Hi,
In your ssl.ldif file there is a *blank* line too after changetype: modify This is not reported in your first post but it apear in seconde one. I have reproduced the same symptoms with this empty line
More details bellow
Cheers.
Le 29/04/2015 12:56, Robert Munn a écrit :
My replies inline...
On Apr 26, 2015, at 2:28 AM, Abdelhamid MEDDEB <abdelhamid@meddeb.net mailto:abdelhamid@meddeb.net> wrote:
Hi,
Le 25/04/2015 15:10, Robert Munn a écrit :
I have been trying to replace the SSL cert settings on my OpenLDAP instance running on Ubuntu using ldapmodify.
I followed directions on the Ubuntu wiki:
https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls
using a modified ldif file for the replace:
|dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem|
|All right|
Empty line is not reported here.
When it didn’t work on my existing instance I built a new instance in a new Ubuntu VM (14.04) and tried the original directions from Ubuntu. That did not work either.
May be you've missed some settings at build time like --with-tls
I installed OpenLDAP using apt. The .deb package must include TLS because I added the certificates manually.
The ldapmodify command executes correctly but it seems that the change is not registered by the server. This is the case in both the new instance and the old instance of OpenLDAP.
No error message like "Insufficient access (50)" ? and you should check the write (manage)rights to cn=config database.
The command I ran (as sudo) and the message:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config”
and ssl.ldif :
dn: cn=config changetype:modify
replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/CAcert
replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/cert
replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/cert.key
But we show it here, and content changes (strangely) the cn=config.ldif last modified timestamp, but do nothing realy
cn=config.ldif is being modified by the ldapmodify process, I verified that by changing file permissions on cn=config.ldif, running the ldapmodify command, and then checking cn=config.ldif. ldapmodify updated the timestamp and file permissions on the file. The file changed, but the configuration changes in ssl.ldif were not made in cn=config.ldif.
I ended up replacing the values (or adding them in the new instance) in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the changes manually and restarting slapd works, but my understanding was that changes to cn=config should be made through ldapmodify.
Bad practice, it's best to avoid.
Yes, and when I can modify the configuration using ldapmodify, I will no longer make the changes manually.
I found a note about enabling logging using ldapmodify:
https://help.ubuntu.com/lts/serverguide/openldap-server.html
logging.ldif:
dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: stats
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
I executed this command on my first instance and it added the logging to cn=config. I executed this command on the second instance, where olcLogLevel already existed, and it did not alter the log level.
I have also been experimenting with this script:
https://github.com/cepharum/slapd-config
With it, I was able to delete the TLS entries from cn=config:
slapd-config raw delete cn=config olcTLSCACertificateFile 1
but when I tried to add the entries back, I got this error:
slapd-config raw insert cn=config olcTLSCACertificateFile 1 "/etc/ssl/certs/cert.pem" modifying entry "" ldap_modify: Server is unwilling to perform (53) additional info: modify upon the root DSE not supported
I have not looked at the details but it seems that there is a bug in this script. (modifying entry "")
I was able to change the olcLogLevel back to its original state vi ldapmodify, so maybe there is something particular about the TLS entries, perhaps having to do with permissions on the certs and keys themselves?
I have come across this bug in several forums and have yet to see someone who solved it in the “correct” manner using ldapmodify.
Robert
I also found a tech note at CentOS:
https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Re... in section 2.2.2.2 that indicates changes to cn=config will be ignored:
"If an attribute is added to |cn=config|, the server ignores it."
So am I mistaken? Do I need to do something different? I would prefer to manage the config with ldapmodify, but since I don’t change cn=config that often, I can change it manually.
Robert
Cheers,
*Abdelhamid MEDDEB* http://www.meddeb.net
openldap-technical@openldap.org
-
Abdelhamid Meddeb