10

I am trying to set up OpenLDAP on Ubuntu 12.04 by following this guide: https://help.ubuntu.com/12.04/serverguide/openldap-server.html

When I tried to enable TLS on the server by creating a self-signed certificate as described in the guide above, I got the following error.

Command that I ran:

```
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
```

Content of the LDIF file:

```
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
```

Error message:

```
ldap_modify: Inappropriate matching (18)
	additional info: modify/add: olcTLSCertificateFile: no equality matching rule
```

After hours of searching on Google, I have not found anything that tells much about this error. Does anyone have any more information on this?

1
  • Not an answer to your question, but once you have it fixed, you may want to force the use of SSL. Commented Jun 23, 2014 at 9:44

1 Answer

9

These are SINGLE-VALUE. Use replace instead of add.

Also note, changes in the attributes may require a restart of slapd. (Not everything is as run-time configurable as we'd like.)

Your schema is probably:

```
attributeTypes: ( 1.3.6.1.4.1.4203.1.12.2.3.0.70 NAME 'olcTLSCertificateFile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.4203.1.12.2.3.0.71 NAME 'olcTLSCertificateKeyFile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
```

A little explanation: ldapmodify add causes slapd to make sure you aren't putting in the attribute value pair twice by doing an equality match. From what I can tell it should be using 2.5.13.6 NAME 'caseExactOrderingMatch', but I'm not sure I've ever tried an add for these attributes. This behavior might be completely normal.
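The answer's fix applied to the LDIF from the question, as an added example that is not part of the original post. `question_ldif`, `to_replace` and `apply_tls_ldif` are hypothetical helper names, and treating `olcTLSCACertificateFile` the same way as the two attributes shown in the answer's schema is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample input: the change record from the question.
question_ldif() {
cat <<'EOF'
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
EOF
}

# Rewrite "add: <attr>" to "replace: <attr>" for the three TLS file attributes
# only. A replace needs no equality match against an existing value, and it
# creates the attribute if it is not set yet. All other lines pass through.
to_replace() {
    awk '
        /^add: olcTLS(CACertificate|Certificate|CertificateKey)File$/ {
            sub(/^add:/, "replace:")
        }
        { print }
    '
}

# Apply a rewritten LDIF file to the local slapd over ldapi:/// (same
# invocation as in the question), then read the three values back from
# cn=config to confirm what slapd stored. Not run on load; call it as root,
# for example: apply_tls_ldif /etc/ssl/certinfo.ldif
apply_tls_ldif() {
    to_replace < "$1" | ldapmodify -Y EXTERNAL -H ldapi:/// &&
    ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config -s base \
        '(objectClass=*)' \
        olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
}
```

If the read-back shows the new paths but clients still cannot negotiate TLS, restart slapd as the answer notes.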
