manage(=mwrscxd)
=> slap_access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: result not in cache (olcTLSCACertificateFile)
=> access_allowed: add access to "cn=config"
"olcTLSCACertificateFile" requested
=> acl_get: [1] attr olcTLSCACertificateFile
=> acl_mask: access to entry "cn=config", attr
"olcTLSCACertificateFile" requested
=> acl_mask: to value by
"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= acl_mask: [1] applying manage(=mwrscxd) (stop)
<= acl_mask: [1] mask: manage(=mwrscxd)
=> slap_access_allowed: add access granted by manage(=mwrscxd)
=> access_allowed: add access granted by manage(=mwrscxd)
conn=1001 op=1 RESULT tag=103 err=80 text=
daemon: activity on 1 descriptor
daemon: activity on:
12r
--------------------------
What is going on?
My logging attributes are: conns filter config acl stats stats2 shell parse
Is there a way to get more explicit logging?
-
Jean-Christophe
--
Jean-Christophe
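The err=80 in the RESULT line is LDAP_OTHER ("other"): slapd tries to load the three files as soon as the olcTLS* attributes are applied and, when that fails, reports only this generic code. The same conditions the post lists (files readable by the openldap user, certificate in PEM, key and certificate belonging together, bundle that actually verifies the leaf) can be checked beforehand with the openssl CLI, which does print the reason. The script below is an added example, not code from the thread or from the OpenLDAP project; it assumes the openssl command is installed, takes the paths and the "openldap" service account from the post, and everything else (function names, the optional USER argument) is an assumption.

```shell
#!/bin/sh
# Pre-flight checks for the files referenced by olcTLSCertificateFile,
# olcTLSCertificateKeyFile and olcTLSCACertificateFile. Added example, not
# from the thread; assumes the openssl CLI and an "openldap" service user.

# check_readable_by USER FILE: is FILE readable by USER? When run as root the
# test is performed as that user via su; otherwise only the current user can
# be checked and a note says so.
check_readable_by() {
    if [ "$(id -u)" -eq 0 ] && command -v su >/dev/null 2>&1; then
        su -s /bin/sh "$1" -c "test -r '$2'"
    else
        [ "$1" = "$(id -un)" ] || \
            echo "note: not root, checked readability as $(id -un), not $1" >&2
        test -r "$2"
    fi
}

# is_pem_cert FILE: does FILE parse as a PEM X.509 certificate?
# (On a bundle only the first certificate is parsed, which is enough here.)
is_pem_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# cert_key_match CERT KEY: the public key carried by the certificate must be
# identical to the public key derived from the private key. An empty
# passphrase is supplied so an accidentally encrypted key fails instead of
# prompting.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CA_BUNDLE CERT: the leaf must chain to the bundle that will
# become olcTLSCACertificateFile (root + intermediate, as in the post).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_slapd_tls_files CERT KEY CA [USER]: run every check, stop at the first
# failure and print a reason that slapd's err=80 does not give. Returns 0 only
# when all checks pass.
check_slapd_tls_files() {
    user="${4:-openldap}"
    for f in "$1" "$2" "$3"; do
        [ -f "$f" ] || { echo "missing: $f"; return 1; }
        check_readable_by "$user" "$f" || { echo "not readable by $user: $f"; return 1; }
    done
    is_pem_cert "$1" || { echo "not a PEM certificate: $1"; return 1; }
    is_pem_cert "$3" || { echo "not a PEM certificate bundle: $3"; return 1; }
    cert_key_match "$1" "$2" || { echo "certificate and private key do not match"; return 1; }
    chain_verifies "$3" "$1" || { echo "$1 does not verify against $3"; return 1; }
    echo "ok: $1 / $2 / $3"
}

# Usage with the paths from the post (run as root so the openldap user's
# read permission is really tested):
# check_slapd_tls_files /etc/ssl/domain.crt \
#     /etc/ssl/domain_priv_key.pem.decrypted \
#     /etc/ssl/letsencrypt_root_intermediate_bundle.pem
```

When a check fails, rerunning the corresponding openssl command without the output redirections shows the detailed error (wrong issuer in the bundle, key that belongs to a previous renewal, and so on). Whether the certificate carries a wildcard name or a SAN list has no bearing on whether slapd can load it; the names only matter later, when clients verify the server certificate against the hostname they connected to.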