[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7164) Prevent change of TLS setting if invalid (Dynamic Config)

Full_Name: Nikolaos Milas
Version: 2.4.28
OS: CentOS 5.7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

If, in a working OpenLDAP installation with dynamic configuration, we
inadvertently change the value of:

   olcTLSCertificateKeyFile: /path/to/key.pem

to some invalid value, like:

   olcTLSCertificateKeyFile: /path/to/non/existing/key.pem

then OpenLDAP Server continues to work (and we see no error message whatsoever),
but if it is stopped, it refuses to restart. In the logs, while OpenLDAP is
starting, we see:

   Feb 11 16:20:44 vdev slapd[15272]: main: TLS init def ctx failed: -1

and then service is immediately stopped.

OpenLDAP Server should check whether the new parameter value points to an
existing file, and, if not, it should refuse to change the attribute value. For
a more complete procedure, it could also check whether the indicated file
includes a valid certificate, suitable for this parameter, and, again, if not,
it should refuse to change the attribute value.

Also, in case it's possible that one of the TLS File parameters gets an invalid
value (e.g. through slapadd), then a meaningful message during startup failure
would be helpful, e.g.: "olcTLSCertificateKeyFile: File /path/to/key.pem not
found or contains invalid certificate."