I have not mentioned that my Let's Encrypt certificate is not SAN but wildcard.
On Thu, Feb 27, 2020 at 1:10 PM jean-christophe manciot <[email protected]> wrote:
>
> Hi everyone,
>
> On Ubuntu 20.04
> slapd 2.4.49+dfsg-1ubuntu1
> with /etc/ldap/tls.ldif:
> --------------------------
> dn: cn=config
> changetype: modify
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/domain.crt
> -
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/domain_priv_key.pem.decrypted
> -
> add: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/letsencrypt_root_intermediate_bundle.pem
>
> - All files are readable by openldap user.
> - domain.crt is in pem format
> - letsencrypt_root_intermediate_bundle.pem contains isrgrootx1.pem + letsencryptauthorityx3.pem
> --------------------------
> Yet, if I run:
> ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f tls.ldif
>
> I get in the logs:
> --------------------------
> daemon: read active on 12
> daemon: epoll: listen=8 active_threads=0 tvp=zero
> daemon: epoll: listen=9 active_threads=0 tvp=zero
> daemon: epoll: listen=10 active_threads=0 tvp=zero
> daemon: activity on 1 descriptor
> conn=1001 op=1 MOD dn="cn=config"
> daemon: activity on:
> conn=1001 op=1 MOD attr=olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCACertificateFile
>
> => access_allowed: result not in cache (olcTLSCertificateFile)
> => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
> daemon: epoll: listen=8 active_threads=0 tvp=zero
> => acl_get: [1] attr olcTLSCertificateFile
> daemon: epoll: listen=9 active_threads=0 tvp=zero
> => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
> daemon: epoll: listen=10 active_threads=0 tvp=zero
> => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: result not in cache (olcTLSCertificateKeyFile)
> => access_allowed: add access to "cn=config" "olcTLSCertificateKeyFile" requested
> => acl_get: [1] attr olcTLSCertificateKeyFile
> => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
> => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: result not in cache (olcTLSCACertificateFile)
> => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
> => acl_get: [1] attr olcTLSCACertificateFile
> => acl_mask: access to entry "cn=config", attr "olcTLSCACertificateFile" requested
> => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> conn=1001 op=1 RESULT tag=103 err=80 text=
> daemon: activity on 1 descriptor
> daemon: activity on:
> 12r
> --------------------------
>
> What is going on?
> My logging attributes are: conns filter config acl stats stats2 shell parse
> Is there a way to get more explicit logging?
> -
> Jean-Christophe

--
Jean-Christophe
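The ACL trace in the quoted log shows every olcTLS* attribute being granted by manage, so the refusal (err=80, LDAP result "other", with an empty text=) happens after access control, when slapd tries to use the files. Because slapd gives no detail, the practical move is to validate the certificate, key and CA bundle with openssl before touching cn=config. The preflight below is an added example written for this editing pass, not code from the thread or from the OpenLDAP project. It assumes openssl(1) is installed, that the key file is unencrypted PEM (as the ".decrypted" name in the LDIF suggests), that the paths are passed as arguments, and it uses a hypothetical function name tls_preflight. It checks the three things that most often make a TLS context fail to initialise: cert/key mismatch, a chain that does not verify against the configured CA file, and files the service user cannot read. It also prints the subjectAltName DNS entries so the wildcard-versus-SAN question from the reply can be settled by looking at the certificate itself.

```shell
#!/bin/sh
# Preflight for slapd's olcTLSCertificateFile / olcTLSCertificateKeyFile /
# olcTLSCACertificateFile trio. Added example, not from the original thread.
# Assumptions: openssl(1) is available, the private key is unencrypted PEM,
# and the three paths given here are the ones that will go into the LDIF.

# tls_preflight CERT KEY CAFILE [SERVICE_USER]
# Returns 0 when every check passes, 1 otherwise. Findings go to stderr.
tls_preflight() {
    crt=$1 key=$2 ca=$3 user=${4:-openldap}
    rc=0

    # 0. All three files must exist and be readable by whoever runs the check.
    for f in "$crt" "$key" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is missing or not readable" >&2; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # 1. Certificate and key must carry the same public key (RSA or EC).
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "FAIL: cannot parse $crt or $key as PEM" >&2; rc=1
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $crt does not match $key" >&2; rc=1
    fi

    # 2. The certificate must chain to the CA bundle slapd will be given.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca" >&2; rc=1
    fi

    # 3. Show which DNS names the certificate actually covers (SAN entries;
    #    a wildcard shows up here as DNS:*.example.test).
    names=$(openssl x509 -in "$crt" -noout -text 2>/dev/null \
            | grep -o 'DNS:[^, ]*' | tr '\n' ' ')
    echo "INFO: subjectAltName DNS entries: ${names:-none}" >&2

    # 4. slapd opens these files as the service user, not as root. Only
    #    checkable when running as root and the user exists; skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        for f in "$crt" "$key" "$ca"; do
            su -s /bin/sh -c "test -r '$f'" "$user" \
                || { echo "FAIL: $f is not readable by $user" >&2; rc=1; }
        done
    else
        echo "INFO: skipped readability check as $user (need root and an existing user)" >&2
    fi
    return "$rc"
}

# Usage with the paths from the LDIF in the thread:
# tls_preflight /etc/ssl/domain.crt /etc/ssl/domain_priv_key.pem.decrypted \
#               /etc/ssl/letsencrypt_root_intermediate_bundle.pem openldap
```

Debian and Ubuntu build slapd against GnuTLS rather than OpenSSL, so a clean run here is a sanity check, not a reproduction of slapd's own validation; but a key that does not match the certificate, or a chain that does not verify against the CA file, will be rejected by either library, and openssl names the problem where slapd only reports err=80.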
