OpenLdap TLS authentication setup

Question

I am trying to setup openldap on ubuntu 12.04 by following this guide https://help.ubuntu.com/12.04/serverguide/openldap-server.html

When I tried to enable TLS on the server by creating a self signed crtificate as decribed in the guide above, I got the following error

command that I ran

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif

Content of ldif file

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Error Message

ldap_modify: Inappropriate matching (18)
        additional info: modify/add: olcTLSCertificateFile: no equality matching rule

After hours of searching on google, I have not found anything that tells much about this error. Does anyone have any more information on this?

Answer 1

These are SINGLE-VALUE. Use replace instead of add.

Also note, changes in the attributes may require a restart of slapd. (Not everything is a run-time configurable as we'd like.)

Your schema is probably:

attributeTypes: ( 1.3.6.1.4.1.4203.1.12.2.3.0.70 NAME 'olcTLSCertificateFile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.4203.1.12.2.3.0.71 NAME 'olcTLSCertificateKeyFile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

A little explaination: ldapmodify add causes slapd to make sure you aren't putting in the attribute valie pair twice by doing an equality match. From what I can tell it should be using 2.5.13.6 NAME 'caseExactOrderingMatch', but I've not sure I've ever tried an add for these attributes. This behavior might be completely normal.