[SAC] [OSGeo] #2295: Replace ldaps STAR cert with letsencrypt or single cert

OSGeo trac_osgeo at osgeo.org
Fri Apr 26 20:26:13 PDT 2019


#2295: Replace ldaps STAR cert with letsencrypt or single cert
---------------------------+---------------------------------------
 Reporter:  robe           |       Owner:  sac@…
     Type:  task           |      Status:  new
 Priority:  blocker        |   Milestone:  Sysadmin Contract 2019-I
Component:  Systems Admin  |  Resolution:
 Keywords:                 |
---------------------------+---------------------------------------

Comment (by robe):

 I got as far as creating an ssl.ldif that has this in it:



 {{{
 dn: cn=config
 changetype: modify
 replace: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile:  /etc/ssl/certs/osgeo.org/privkey.pem
 -
 replace: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/ssl/certs/osgeo.org/chain.pem
 -
 replace: olcTLSCertificateFile
 olcTLSCertificateFile:  /etc/ssl/certs/osgeo.org/cert.pem
 }}}


 And then trying to install with this (note I'm doing this on a replica of
 secure, not on secure directly yet):


 {{{
 SLAPD_SERVICES="ldaps://ldap.osgeo.org"
 ldapmodify -W -D "cn=Manager,dc=osgeo,dc=org" -H ldaps://ldap.osgeo.org -f ssl.ldif
 }}}

 and it prompted me with a password which I found in the root/access list
 for phpldap.

 But I got this error:

 {{{
 modifying entry "cn=config"
 ldap_modify: Insufficient access (50)
 }}}


 If I type in the wrong password I do get an invalid password, so I have the
 right password for this account, but this one appears to not have enough
 privilege to edit the configs.

-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2295#comment:2>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

