Hi,
In your ssl.ldif file there is a *blank* line too after changetype: modify
This is not reported in your first post but it apear in seconde one.
I have reproduced the same symptoms with this empty line
More details bellow
Cheers.
Le 29/04/2015 12:56, Robert Munn a écrit :
My replies inline...
On Apr 26, 2015, at 2:28 AM, Abdelhamid MEDDEB <abdelhamid@meddeb.net
mailto:abdelhamid@meddeb.net> wrote:
Hi,
Le 25/04/2015 15:10, Robert Munn a écrit :
I have been trying to replace the SSL cert settings on my OpenLDAP
instance running on Ubuntu using ldapmodify.
I followed directions on the Ubuntu wiki:
https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls
using a modified ldif file for the replace:
|dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem|
|All right|
Empty line is not reported here.
When it didn’t work on my existing instance I built a new instance
in a new Ubuntu VM (14.04) and tried the original directions from
Ubuntu. That did not work either.
May be you've missed some settings at build time like --with-tls
I installed OpenLDAP using apt. The .deb package must include TLS
because I added the certificates manually.
The ldapmodify command executes correctly but it seems that the
change is not registered by the server. This is the case in both the
new instance and the old instance of OpenLDAP.
No error message like "Insufficient access (50)" ? and you should
check the write (manage)rights to cn=config database.
The command I ran (as sudo) and the message:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config”
and ssl.ldif :
dn: cn=config
changetype:modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/CAcert
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/cert
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/cert.key
But we show it here, and content changes (strangely) the cn=config.ldif
last modified timestamp, but do nothing realy
cn=config.ldif is being modified by the ldapmodify process, I verified
that by changing file permissions on cn=config.ldif, running the
ldapmodify command, and then checking cn=config.ldif. ldapmodify
updated the timestamp and file permissions on the file. The file
changed, but the configuration changes in ssl.ldif were not made in
cn=config.ldif.
I ended up replacing the values (or adding them in the new instance)
in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the
changes manually and restarting slapd works, but my understanding
was that changes to cn=config should be made through ldapmodify.
Bad practice, it's best to avoid.
Yes, and when I can modify the configuration using ldapmodify, I will
no longer make the changes manually.
I found a note about enabling logging using ldapmodify:
https://help.ubuntu.com/lts/serverguide/openldap-server.html
logging.ldif:
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
I executed this command on my first instance and it added the logging
to cn=config. I executed this command on the second instance, where
olcLogLevel already existed, and it did not alter the log level.
I have also been experimenting with this script:
https://github.com/cepharum/slapd-config
With it, I was able to delete the TLS entries from cn=config:
slapd-config raw delete cn=config olcTLSCACertificateFile 1
but when I tried to add the entries back, I got this error:
slapd-config raw insert cn=config olcTLSCACertificateFile 1
"/etc/ssl/certs/cert.pem"
modifying entry ""
ldap_modify: Server is unwilling to perform (53)
additional info: modify upon the root DSE not supported
I have not looked at the details but it seems that there is a bug in
this script. (modifying entry "")
I was able to change the olcLogLevel back to its original state vi
ldapmodify, so maybe there is something particular about the TLS
entries, perhaps having to do with permissions on the certs and keys
themselves?
I have come across this bug in several forums and have yet to see
someone who solved it in the “correct” manner using ldapmodify.
Robert
I also found a tech note at CentOS:
https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Re...
in section 2.2.2.2 that indicates changes to cn=config will be ignored:
"If an attribute is added to |cn=config|, the server ignores it."
So am I mistaken? Do I need to do something different? I would
prefer to manage the config with ldapmodify, but since I don’t
change cn=config that often, I can change it manually.
Robert
Cheers,
*Abdelhamid MEDDEB*
http://www.meddeb.net
--
*Abdelhamid Meddeb*
http://www.meddeb.net