
Re: TLS config causes Object class violation



forumuser@online.de wrote:

Recently I upgraded my Ubuntu Server 8.04 to 8.10 and had to reconfigure OpenLDAP (installed by apt-get) through the slapd backend database (I used slapd.config before). I reconfigured OpenLDAP with "sudo dpkg-reconfigure slapd" and confirmed all prior settings; however, the old database was moved to /var/backup/ and a fresh one was generated (please see the config tree at the end).

The problem is, I get the following error message:
  ldap_modify: Object class violation (65)
          additional info: attribute 'olcTLSCACertificateFile' not allowed

(the same happens with olcTLSCertificateFile if I leave out olcTLSCACertificateFile; olcTLS* seems to be "not allowed")

...when I try to configure TLS via ldapmodify:
ldapmodify -D cn=admin,cn=config -W -x


by entering this:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servercert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/serverkey.pem



The config tree is as follows (I will change "mydomain" and the ACL later):
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=mydomain,dc=org" write by anonymous
  auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=org"
  write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq


Here's my "sudo apt-cache show slapd" package information:

Package: slapd
Priority: optional
Section: net
Installed-Size: 3872
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Architecture: i386
Source: openldap
Version: 2.4.11-0ubuntu6
Replaces: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-utils (<< 2.2.23-3), libldap2
Provides: ldap-server, libslapi-2.4-2
Depends: libc6 (>= 2.4), libdb4.2, libgcrypt11 (>= 1.4.0), libgnutls26 (>= 2.4.0-0), libldap-2.4-2 (= 2.4.11-0ubuntu6), libltdl7 (>= 2.2.4), libperl5.10 (>= 5.10.0), libsasl2-2, libslp1, libtasn1-3 (>= 0.3.4), libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11-1), zlib1g (>= 1:1.1.4), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser
Pre-Depends: debconf (>= 0.5) | debconf-2.0
Recommends: libsasl2-modules, apparmor (>= 2.1+1075-0ubuntu6)
Suggests: ldap-utils
Conflicts: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd
Filename: pool/main/o/openldap/slapd_2.4.11-0ubuntu6_i386.deb
Size: 1466528
MD5sum: 41047db9f250c0e73e2e3c43c5d90f5a
SHA1: 4c23c98d55851fef7ec4ff5e4fa8d7cd1c885da9
SHA256: 107e5df3dea5a0571a2f99df1d7c919247a4223a991a99e8393b0915e39f1fc9
Description-de: OpenLDAP-Server (slapd)
 This is the OpenLDAP (Lightweight Directory Access Protocol) server (slapd). The server can be used to provide a standalone directory service.
Homepage: http://www.openldap.org/
Bugs: mailto:ubuntu-users@lists.ubuntu.com
Origin: Ubuntu


(libgnutls26 is version 2.4.1-1build1.) Can someone help me with this "Object class violation (65)" problem concerning TLS?

olcTLSCACertificateFile belongs to olcGlobal, while you're trying to add it to a database object. Add it to cn=config instead.


p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
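The corrected modification, as an added example that is not part of either message in the thread: the three olcTLS* attributes are olcGlobal attributes, so the LDIF targets cn=config and keeps the file paths from the question unchanged. The bind DN cn=admin,cn=config is taken from the question's ldapmodify command, the ldapi:///-with-EXTERNAL alternative assumes the Debian/Ubuntu default cn=config ACL, and the pre-flight permission check on the private key is this example's own addition, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example (not from the thread). The only change from the LDIF that
# failed with "Object class violation (65)" is the dn: line: the entry is the
# global cn=config, not the olcDatabase={1}hdb,cn=config database entry.

# Emit the corrected LDIF. Paths are the ones from the question.
tls_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servercert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/serverkey.pem
EOF
}

# Pre-flight check (assumption: a practitioner's own sanity check, not part of
# the thread). slapd opens these files as its own unprivileged user, so they
# must exist, and the private key must not be world-readable. Group read is
# tolerated because Debian/Ubuntu ship keys as root:ssl-cert mode 640 and add
# the openldap user to ssl-cert; that is a deliberate design choice here.
check_tls_files() {
    ca=$1; cert=$2; key=$3
    for f in "$ca" "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "missing file: $f" >&2
            return 1
        fi
    done
    # ls -l mode string: characters 8-10 are the "other" permission bits.
    other=$(ls -ld "$key" | cut -c8-10)
    case $other in
        *r*) echo "private key $key is world-readable (other=$other)" >&2; return 1 ;;
    esac
    return 0
}

# Apply the change with the bind DN the question used.
apply_tls() {
    tls_ldif | ldapmodify -x -W -D cn=admin,cn=config
    # On Debian/Ubuntu the same can be done as root over the local socket,
    # assuming the distribution's default cn=config ACL:
    #   tls_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Read the attributes back from the global entry to confirm they landed.
show_tls() {
    ldapsearch -x -W -D cn=admin,cn=config -b cn=config -s base \
        olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
}

# Only touches the directory when invoked as: sh this_script.sh apply
if [ "${1:-}" = apply ]; then
    check_tls_files /etc/ssl/certs/cacert.pem \
                    /etc/ssl/certs/servercert.pem \
                    /etc/ssl/private/serverkey.pem \
        && apply_tls && show_tls
fi
```

After the modify succeeds, the server still has to be told to offer TLS: StartTLS works on the existing ldap:// listener, while ldaps:// needs a ldaps:/// entry in SLAPD_SERVICES in /etc/default/slapd on Ubuntu and a restart. Note that the database entry is the wrong place for these attributes regardless of backend; per-database TLS settings do not exist, which is why every olcTLS* attribute was rejected there.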