OpenLDAP error configuring StartTLS: ldap_modify: Other (e.g., implementation specific) error (80)
Solution 1
Thomas' comment put me on the right track.
Cause of the problem: I failed to realize that /etc/ssl/certs/roenix.ca.cert.crt is actually a symlink to /usr/local/share/ca-certificates/roenix.ca.cert.crt.
Solution: Set correct permissions on the actual cert file in /usr/local/share/ca-certificates.
Also read the other comments and learned a lot! Thanks all.
Solution 2
I solved this problem by changing the order in the file.ldif like this:
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/your_key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/your_certificate
and then I ran the command
ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif
Make sure that there is an ACL that makes root eligible to make changes when authenticating with a SASL bind.
To make sure that the changes have been applied, run this command:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS
Solution 3
I had the same problem.
Certificates were stored in /opt/local/cert.
You must add this directory to the list of resolved files in /etc/apparmor.d/local/usr.sbin.slapd:
/opt/local/cert/ r,
/opt/local/cert/* r,
Solution 4
I solved the problem by just using the correct order: first the key, then the cert. And it worked for me.
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.kart.com.key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.kart.com.cert
Solution 5
This error can also be a permission error. For example, if you did this command
vim newcerts.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/myca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap1.mydom.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap1.mydom.key
-
replace: olcTLSRandFile
olcTLSRandFile: /dev/urandom
then
ldapmodify -Y EXTERNAL -H ldapi:/// -f newcerts.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
but after giving the openldap user read permission on the key file with setfacl (the certs are usually 644, readable by all)
setfacl -m u:openldap:r-x /etc/ssl/private
setfacl -m u:openldap:r-x /etc/ssl/private/ldap1.mydom.key
everything works:
ldapmodify -Y EXTERNAL -H ldapi:/// -f newcerts.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
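Solution 1 (a symlink pointing at a file the service cannot reach) and Solution 5 (a key the openldap user cannot read) are the same failure seen from two angles: slapd, running as its own user, cannot open one of the configured TLS files, and error 80 is all ldapmodify reports. The script below is an added example, not code from the question or any answer. It resolves symlinks, then checks the search bit on every directory and the read bit on the file from the mode bits alone, for an arbitrary uid and set of gids, so it can be run before touching cn=config. The temporary directory layout it builds is constructed for the demonstration; on a real host you would pass the service account and the real paths, e.g. `python3 check_tls_paths.py openldap /etc/ssl/certs/roenix.ca.cert.pem /etc/ssl/private/ldaptest.roenix.net.key.pem`. It does not consult POSIX ACLs, so a file granted with setfacl as in Solution 5 will still be reported as unreadable; use getfacl for those.

```python
import os
import pwd
import grp
import sys
import tempfile


def _class_bits(st, uid, gids):
    """Pick the rwx triple (owner / group / other) that applies to this identity."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def can_read_as(path, uid, gids):
    """Decide from mode bits alone whether uid (with gids) could open path for
    reading. Symlinks are resolved first so the check lands on the real file (the
    trap in Solution 1). Every directory on the resolved path needs the search (x)
    bit; the file itself needs the read (r) bit. POSIX ACLs are NOT consulted.
    Returns (ok, resolved_path, reason)."""
    real = os.path.realpath(path)
    if not os.path.exists(real):
        return (False, real, "does not exist")
    if uid == 0:
        return (True, real, "root bypasses mode bits")
    cur = os.sep
    # Walk every ancestor directory: /, /etc, /etc/ssl, ...
    for comp in [c for c in os.path.dirname(real).split(os.sep) if c]:
        cur = os.path.join(cur, comp)
        if not _class_bits(os.stat(cur), uid, gids) & 0o1:
            return (False, real, "no search (x) permission on directory %s" % cur)
    if not _class_bits(os.stat(real), uid, gids) & 0o4:
        return (False, real, "no read (r) permission on file")
    return (True, real, "readable")


def can_read_as_user(path, username):
    """Same check for a named account, e.g. the user slapd runs as."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}
    return can_read_as(path, pw.pw_uid, gids)


def build_demo_tree():
    """Constructed layout mirroring the question (not real system paths):
    certs/ca.pem is a symlink into share/, which the service cannot traverse,
    and private/key.pem is 0640, so only the owning group can read it."""
    base = tempfile.mkdtemp(dir="/tmp" if os.path.isdir("/tmp") else None)
    os.chmod(base, 0o755)  # mkdtemp creates 0700; open it up so only share/ blocks
    share, certs, private = (os.path.join(base, d) for d in ("share", "certs", "private"))
    for d, mode in ((share, 0o700), (certs, 0o755), (private, 0o710)):
        os.mkdir(d)
        os.chmod(d, mode)  # chmod explicitly; mkdir's mode argument is umask-filtered
    ca_real = os.path.join(share, "ca.crt")
    ca_link = os.path.join(certs, "ca.pem")
    key = os.path.join(private, "key.pem")
    for f, mode in ((ca_real, 0o644), (key, 0o640)):
        with open(f, "w") as fh:
            fh.write("constructed placeholder, not a real certificate or key\n")
        os.chmod(f, mode)
    os.symlink(ca_real, ca_link)
    return {"share": share, "ca_link": ca_link, "ca_real": os.path.realpath(ca_real),
            "key": key, "gid": os.stat(key).st_gid}


def demo():
    """Run the check as a synthetic service identity that is not the file owner,
    before and after the fix from Solution 1 (fix the real location, not the link)."""
    t = build_demo_tree()
    svc_uid = os.getuid() + 1  # any uid that does not own the files
    out = {
        "cert_before": can_read_as(t["ca_link"], svc_uid, set()),
        "key_outside_group": can_read_as(t["key"], svc_uid, set()),
        "key_in_group": can_read_as(t["key"], svc_uid, {t["gid"]}),
    }
    os.chmod(t["share"], 0o755)  # what Solution 1 amounts to: fix the real directory
    out["cert_after"] = can_read_as(t["ca_link"], svc_uid, set())
    out["resolved_to_real_file"] = out["cert_after"][1] == t["ca_real"]
    return out


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        for p in sys.argv[2:]:
            print(p, can_read_as_user(p, sys.argv[1]))
    else:
        for k, v in demo().items():
            print(k, v)
```

The "cert_before" verdict is the symlink case from the question: the link in certs/ is world-readable, but the real file sits behind a directory the service cannot enter, which is exactly the detail the ls output of /etc/ssl/certs hides. The "key_in_group" verdict is the ssl-cert group pattern from the question, and "key_outside_group" is what slapd sees when its user is not in that group.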
Updated on September 18, 2022
Comments
-
Ph4edrus over 1 year
Configuring StartTLS for OpenLDAP.
- Ubuntu server 16.04
- Slapd 2.4.42+dfsg-2ubuntu3.2
I have my own internal Certificate authority that is providing certificates.
I have set up certificates and key: in /etc/ssl/certs:
-rw-r----- 1 root ssl-cert 3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem
lrwxrwxrwx 1 root root 51 Jul 2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt
in /etc/ssl/private:
-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem
I have correctly set the hostname:
@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net
I try to add the configuration to slapd with this LDIF:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem
With the command:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
I get this error:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Any help greatly appreciated!
-
Thomas almost 7 years
Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
-
Ph4edrus almost 7 years
Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
-
Thomas almost 7 years
What are the access rights on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And can the openldap user change into /etc/ssl/private? Which manual did you follow?
-
Ph4edrus almost 7 years
Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
-
fen about 5 years
Swapping the order (key, then cert) did it! Thanks!
-
M2E67 over 4 years
It does not for me !!!
-
Kartik Agarwal about 4 years
Swapping the order (key, then cert) did it. Thanks
-
Assil over 2 years
Swapping the order worked for me as well.