Issue 7164 - Prevent change of TLS setting if invalid (Dynamic Config)
Summary: Prevent change of TLS setting if invalid (Dynamic Config)
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.28
Hardware: All (OS: All)
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-13 18:44 UTC by nick@eurobjects.com
Modified: 2014-08-01 21:03 UTC (History)

See Also:


Attachments

Description nick@eurobjects.com 2012-02-13 18:44:04 UTC
Full_Name: Nikolaos Milas
Version: 2.4.28
OS: CentOS 5.7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (94.65.22.12)


If, in a working OpenLDAP installation with dynamic configuration, we
inadvertently change the value of:

   olcTLSCertificateKeyFile: /path/to/key.pem

to some invalid value, like:

   olcTLSCertificateKeyFile: /path/to/non/existing/key.pem

then the OpenLDAP server continues to work (and we see no error message whatsoever),
but if it is stopped, it refuses to restart. In the logs, while OpenLDAP is
starting, we see:

   Feb 11 16:20:44 vdev slapd[15272]: main: TLS init def ctx failed: -1

and then the service immediately stops.

OpenLDAP Server should check whether the new parameter value points to an
existing file, and, if not, it should refuse to change the attribute value. For
a more complete procedure, it could also check whether the indicated file
includes a valid certificate, suitable for this parameter, and, again, if not,
it should refuse to change the attribute value.

Also, in case it's possible that one of the TLS File parameters gets an invalid
value (e.g. through slapadd), then a meaningful message during startup failure
would be helpful, e.g.: "olcTLSCertificateKeyFile: File /path/to/key.pem not
found or contains invalid certificate."
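The check the report asks for can be done on the client side before the change reaches cn=config, as an added example that is not OpenLDAP code and not part of this report. It reads the LDIF that is about to be passed to ldapmodify, picks out the three olcTLS*File attributes that slapd treats as pathnames, and refuses the change when a referenced file is missing, unreadable, or does not contain a PEM object of the expected label, reporting it in the message format suggested above. The attribute list, the expected PEM labels and the sample files it builds in a temporary directory are assumptions for the example; base64 (`attr::`) values and folded continuation lines are not handled.

```python
"""Pre-flight validation of cn=config TLS file changes.

Added example, not OpenLDAP code: gate an LDIF before ldapmodify so that an
olcTLS*File value pointing at a missing or wrong file never reaches cn=config.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Attributes whose values slapd reads as pathnames, mapped to the PEM label we
# expect in the file (assumption for this example, based on slapd-config(5)).
TLS_FILE_ATTRS: Dict[str, str] = {
    "olcTLSCACertificateFile": "CERTIFICATE",
    "olcTLSCertificateFile": "CERTIFICATE",
    "olcTLSCertificateKeyFile": "PRIVATE KEY",
}

_ATTR_LINE = re.compile(r"^(olcTLS\w+File):\s*(.+?)\s*$")


def tls_file_values(ldif_text: str) -> List[Tuple[str, str]]:
    """Return (attribute, path) pairs for every plain 'attr: value' line of a
    known TLS file attribute. Base64 ('attr::') and folded lines are ignored."""
    pairs = []
    for line in ldif_text.splitlines():
        m = _ATTR_LINE.match(line)
        if m and m.group(1) in TLS_FILE_ATTRS:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def check_pem_file(attr: str, path: str) -> List[str]:
    """Problems with one referenced file, in the message style the report asks for."""
    label = TLS_FILE_ATTRS[attr]
    if not os.path.isfile(path):
        return [f"{attr}: File {path} not found"]
    if not os.access(path, os.R_OK):
        return [f"{attr}: File {path} is not readable by this user"]
    with open(path, "rb") as fh:
        head = fh.read(65536)
    # 'RSA PRIVATE KEY', 'EC PRIVATE KEY', 'ENCRYPTED PRIVATE KEY' and plain
    # 'PRIVATE KEY' all end with the expected label, so match on the suffix.
    if not re.search(rb"-----BEGIN [A-Z ]*" + label.encode() + rb"-----", head):
        return [f"{attr}: File {path} does not contain a PEM {label}"]
    return []


def preflight(ldif_text: str) -> List[str]:
    """Every problem found; an empty list means the change is safe to apply."""
    problems: List[str] = []
    for attr, path in tls_file_values(ldif_text):
        problems.extend(check_pem_file(attr, path))
    return problems


def _key_change(path: str) -> str:
    return ("dn: cn=config\nchangetype: modify\n"
            f"replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: {path}\n")


def run_demo() -> Dict[str, List[str]]:
    """Constructed sample: placeholder PEM files (framing only, no real key
    material) and three candidate changes, one valid and two that must be refused."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "key.pem")
        cert = os.path.join(tmp, "cert.pem")
        with open(key, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n")
        with open(cert, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n")
        return {
            "good": preflight(_key_change(key)),
            "missing": preflight(_key_change(os.path.join(tmp, "non", "existing", "key.pem"))),
            "wrong_kind": preflight(_key_change(cert)),  # a cert where a key is expected
        }


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "OK, safe to ldapmodify")
```

Run it as the user slapd runs as (for example under `sudo -u ldap`) so the readability check reflects the server's privileges rather than root's, and only then apply the LDIF with `ldapmodify -Y EXTERNAL -H ldapi:/// -f change.ldif`. The check is deliberately advisory and limited to the three file attributes: other olcTLS values are not pathnames, and an administrator may intend to create the file after the cn=config change; the script only makes that choice explicit instead of silent.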
Comment 1 Howard Chu 2012-06-07 13:03:14 UTC
changed notes
changed state Open to Closed
Comment 2 OpenLDAP project 2014-08-01 21:03:54 UTC
arguments are not always pathnames. pathnames may legitimately be created after
the cn=config change. Admins are expected to know WTF they're doing.