I used the following LDIF file to activate TLS support for the LDAP server:
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/CA.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/key.pem
and force the TLS usage for the client connections with the following LDIF:
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
After this I can't use "-Y EXTERNAL" any more to read or modify the configuration schema. For example, I get a SASL error if I run:
$ sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available:
and if I check for supported SASL mechanisms:
$ sudo ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
I really can't see the EXTERNAL included in the list. What am I missing here?
This is on Ubuntu-12.04 and slapd-2.4.31.
Best Answer
Without access to the running config, you'll have to stop slapd and edit the configuration offline.

1. Stop slapd:
   service slapd stop

2. Dump the config database to LDIF:
   slapcat -F /etc/ldap/slapd.d -b cn=config -l config.ldif

3. Move the old config database aside:
   mv /etc/ldap/slapd.d{,.old}

4. Make a new, empty config database:
   mkdir /etc/ldap/slapd.d
   chown --reference=/etc/ldap/slapd.d.old /etc/ldap/slapd.d
   chmod --reference=/etc/ldap/slapd.d.old /etc/ldap/slapd.d

5. Edit config.ldif to remove your olcSecurity setting (or add olcRootDN and olcRootPW to cn=config, or any other changes you like).

6. Load the edited LDIF into the new database:
   slapadd -F /etc/ldap/slapd.d -b cn=config -l config.ldif

(The above assumes your configuration lives at /etc/ldap/slapd.d, which is the default in Debian and Ubuntu.)

Note that slapadd of a complete LDIF should always be done into an empty database; so if you make a mistake and slapadd fails, make sure to clear out the partial database before trying again.

You can find more information in the OpenLDAP Admin Guide as well as the relevant man pages.
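The offline edit the answer describes, as an added example that is not part of the original question or answer: a POSIX shell script whose `strip_attribute` helper removes one attribute from one entry of a slapcat dump (in awk, dropping LDIF folded continuation lines together with the attribute), an `append_attribute` helper for the olcRootDN/olcRootPW alternative the answer mentions, and the dump/move/mkdir/slapadd steps wrapped in `rebuild_config_db`, which only runs when the script is invoked with `rebuild`. The `SLAPD_CONF_DIR` variable, the `config.edited.ldif` file name and copying ownership from the old tree with `chown -R --reference` are this example's assumptions, not anything the answer states.

```shell
#!/bin/sh
# Offline edit of the slapd cn=config database, following the answer above.
# Added example, not from the original post. Assumptions: the config tree
# lives at /etc/ldap/slapd.d (Debian/Ubuntu default, override with
# SLAPD_CONF_DIR) and the new tree should inherit ownership from the old one.
set -eu

# strip_attribute DN ATTR: read LDIF on stdin, write it to stdout with ATTR
# removed from the entry whose dn is DN. LDIF folds long values onto
# continuation lines that start with a space; those are dropped together
# with the attribute they belong to. Other entries are left untouched.
strip_attribute() {
    awk -v dn="dn: $1" -v attr="$2" '
        BEGIN { key = tolower(attr) ":"; klen = length(key) }
        /^$/  { in_target = 0; skipping = 0; print; next }   # blank line ends an entry
        /^ /  { if (!skipping) print; next }                 # folded continuation line
        { skipping = 0 }
        $0 == dn { in_target = 1; print; next }
        in_target && tolower(substr($0, 1, klen)) == key { skipping = 1; next }
        { print }
    '
}

# append_attribute DN ATTR VALUE: add "ATTR: VALUE" as the last line of the
# entry DN (the answer mentions adding olcRootDN/olcRootPW this way).
append_attribute() {
    awk -v dn="dn: $1" -v line="$2: $3" '
        $0 == dn { in_target = 1 }
        /^$/ && in_target { print line; in_target = 0 }   # entry ends here
        { print }
        END { if (in_target) print line }                  # entry ended at EOF
    '
}

# The full procedure from the answer. slapadd must load into an empty
# database, so a failed load wipes the partial tree and leaves an empty
# directory ready for another attempt.
rebuild_config_db() {
    conf_dir=${SLAPD_CONF_DIR:-/etc/ldap/slapd.d}
    service slapd stop
    slapcat -F "$conf_dir" -b cn=config -l config.ldif
    strip_attribute cn=config olcSecurity < config.ldif > config.edited.ldif
    mv "$conf_dir" "$conf_dir.old"
    mkdir "$conf_dir"
    chown --reference="$conf_dir.old" "$conf_dir"
    chmod --reference="$conf_dir.old" "$conf_dir"
    if ! slapadd -F "$conf_dir" -b cn=config -l config.edited.ldif; then
        echo "slapadd failed; clearing partial database, old tree kept at $conf_dir.old" >&2
        rm -rf "$conf_dir"
        mkdir "$conf_dir"
        chown --reference="$conf_dir.old" "$conf_dir"
        chmod --reference="$conf_dir.old" "$conf_dir"
        return 1
    fi
    # slapadd ran as root; give the new tree the old tree's owner (assumption)
    chown -R --reference="$conf_dir.old" "$conf_dir"
    service slapd start
}

# Only touch the system when explicitly asked: sh thisscript.sh rebuild
if [ "${1:-}" = rebuild ]; then
    rebuild_config_db
fi
```

The script strips olcSecurity rather than loosening it because `olcSecurity: tls=1` on cn=config applies to every connection, and a local `ldapi:///` socket is not a TLS connection, so the SASL EXTERNAL bind the question relies on is refused as soon as that setting is loaded. Keeping the old tree at `/etc/ldap/slapd.d.old` until slapd starts cleanly gives you a way back if the edited LDIF turns out to be wrong.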