Hi,
In your ssl.ldif file there is a *blank* line too after "changetype: modify".
This is not reported in your first post, but it appears in the second one.
I have reproduced the same symptoms with this empty line.
More details below.
Cheers.
On 29/04/2015 12:56, Robert Munn wrote:
My replies inline...
Hi,
On 25/04/2015 15:10, Robert Munn wrote:
I have been trying to replace the SSL cert settings on
my OpenLDAP instance running on Ubuntu using ldapmodify.
I followed directions on the Ubuntu wiki:
using a modified ldif file for the replace:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
All right. The empty line is not reported here.
When it didn’t work on my existing instance I
built a new instance in a new Ubuntu VM (14.04) and
tried the original directions from Ubuntu. That did
not work either.
Maybe you've missed some settings at build time, like --with-tls.
I installed OpenLDAP using apt. The .deb package must
include TLS because I added the certificates manually.
The ldapmodify command executes correctly but it
seems that the change is not registered by the server.
This is the case in both the new instance and the old
instance of OpenLDAP.
No error message like "Insufficient access (50)"? And you should check
the write (manage) rights to the cn=config database.
The command I ran (as sudo) and the message:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
SASL/EXTERNAL authentication started
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
and ssl.ldif:
dn: cn=config
changetype:modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/CAcert
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/cert
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/cert.key
But we show it here, and the content changes (strangely) the
cn=config.ldif last modified timestamp, but does nothing really.
cn=config.ldif is being modified by the ldapmodify
process, I verified that by changing file permissions on
cn=config.ldif, running the ldapmodify command, and then
checking cn=config.ldif. ldapmodify updated the timestamp
and file permissions on the file. The file changed, but the
configuration changes in ssl.ldif were not made in
cn=config.ldif.
I ended up replacing the values (or adding them in
the new instance) in the
/etc/ldap/slapd.d/cn=config.ldif file manually. Making
the changes manually and restarting slapd works, but
my understanding was that changes to cn=config should
be made through ldapmodify.
Bad practice, it's best to avoid.
Yes, and when I can modify the configuration using
ldapmodify, I will no longer make the changes manually.
I found a note about enabling logging using ldapmodify:
logging.ldif:
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
I executed this command on my first instance and it
added the logging to cn=config. I executed this command on
the second instance, where olcLogLevel already existed,
and it did not alter the log level.
I have also been experimenting with this script:
With it, I was able to delete the TLS entries from
cn=config:
slapd-config raw delete cn=config olcTLSCACertificateFile 1
but when I tried to add the entries back, I got this
error:
slapd-config raw insert cn=config olcTLSCACertificateFile 1 "/etc/ssl/certs/cert.pem"
modifying entry ""
ldap_modify: Server is unwilling to perform (53)
additional info:
modify upon the root DSE not supported
I have not looked at the details, but it seems that there is a bug in
this script (modifying entry "").
I was able to change the olcLogLevel back to its original
state via ldapmodify, so maybe there is something particular
about the TLS entries, perhaps having to do with permissions
on the certs and keys themselves?
I have come across this bug in several forums and have
yet to see someone who solved it in the “correct” manner
using ldapmodify.
Robert
I also found a tech note at CentOS:
in section 2.2.2.2 that indicates changes to
cn=config will be ignored:
"If an attribute is added to cn=config ,
the server ignores it."
So am I mistaken? Do I need to do something
different? I would prefer to manage the config with
ldapmodify, but since I don’t change cn=config that
often, I can change it manually.
Robert
Cheers,
--
*Abdelhamid MEDDEB*
http://www.meddeb.net
--
*Abdelhamid Meddeb*
http://www.meddeb.net
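A small LDIF linter that catches the pitfall Abdelhamid points out, added here as an example (not code from the thread, from Ubuntu's wiki or from OpenLDAP); the sample LDIF is constructed to mirror the posted ssl.ldif with the stray blank line:

```python
import re
# Added example: LDIF treats a blank line as a record separator, so
# "changetype: modify" followed by an empty line yields a modify with no
# operations (the no-op symptom seen in the thread) and the "replace:" lines
# become a second record that has no dn.
_ATTR = re.compile(r"^([A-Za-z][\w.;-]*):\s*(.*)$")
_MOD_OPS = {"add", "replace", "delete", "increment"}

def parse_ldif(text):
    """Split LDIF into records, each a list of (name, value) pairs.
    A lone '-' (end of a modify op) is kept as ('?', '-')."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.strip() == "":                  # blank line: record separator
            if current:
                records.append(current)
                current = []
        elif raw.startswith("#"):              # comment line
            continue
        elif raw.startswith(" ") and current:  # folded continuation line
            name, value = current[-1]
            current[-1] = (name, value + raw[1:])
        else:
            m = _ATTR.match(raw)
            current.append((m.group(1).lower(), m.group(2)) if m else ("?", raw))
    return records

def lint_ldif(text):
    """Return a list of problems; an empty list means the LDIF looks sane."""
    problems = []
    for i, rec in enumerate(parse_ldif(text), 1):
        fields = dict(rec)
        if rec[0][0] != "dn":
            problems.append(f"record {i}: does not start with dn: (stray blank line above?)")
        elif fields.get("changetype", "add").strip() == "modify" and not any(
                n in _MOD_OPS for n, _ in rec):
            problems.append(f"record {i} ({fields['dn']}): modify with no change operations")
    return problems

# Constructed sample mirroring the posted ssl.ldif, including the blank line.
BROKEN_LDIF = """dn: cn=config
changetype: modify

replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
"""
FIXED_LDIF = BROKEN_LDIF.replace("modify\n\n", "modify\n")
```

Running `lint_ldif` over a file before handing it to ldapmodify flags both the empty modify and the dn-less tail, while the corrected file lints clean.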