Hi,
Le 25/04/2015 15:10, Robert Munn a
écrit :
I have been trying to replace the SSL cert settings on my OpenLDAP
instance running on Ubuntu using ldapmodify.
I followed directions on the Ubuntu wiki:
using a modified ldif file for the replace:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
All right
When it didn’t work on my existing instance I built a new
instance in a new Ubuntu VM (14.04) and tried the original
directions from Ubuntu. That did not work either.
May be you've missed some settings at build time like --with-tls
The ldapmodify command executes correctly but it seems that
the change is not registered by the server. This is the case in
both the new instance and the old instance of OpenLDAP.
No error message like "Insufficient access (50)" ? and
you should check the write
(manage) rights to cn=config database.
I ended up replacing the values (or adding them in the new
instance) in the /etc/ldap/slapd.d/cn=config.ldif file manually.
Making the changes manually and restarting slapd works, but my
understanding was that changes to cn=config should be made
through ldapmodify.
Bad practice, it's best to avoid.
I also found a tech note at CentOS:
in section 2.2.2.2 that indicates changes to cn=config will
be ignored:
"If an attribute is added to cn=config,
the server ignores it."
So am I mistaken? Do I need to do something different? I
would prefer to manage the config with ldapmodify, but since I
don’t change cn=config that often, I can change it manually.
Robert
Cheers,
--
*Abdelhamid MEDDEB*
http://www.meddeb.net