ldap_add: Other (e.g., implementation specific) error (80) when adding pw-sha2.la module

I am quite confident the following will be inserted without errors:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap/
olcModuleLoad: pw-sha2

My confidence arises from the fact it is the exact ldif I used to enable the module.

As an aside: if you want a password scheme to be the default, modify PasswordHash on the frontend:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SHA256}
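An added example, not code from the answer or from the OpenLDAP project: the thread's two failure modes were a clash with an existing cn=module{N} entry (Naming violation 64) and olcModuleLoad naming a file slapd could not find. This script picks the next free index from ldapsearch output, emits the add LDIF, and checks the module file before you run ldapadd. The ldapsearch output is a constructed sample; the path and module name are those from the question.

```shell
#!/bin/sh
# Constructed sample of what
#   ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config '(objectClass=olcModuleList)'
# prints on a server that already has module{0} and module{1}.
SAMPLE_SEARCH='# extended LDIF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}syncprov.la

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModuleLoad: {0}back_mdb.la

# search result
result: 0 Success'

# Read ldapsearch output on stdin, print the highest module{N} index plus one.
# Prints 0 when no olcModuleList entry exists yet.
next_module_index() {
    sed -n 's/^cn: module{\([0-9][0-9]*\)}$/\1/p' \
        | sort -n | tail -n 1 \
        | awk '{ print $1 + 1 } END { if (NR == 0) print 0 }'
}

# Emit the LDIF that adds a new olcModuleList entry at index $1,
# loading module file $2 from directory $3.
module_ldif() {
    idx=$1; modfile=$2; modpath=$3
    printf 'dn: cn=module{%s},cn=config\n' "$idx"
    printf 'objectClass: olcModuleList\ncn: module{%s}\n' "$idx"
    printf 'olcModulePath: %s\nolcModuleLoad: %s\n' "$modpath" "$modfile"
}

# Return 0 if the name given to olcModuleLoad resolves to a file under
# olcModulePath, trying the spellings the thread tried (bare, .la, .so).
module_file_present() {
    modpath=$1; modfile=$2
    for f in "$modfile" "$modfile.la" "$modfile.so"; do
        [ -e "$modpath/$f" ] && return 0
    done
    return 1
}

# Stand-alone demo on the constructed sample: next free index is 2.
idx=$(printf '%s\n' "$SAMPLE_SEARCH" | next_module_index)
module_ldif "$idx" pw-sha2.la /usr/local/libexec/openldap
module_file_present /usr/local/libexec/openldap pw-sha2 \
    || echo "warning: pw-sha2 not found under /usr/local/libexec/openldap" >&2
```

Pipe the real ldapsearch output into next_module_index and feed module_ldif's output to ldapadd with the same -H ldapi:/// -Y EXTERNAL options used in the question.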

Author: Leo

I’m a Senior Site Reliability Engineer at Autonomic. I do Golang, Ruby, JS, Python, Elixir, as well as web scale devops with Terraform, Ansible, Kubernetes and Docker.

Updated on September 18, 2022

Comments

  • Leo
    Leo over 1 year

    I'm getting this error when trying to add a module to OpenLDAP:

    # ldapadd -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f ./module.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=module,cn=config"
    ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcModuleLoad> handler exited with 1
    

    Here's the ldif:

    # cat module.ldif
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/local/libexec/openldap
    olcModuleLoad: pw-sha2.la
    

    It's the slapd-sha2.so module. The readme instructions seem out of date.

    Here are the module directory contents:

    # ls /usr/local/libexec/openldap
    pw-sha2.a  pw-sha2.la  pw-sha2.so  pw-sha2.so.0  pw-sha2.so.0.0.0
    

    Here's a different module currently in OpenLDAP:

    # ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=module{0},cn=config'
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <cn=module{0},cn=config> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # module{0}, config
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModuleLoad: {0}syncprov.la
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    I tried suffixing module with {1} in the ldif to no success.

    OpenLDAP version:

    # slapd -V
    @(#) $OpenLDAP: slapd 2.4.40 (Sep 29 2015 10:26:27) $
        [email protected]:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
    

    I followed the steps below to compile the module.

    Install prerequisites:

    yum -y install git libtool openldap-devel nss nss-devel openssl openssl-devel db4 db4-devel
    

    Get module source:

    git clone https://github.com/gcp/openldap.git
    

    Build the module:

    cd openldap
    ./configure
    make depend
    make
    cd contrib/slapd-modules/passwd/sha2/
    make
    make install
    
    1. Is the module already loaded? I do not see it in cn=config.

    2. How do I add it to the OpenLDAP configuration?

    @473183469 suggested this ldif:

    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/local/libexec/openldap/
    olcModuleLoad: pw-sha2
    

    When I try it, I get this error:

    # ldapadd -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f ./module.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=module{0},cn=config"
    ldap_add: Naming violation (64)
    

    Edit 2:

    Just to be clear, I'm trying to use pw-sha2 compiled from the github source repo with the slapd from CentOS package repos.

    ls -laFtr /usr/local/libexec/openldap/
    total 124
    -rwxr-xr-x  1 root root 46158 Nov  6 11:53 pw-sha2.so.0.0.0*
    lrwxrwxrwx  1 root root    16 Nov  6 11:53 pw-sha2.so.0 -> pw-sha2.so.0.0.0*
    lrwxrwxrwx  1 root root    16 Nov  6 11:53 pw-sha2.so -> pw-sha2.so.0.0.0*
    -rw-r--r--  1 root root   910 Nov  6 11:53 pw-sha2.la
    -rw-r--r--  1 root root 61274 Nov  6 11:53 pw-sha2.a
    drwxr-xr-x  2 root root  4096 Nov  6 11:53 ./
    drwxr-xr-x. 3 root root  4096 Nov 19 14:19 ../
    

    Official CentOS slapd:

    # slapd -VVV
    @(#) $OpenLDAP: slapd 2.4.40 (Nov 10 2015 09:41:16) $
        [email protected]:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
    
    Included static backends:
        config
        ldif
        monitor
        bdb
        hdb
        ldap
        mdb
        meta
        null
        passwd
        relay
        shell
        sock
    

    slapd built from source:

    # /usr/local/libexec/slapd -VVV
    @(#) $OpenLDAP: slapd 2.X (Nov 19 2015 14:18:36) $
        root@my_hostname.my_domain.com:/root/openldap/servers/slapd
    
    Included static overlays:
        syncprov
    Included static backends:
        config
        ldif
        monitor
        bdb
        hdb
        mdb
        relay
    
  • Leo
    Leo over 8 years
    I get an ldap_add: Naming violation (64) with that ldif. I've added diagnostic output to the question
  • 473183469
    473183469 over 8 years
    I suspect the index {0} of modules is already used. Can you list your modules? sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config 'objectClass=olcModuleList'
  • 473183469
    473183469 over 8 years
    The server log output would be most useful: the client output is not very enlightening.
  • Leo
    Leo over 8 years
    Thanks! There was a {0} module. Adding a {1} module showed a file not found error in the slapd logs. I added .la to olcModuleLoad: pw-sha2.la and adding the module as {1} worked.
  • Leo
    Leo over 8 years
    I spoke too soon. Getting file not found for pw-sha2, pw-sha2.la and pw-sha2.so
  • 473183469
    473183469 over 8 years
    What does ls -laFtr /usr/local/libexec/openldap/ show? While doing configure, did you change the PREFIX?
  • Leo
    Leo over 8 years
    Details added to question. Note that I was trying to use the official CentOS slapd with a pw-sha2 compiled from Github source.
  • Aas
    Aas over 6 years
    @Leons Have you found a solution? Can you please post LDIF that worked for you? You have done the same steps as I did and I have come to the same dead end as you did.