In your ssl.ldif file there is a *blank* line too after changetype: modify
This is not reported in your first post but it apear in seconde one.
I have reproduced the same symptoms with this empty line
More details bellow
Le 29/04/2015 12:56, Robert Munn a écrit :
My replies inline...
On Apr 26, 2015, at 2:28 AM, Abdelhamid MEDDEB <abdelhamid(a)meddeb.net
> Le 25/04/2015 15:10, Robert Munn a écrit :
>> I have been trying to replace the SSL cert settings on my OpenLDAP
>> instance running on Ubuntu using ldapmodify.
>> I followed directions on the Ubuntu wiki:
>> using a modified ldif file for the replace:
>> |dn: cn=config
>> changetype: modify
>> replace: olcTLSCACertificateFile
>> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
>> replace: olcTLSCertificateFile
>> olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
>> replace: olcTLSCertificateKeyFile
>> olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem|
> |All right|
Empty line is not reported here.
>> When it didn’t work on my existing instance I built a new
>> in a new Ubuntu VM (14.04) and tried the original directions from
>> Ubuntu. That did not work either.
> May be you've missed some settings at build time like --with-tls
I installed OpenLDAP using apt. The .deb package must include TLS
because I added the certificates manually.
>> The ldapmodify command executes correctly but it seems that the
>> change is not registered by the server. This is the case in both the
>> new instance and the old instance of OpenLDAP.
> No error message like "Insufficient access (50)" ? and you should
> check the write (manage)rights to cn=config database.
The command I ran (as sudo) and the message:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config”
and ssl.ldif :
But we show it here, and content changes (strangely) the cn=config.ldif
last modified timestamp, but do nothing realy
cn=config.ldif is being modified by the ldapmodify process, I
that by changing file permissions on cn=config.ldif, running the
ldapmodify command, and then checking cn=config.ldif. ldapmodify
updated the timestamp and file permissions on the file. The file
changed, but the configuration changes in ssl.ldif were not made in
>> I ended up replacing the values (or adding them in the new instance)
>> in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the
>> changes manually and restarting slapd works, but my understanding
>> was that changes to cn=config should be made through ldapmodify.
> Bad practice, it's best to avoid.
Yes, and when I can modify the configuration using ldapmodify, I will
no longer make the changes manually.
I found a note about enabling logging using ldapmodify:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
I executed this command on my first instance and it added the logging
to cn=config. I executed this command on the second instance, where
olcLogLevel already existed, and it did not alter the log level.
I have also been experimenting with this script:
With it, I was able to delete the TLS entries from cn=config:
slapd-config raw delete cn=config olcTLSCACertificateFile 1
but when I tried to add the entries back, I got this error:
slapd-config raw insert cn=config olcTLSCACertificateFile 1
modifying entry ""
ldap_modify: Server is unwilling to perform (53)
additional info: modify upon the root DSE not supported
I have not looked at the details but it seems that there is a bug in
this script. (modifying entry "")
I was able to change the olcLogLevel back to its original state vi
ldapmodify, so maybe there is something particular about the TLS
entries, perhaps having to do with permissions on the certs and keys
I have come across this bug in several forums and have yet to see
someone who solved it in the “correct” manner using ldapmodify.
>> I also found a tech note at CentOS:
>> in section 188.8.131.52 that indicates changes to cn=config will be ignored:
>> "If an attribute is added to |cn=config|, the server ignores it."
>> So am I mistaken? Do I need to do something different? I would
>> prefer to manage the config with ldapmodify, but since I don’t
>> change cn=config that often, I can change it manually.
> *Abdelhamid MEDDEB*