Re: Cannot configure TLS
- To: openldap-technical@openldap.org
- Subject: Re: Cannot configure TLS
- From: jean-christophe manciot <actionmystique@gmail.com>
- Date: Thu, 27 Feb 2020 15:37:54 +0100
- In-reply-to: <CAKcFC3a43cMwMNjUFXwk=CFYkW5mmWWZKeYDx1eZ25O3Vsv6cw@mail.gmail.com>
- References: <CAKcFC3a43cMwMNjUFXwk=CFYkW5mmWWZKeYDx1eZ25O3Vsv6cw@mail.gmail.com>
I have not mentioned that my Let's Encrypt certificate is not SAN but wildcard.
On Thu, Feb 27, 2020 at 1:10 PM jean-christophe manciot
<actionmystique@gmail.com> wrote:
>
> Hi everyone,
>
> On Ubuntu 20.04
> slapd 2.4.49+dfsg-1ubuntu1
> with /etc/ldap/tls.ldif:
> --------------------------
> dn: cn=config
> changetype: modify
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/domain.crt
> -
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/domain_priv_key.pem.decrypted
> -
> add: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/letsencrypt_root_intermediate_bundle.pem
>
> - All files are readable by openldap user.
> - domain.crt is in pem format
> - letsencrypt_root_intermediate_bundle.pem contains isrgrootx1.pem +
> letsencryptauthorityx3.pem
> --------------------------
> Yet, if I run:
> ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f tls.ldif
>
> I get in the logs:
> --------------------------
> daemon: read active on 12
> daemon: epoll: listen=8 active_threads=0 tvp=zero
> daemon: epoll: listen=9 active_threads=0 tvp=zero
> daemon: epoll: listen=10 active_threads=0 tvp=zero
> daemon: activity on 1 descriptor
> conn=1001 op=1 MOD dn="cn=config"
> daemon: activity on:
> conn=1001 op=1 MOD attr=olcTLSCertificateFile olcTLSCertificateKeyFile
> olcTLSCACertificateFile
>
> => access_allowed: result not in cache (olcTLSCertificateFile)
> => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
> daemon: epoll: listen=8 active_threads=0 tvp=zero
> => acl_get: [1] attr olcTLSCertificateFile
> daemon: epoll: listen=9 active_threads=0 tvp=zero
> => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
> daemon: epoll: listen=10 active_threads=0 tvp=zero
> => acl_mask: to value by
> "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: result not in cache (olcTLSCertificateKeyFile)
> => access_allowed: add access to "cn=config"
> "olcTLSCertificateKeyFile" requested
> => acl_get: [1] attr olcTLSCertificateKeyFile
> => acl_mask: access to entry "cn=config", attr
> "olcTLSCertificateKeyFile" requested
> => acl_mask: to value by
> "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: result not in cache (olcTLSCACertificateFile)
> => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
> => acl_get: [1] attr olcTLSCACertificateFile
> => acl_mask: access to entry "cn=config", attr
> "olcTLSCACertificateFile" requested
> => acl_mask: to value by
> "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> conn=1001 op=1 RESULT tag=103 err=80 text=
> daemon: activity on 1 descriptor
> daemon: activity on:
> 12r
> --------------------------
>
> What is going on?
> My logging attributes are: conns filter config acl stats stats2 shell parse
> Is there a way to get more explicit logging?
> -
> Jean-Christophe
--
Jean-Christophe
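A pre-flight check for the three olcTLS* files, added here as an example; it is not part of the original post and not OpenLDAP code. The RESULT err=80 (LDAP_OTHER) with an empty text field in the log above does not say which file slapd rejected, so the idea is to load the same three files the way a TLS server would, before touching cn=config, and report the concrete error. It uses only Python's standard library and the paths from the LDIF (assumed; any paths work). Debian and Ubuntu build slapd against GnuTLS rather than OpenSSL, so the wording of errors differs, but the failure classes (file unreadable by the process, non-PEM content, passphrase-protected key, key that does not match the certificate) are the same. Verifying that the bundle actually chains the leaf is not covered here; for that run `openssl verify -CAfile letsencrypt_root_intermediate_bundle.pem domain.crt` as the openldap user.

```python
"""Pre-flight check for olcTLSCertificateFile / olcTLSCertificateKeyFile /
olcTLSCACertificateFile before loading them into cn=config.

Added example, not from the original post or OpenLDAP. Paths below are the
ones from the LDIF in the thread and are assumptions; pass your own.
"""
import os
import ssl
import tempfile
from typing import List, Tuple

CERT = "/etc/ssl/domain.crt"
KEY = "/etc/ssl/domain_priv_key.pem.decrypted"
CA = "/etc/ssl/letsencrypt_root_intermediate_bundle.pem"


def _pem_blocks(path: str, marker: str) -> int:
    """Count PEM blocks whose header is '-----BEGIN <marker>-----' in path."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.count(b"-----BEGIN " + marker.encode() + b"-----")


def _looks_encrypted(path: str) -> bool:
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' or legacy 'Proc-Type: 4,ENCRYPTED' keys."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in data
            or b"Proc-Type: 4,ENCRYPTED" in data)


def preflight(cert: str, key: str, ca: str) -> List[str]:
    """Return human-readable problems; an empty list means every check passed.

    Run this as the same user slapd runs as (openldap on Debian/Ubuntu) so the
    readability check reflects what the daemon sees, not what root sees.
    """
    problems: List[str] = []
    for label, path in (("cert", cert), ("key", key), ("ca", ca)):
        if not os.path.isfile(path):
            problems.append(f"{label}: {path} does not exist or is not a regular file")
        elif not os.access(path, os.R_OK):
            problems.append(f"{label}: {path} is not readable by this process")
    if problems:
        return problems  # nothing further can be checked without the files

    # Cheap syntactic checks first: they give the clearest message.
    if _pem_blocks(cert, "CERTIFICATE") < 1:
        problems.append(f"cert: {cert} contains no PEM CERTIFICATE block")
    if _looks_encrypted(key):
        problems.append(f"key: {key} is passphrase-protected; slapd cannot prompt for it")
    if _pem_blocks(ca, "CERTIFICATE") < 1:
        problems.append(f"ca: {ca} contains no PEM CERTIFICATE block")

    # Now load them exactly as a TLS server would. load_cert_chain fails on
    # bad PEM, an encrypted key and a key that does not match the certificate;
    # load_verify_locations fails on a bundle with no parseable certificates.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"cert/key: load_cert_chain failed: {exc}")
    try:
        ctx.load_verify_locations(cafile=ca)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"ca: load_verify_locations failed: {exc}")
    return problems


def write_constructed_samples() -> Tuple[str, str, str]:
    """Write deliberately broken sample files (constructed for this example,
    not real key material) and return their paths, so the checker can be
    exercised offline without a real certificate."""
    d = tempfile.mkdtemp(prefix="tls-preflight-")
    paths = (os.path.join(d, "domain.crt"),
             os.path.join(d, "domain_priv_key.pem.decrypted"),
             os.path.join(d, "bundle.pem"))
    bodies = (
        b"this is not a certificate\n",
        b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n",
        b"",
    )
    for path, body in zip(paths, bodies):
        with open(path, "wb") as fh:
            fh.write(body)
    return paths


if __name__ == "__main__":
    for line in preflight(CERT, KEY, CA) or ["all checks passed"]:
        print(line)
```

Run it as the openldap user (`sudo -u openldap python3 tls_preflight.py`) so that the readability check matches the daemon's view; the constructed samples only show the failure messages and are not a substitute for checking the real files.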