OpenLDAP error configuring StartTLS: ldap_modify: Other (e.g., implementation specific) error (80)
Configuring StartTLS for OpenLDAP.
- Ubuntu server 16.04
- Slapd 2.4.42+dfsg-2ubuntu3.2
I have my own internal Certificate authority that is providing certificates.
I have set up certificates and key:
in /etc/ssl/certs:
-rw-r----- 1 root ssl-cert 3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem
lrwxrwxrwx 1 root root 51 Jul 2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt
in /etc/ssl/private:
-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem
I have correctly set hostname:
@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net
I try to add the configuration to slapd with this LDIF:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem
With the command:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
I get this error:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Any help greatly appreciated!
openldap tls
Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
– Thomas
Jul 15 '17 at 11:56
Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
– Ph4edrus
Jul 15 '17 at 14:40
What are the access rights on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And can the openldap user change into /etc/ssl/private? Which manual did you follow?
– Thomas
Jul 15 '17 at 14:54
Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
– Ph4edrus
Jul 15 '17 at 16:23
asked Jul 15 '17 at 10:32
Ph4edrus
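The comment thread pins the error 80 on file permissions: slapd runs as the service user, the CA file in /etc/ssl/certs is a symlink into /usr/local/share/ca-certificates, and the key sits in a directory that is not world-searchable. The following pre-flight check is an added example, not code from the question or the comments. It reads the olcTLS*File paths out of an LDIF, resolves symlinks, and tests read permission on the target and search (x) permission on every parent directory as the service user. It assumes the Debian/Ubuntu service user name openldap, GNU or busybox readlink, and unfolded LDIF attribute lines; it checks DAC permissions only, not AppArmor confinement.

```shell
#!/bin/sh
# Added example, not taken from the question or the comments. Pre-flight
# check for the cause diagnosed in the comment thread: slapd runs as the
# service user, so every file named by an olcTLS*File attribute must be
# readable by that user, following symlinks (the CA file in /etc/ssl/certs
# is a link into /usr/local/share/ca-certificates) and with search (x)
# permission on every parent directory (/etc/ssl/private is 0710
# root:ssl-cert on Debian/Ubuntu). Assumptions: service user "openldap"
# (Debian/Ubuntu default), GNU or busybox readlink, and LDIF attribute
# lines that are not folded. This checks DAC permissions only.

SLAPD_USER="${SLAPD_USER:-openldap}"

# Print the paths given to olcTLSCACertificateFile, olcTLSCertificateFile
# and olcTLSCertificateKeyFile in an LDIF file, one per line.
tls_paths_from_ldif() {
    sed -n 's/^olcTLS[A-Za-z]*File:[[:space:]]*//p' "$1"
}

# Follow symlinks and print the final target path.
resolve_target() {
    readlink -f "$1"
}

# Run a command as user $1. When $1 is the current user no sudo is needed,
# which also lets the checks below run unprivileged.
run_as() {
    user="$1"; shift
    if [ "$user" = "$(id -un)" ]; then "$@"; else sudo -n -u "$user" "$@"; fi
}

# Check one path as the given user: every parent directory of the resolved
# target needs x, the target itself needs r. Prints the first failing
# component and returns 1; returns 0 when the file is readable.
# Run this as the service user, not as root: root passes every DAC test.
check_path_as_user() {
    user="$1"; path="$2"
    target=$(resolve_target "$path") || { echo "FAIL: cannot resolve $path"; return 1; }
    dir=$(dirname "$target")
    while [ "$dir" != "/" ]; do
        if ! run_as "$user" test -x "$dir"; then
            echo "FAIL: $user has no search (x) permission on $dir (needed for $path)"
            return 1
        fi
        dir=$(dirname "$dir")
    done
    if ! run_as "$user" test -r "$target"; then
        echo "FAIL: $user cannot read $target (reached via $path)"
        return 1
    fi
    echo "ok: $path -> $target"
}

# Check every TLS file named in an LDIF. Prints one line per file and
# returns 0 only when none failed.
check_ldif_tls_files() {
    ldif="$1"; user="${2:-$SLAPD_USER}"
    report=$(tls_paths_from_ldif "$ldif" | while IFS= read -r p; do
        check_path_as_user "$user" "$p" || true
    done)
    printf '%s\n' "$report"
    [ "$(printf '%s\n' "$report" | grep -c '^FAIL:')" -eq 0 ]
}

# Usage on the server from the question, before touching cn=config:
#   check_ldif_tls_files certinfo.ldif openldap && \
#       sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
# and afterwards, to confirm what slapd stored:
#   sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL \
#       olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
```

On the fix itself: the CA certificate is public, so widening its group or mode is harmless, but keep the private key at 0640 root:ssl-cert and give the service user access through membership in the ssl-cert group (the Debian/Ubuntu convention that the 0710 mode on /etc/ssl/private is built around) rather than loosening the key file or directory itself.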
2 Answers
I had the same problem.
Certificates were stored in /opt/local/cert.
You must add this directory to the list of the resolved files in /etc/apparmor.d/usr.sbin.slapd:
/opt/local/cert/ r,
/opt/local/cert/* r,
edited Feb 22 '18 at 21:15
user535733
answered Feb 22 '18 at 16:07
user798428
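The answer above covers the second common cause of this error on Ubuntu: slapd is confined by the AppArmor profile /etc/apparmor.d/usr.sbin.slapd, so a certificate directory the profile does not list is unreadable even when the DAC permissions are right, and slapd still reports only error 80. The kernel logs one apparmor="DENIED" line per attempt. The script below is an added example, not part of the answer: it extracts the denied paths from such log lines and prints the profile rules in the form the answer shows. The sample log lines are constructed for the example in the format the kernel uses; they are not from a real system.

```shell
#!/bin/sh
# Added example, not part of the answer above. On Ubuntu slapd is confined
# by the AppArmor profile /etc/apparmor.d/usr.sbin.slapd, so a certificate
# directory the profile does not list is unreadable even when the DAC bits
# are right; slapd only reports error 80, while the kernel logs one
# apparmor="DENIED" line per attempt. This turns those log lines into the
# profile rules the answer describes. The sample log lines are constructed
# for this example in the format the kernel uses; they are not from a real
# system.

# Print "path mask" for every AppArmor denial attributed to the slapd
# profile. Input: kernel or audit log text on stdin.
slapd_denials() {
    grep 'apparmor="DENIED"' | grep 'profile="/usr/sbin/slapd"' |
        sed -n 's/.*name="\([^"]*\)".*requested_mask="\([^"]*\)".*/\1 \2/p'
}

# Print the rules that allow access to the directory holding a denied file:
# the directory itself (r, so it can be opened) and its contents with the
# access mask that was denied (r for TLS certificate and key files).
rules_for_denial() {
    d=$(dirname "$1")
    printf '%s/ r,\n%s/* %s,\n' "$d" "$d" "$2"
}

# Read log text on stdin and print a deduplicated rule set, one rule per line.
rules_from_log() {
    slapd_denials | while read -r path mask; do
        rules_for_denial "$path" "$mask"
    done | LC_ALL=C sort -u
}

# Constructed sample lines (not from a real system) mimicking kern.log.
SAMPLE_LOG='kernel: audit: type=1400 audit(1519310000.100:73): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/opt/local/cert/server.crt" pid=1023 comm="slapd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
kernel: audit: type=1400 audit(1519310000.101:74): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/opt/local/cert/server.key" pid=1023 comm="slapd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
kernel: audit: type=1400 audit(1519310000.102:75): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/www/secret" pid=2001 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0'

# Demonstration on the sample. On a real host feed the kernel log instead:
#   journalctl -k | rules_from_log      (or: grep slapd /var/log/kern.log | rules_from_log)
# then append the rules to /etc/apparmor.d/local/usr.sbin.slapd, which the
# shipped profile includes (confirm with: grep local/ /etc/apparmor.d/usr.sbin.slapd)
# so a package upgrade does not overwrite them, and reload the profile with:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
printf '%s\n' "$SAMPLE_LOG" | rules_from_log
```

Putting the rules in the local/ include rather than editing the main profile keeps them across package upgrades; after the reload, re-run the ldapmodify and check the kernel log again, since a denial on a second path (for example a key stored elsewhere) only shows up once the first one is cleared.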
I solved this problem by changing the order in the file.ldif like this:
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/your_key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/your_certificate
and then I launched the command ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif
Make sure that there is an ACL that makes root eligible to make changes when authenticating with SASL bind.
To make sure that the changes have been applied, launch this command: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS
answered Dec 20 '18 at 2:45
Oussama Mechlaoui