[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS config causes Object class violation

forumuser@online.de wrote:

Recently I upgraded my Ubuntu Server 8.04 to 8.10 and had to reconfigure OpenLDAP (installed by apt-get) through slapd backend database (I used slapd.config before). I have reconfigured OpenLDAP by "sudo dpkg-reconfigure slapd" and confirmed all prior settings, however the old database was moved to /var/backup/ and a fresh one was generated (please see config tree at the end).

The problem is, I get following error message..:
  ldap_modify: Object class violation (65)
          additional info: attribute 'olcTLSCACertificateFile' not allowed

(even olcTLSCertificateFile, if I leave out olcTLSCACertificateFile... olcTLS* seems "not allowed")

..when I try to configure TLS by ldapmodify:
ldapmodify -D cn=admin,cn=config -W -x

by entering this:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/servercert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/serverkey.pem

The config tree is as follows (I will change "mydomain" and ACL later):
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=mydomain,dc=org" write by anonymous
  auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=org"
  write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq

Here's my "sudo apt-cache show slapd" packet information: Package: slapd Priority: optional Section: net Installed-Size: 3872 Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com> Original-Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org> Architecture: i386 Source: openldap Version: 2.4.11-0ubuntu6 Replaces: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-utils (<< 2.2.23-3), libldap2 Provides: ldap-server, libslapi-2.4-2 Depends: libc6 (>= 2.4), libdb4.2, libgcrypt11 (>= 1.4.0), libgnutls26 (>= 2.4.0-0), libldap-2.4-2 (= 2.4.11-0ubuntu6), libltdl7 (>= 2.2.4), libperl5.10 (>= 5.10.0), libsasl2-2, libslp1, libtasn1-3 (>= 0.3.4), libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11-1), zlib1g (>= 1:1.1.4), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser Pre-Depends: debconf (>= 0.5) | debconf-2.0 Recommends: libsasl2-modules, apparmor (>= 2.1+1075-0ubuntu6) Suggests: ldap-utils Conflicts: apparmor-profiles (<< 2.1+1075-0ubuntu4), ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd Filename: pool/main/o/openldap/slapd_2.4.11-0ubuntu6_i386.deb Size: 1466528 MD5sum: 41047db9f250c0e73e2e3c43c5d90f5a SHA1: 4c23c98d55851fef7ec4ff5e4fa8d7cd1c885da9 SHA256: 107e5df3dea5a0571a2f99df1d7c919247a4223a991a99e8393b0915e39f1fc9 Description-de: OpenLDAP-Server (slapd) This is the OpenLDAP (Lightweight Directory Access Protocol) server (slapd). The server can be used to provide a standalone directory service. Homepage: http://www.openldap.org/ Bugs: mailto:ubuntu-users@lists.ubuntu.com Origin: Ubuntu

(libgnutls26 is of version: 2.4.1-1build1) Can someone help me with this "Object class violation (65)" problem concerning TLS?

olcTLSCACertificateFile belongs to olcGlobal, while you're trying to add it to a database object. Add it to cn=config instead.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it