Hi I’m in the process of migrating from 389-Directory/1.2.11.15 -> 389-Directory/1.3.7.5. I’m trying to automate the setup. I’m finding that I can no longer enable SSL via the command line using ldapmodify.
For V1.3.7.5 setup I followed
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/enabling_tls. After restarting the service, SSL is not enabled. I am able to use the Admin Console to enable SSL. I found that the following is missing from
when I setup via ldapmodify vs Admin Console.
Following is missing even after following the RedHat documentation.
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+
sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+
,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_exp
56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128
_256_sha
nsKeyfile: alias/slapd-XXXXX-key3.db
nsCertfile: alias/slapd-XXXXX-cert8.db
# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: server-cert
nsSSLActivation: on
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
I do notice that when I make the changes via ldapmodify it says that the changes have been successfully made, but they don’t show up in a search before and after a service restart. Also “nsslapd-security”
never changes from off to on via command line edit. Here is some info about my system.
OS: CentOS Linux release 7.5.1804 (Core)
389 packages installed:
389-adminutil-1.1.21-2.el7.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-admin-console-1.1.12-1.el7.noarch
389-ds-base-libs-1.3.7.5-28.el7_5.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-1.3.7.5-28.el7_5.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64
Version of Directory Server: 389-Directory/1.3.7.5 B2018.269.1826
Commands executing:
ldapmodify -x -D "cn=Directory Manager" -w XXXX << EOF
dn: cn=config
changetype: modify
replace: nsslapd-securePort
nsslapd-securePort: 636
-
replace: nsslapd-security
nsslapd-security: on
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLToken
nsSSLToken: internal (software)
-
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: server-cert
-
replace: nsSSLActivation
nsSSLActivation: on
EOF
systemctl restart dirsrv@XXXXX.service