"POISSON Frédéric" wrote:
Hello all,Thanks first for the patch, i have applied it on my own build of 2.4.36 but i have now a strange behavior, the slapd do not crash but it refused operations. First here is the diff after applying the patch : $ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig 3795d3794 < slap_tls_ctx = NULL; 3804,3808d3802 < } else { < if ( rc == LDAP_NOT_SUPPORTED ) < rc = LDAP_UNWILLING_TO_PERFORM; < else < rc = LDAP_OTHER; Now when i only add or replace only attribute olcTLSRandFile on cn=config i have : ldap_modify: Server is unwilling to perform (53) When i replace following values in this order with 4 actions/operations or with a single action/operation it works : dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem - replace: olcTLSCertificateFile olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem - replace: olcTLSRandFile olcTLSRandFile: /dev/random But it don't works with only olcTLSRandfile if i do an add or replace first, why ? What do you need for investigation ?
There's nothing to investigate, this works as designed. The config engine requires your TLS configuration to be valid when you configure it. That means at a minimum you must configure a server cert and key. If you only configure the randfile and nothing else, the config is rejected.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
