OpenLDAP error configuring StartTLS: ldap_modify: Other (e.g., implementation specific) error (80)












1














Configuring StartTLS for OpenLDAP.




  • Ubuntu server 16.04

  • Slapd 2.4.42+dfsg-2ubuntu3.2


I have my own internal Certificate authority that is providing certificates.



I have set up certificates and key:
in /etc/ssl/certs:



-rw-r----- 1 root ssl-cert   3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem

lrwxrwxrwx 1 root root 51 Jul 2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt


in /etc/ssl/private:



-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem


I have correctly set hostname:



@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net


I try to add the configuration to slapd with this LDIF:



dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem


With the command:



sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif


I get this error:



SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)


Any help greatly appreciated!










share|improve this question






















  • Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
    – Thomas
    Jul 15 '17 at 11:56










  • Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
    – Ph4edrus
    Jul 15 '17 at 14:40












  • What are the access right on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And does the openldap user can change into /etc/ssl/private? Which manual did you follow?
    – Thomas
    Jul 15 '17 at 14:54










  • Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
    – Ph4edrus
    Jul 15 '17 at 16:23


















1














Configuring StartTLS for OpenLDAP.




  • Ubuntu server 16.04

  • Slapd 2.4.42+dfsg-2ubuntu3.2


I have my own internal Certificate authority that is providing certificates.



I have set up certificates and key:
in /etc/ssl/certs:



-rw-r----- 1 root ssl-cert   3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem

lrwxrwxrwx 1 root root 51 Jul 2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt


in /etc/ssl/private:



-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem


I have correctly set hostname:



@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net


I try to add the configuration to slapd with this LDIF:



dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem


With the command:



sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif


I get this error:



SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)


Any help greatly appreciated!










share|improve this question






















  • Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
    – Thomas
    Jul 15 '17 at 11:56










  • Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
    – Ph4edrus
    Jul 15 '17 at 14:40












  • What are the access right on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And does the openldap user can change into /etc/ssl/private? Which manual did you follow?
    – Thomas
    Jul 15 '17 at 14:54










  • Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
    – Ph4edrus
    Jul 15 '17 at 16:23
















1












1








1







Configuring StartTLS for OpenLDAP.




  • Ubuntu server 16.04

  • Slapd 2.4.42+dfsg-2ubuntu3.2


I have my own internal Certificate authority that is providing certificates.



I have set up certificates and key:
in /etc/ssl/certs:



-rw-r----- 1 root ssl-cert   3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem

lrwxrwxrwx 1 root root 51 Jul 2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt


in /etc/ssl/private:



-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem


I have correctly set hostname:



@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net


I try to add the configuration to slapd with this LDIF:



dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem


With the command:



sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif


I get this error:



SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)


Any help greatly appreciated!










share|improve this question













Configuring StartTLS for OpenLDAP.




  • Ubuntu server 16.04

  • Slapd 2.4.42+dfsg-2ubuntu3.2


I have my own internal Certificate authority that is providing certificates.



I have set up certificates and key:
in /etc/ssl/certs:



-rw-r----- 1 root ssl-cert   3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem

lrwxrwxrwx 1 root root 51 Jul 2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt


in /etc/ssl/private:



-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem


I have correctly set hostname:



@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net


I try to add the configuration to slapd with this LDIF:



dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem


With the command:



sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif


I get this error:



SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)


Any help greatly appreciated!







openldap tls






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jul 15 '17 at 10:32









Ph4edrusPh4edrus

615




615












  • Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
    – Thomas
    Jul 15 '17 at 11:56










  • Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
    – Ph4edrus
    Jul 15 '17 at 14:40












  • What are the access right on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And does the openldap user can change into /etc/ssl/private? Which manual did you follow?
    – Thomas
    Jul 15 '17 at 14:54










  • Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
    – Ph4edrus
    Jul 15 '17 at 16:23




















  • Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
    – Thomas
    Jul 15 '17 at 11:56










  • Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
    – Ph4edrus
    Jul 15 '17 at 14:40












  • What are the access right on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And does the openldap user can change into /etc/ssl/private? Which manual did you follow?
    – Thomas
    Jul 15 '17 at 14:54










  • Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
    – Ph4edrus
    Jul 15 '17 at 16:23


















Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
– Thomas
Jul 15 '17 at 11:56




Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
– Thomas
Jul 15 '17 at 11:56












Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
– Ph4edrus
Jul 15 '17 at 14:40






Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
– Ph4edrus
Jul 15 '17 at 14:40














What are the access right on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And does the openldap user can change into /etc/ssl/private? Which manual did you follow?
– Thomas
Jul 15 '17 at 14:54




What are the access right on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And does the openldap user can change into /etc/ssl/private? Which manual did you follow?
– Thomas
Jul 15 '17 at 14:54












Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
– Ph4edrus
Jul 15 '17 at 16:23






Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
– Ph4edrus
Jul 15 '17 at 16:23












2 Answers
2






active

oldest

votes


















0














i had the same problem.
Certificates were stored in the /opt/local/cert.



You must add this directory to the list of the resolved files in /etc/apparmor.d/usr.sbin.slapd:



/opt/local/cert/ r,`
/opt/local/cert/* r,





share|improve this answer































    0














    I solved this problem by changing the order in the file.ldif like this:



    dn: cn=config

    changetype: modify

    replace: olcTLSCertificateKeyFile

    olcTLSCertificateKeyFile: /etc/openldap/certs/your_key



    dn: cn=config

    changetype: modify

    replace: olcTLSCertificateFile

    olcTLSCertificateFile: /etc/openldap/certs/your_certificate



    and the I launched the command ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif
    make sure that there an acl that makes the root eligible to make change with authenticating with SASL bind.



    To make sure that changes have been done launch this command ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS






    share|improve this answer





















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "89"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f936382%2fopenldap-error-configuring-starttls-ldap-modify-other-e-g-implementation-sp%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      i had the same problem.
      Certificates were stored in the /opt/local/cert.



      You must add this directory to the list of the resolved files in /etc/apparmor.d/usr.sbin.slapd:



      /opt/local/cert/ r,`
      /opt/local/cert/* r,





      share|improve this answer




























        0














        i had the same problem.
        Certificates were stored in the /opt/local/cert.



        You must add this directory to the list of the resolved files in /etc/apparmor.d/usr.sbin.slapd:



        /opt/local/cert/ r,`
        /opt/local/cert/* r,





        share|improve this answer


























          0












          0








          0






          i had the same problem.
          Certificates were stored in the /opt/local/cert.



          You must add this directory to the list of the resolved files in /etc/apparmor.d/usr.sbin.slapd:



          /opt/local/cert/ r,`
          /opt/local/cert/* r,





          share|improve this answer














          i had the same problem.
          Certificates were stored in the /opt/local/cert.



          You must add this directory to the list of the resolved files in /etc/apparmor.d/usr.sbin.slapd:



          /opt/local/cert/ r,`
          /opt/local/cert/* r,






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Feb 22 '18 at 21:15









          user535733

          7,74722942




          7,74722942










          answered Feb 22 '18 at 16:07









          user798428user798428

          11




          11

























              0














              I solved this problem by changing the order in the file.ldif like this:



              dn: cn=config

              changetype: modify

              replace: olcTLSCertificateKeyFile

              olcTLSCertificateKeyFile: /etc/openldap/certs/your_key



              dn: cn=config

              changetype: modify

              replace: olcTLSCertificateFile

              olcTLSCertificateFile: /etc/openldap/certs/your_certificate



              and the I launched the command ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif
              make sure that there an acl that makes the root eligible to make change with authenticating with SASL bind.



              To make sure that changes have been done launch this command ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS






              share|improve this answer


























                0














                I solved this problem by changing the order in the file.ldif like this:



                dn: cn=config

                changetype: modify

                replace: olcTLSCertificateKeyFile

                olcTLSCertificateKeyFile: /etc/openldap/certs/your_key



                dn: cn=config

                changetype: modify

                replace: olcTLSCertificateFile

                olcTLSCertificateFile: /etc/openldap/certs/your_certificate



                and the I launched the command ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif
                make sure that there an acl that makes the root eligible to make change with authenticating with SASL bind.



                To make sure that changes have been done launch this command ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS






                share|improve this answer
























                  0












                  0








                  0






                  I solved this problem by changing the order in the file.ldif like this:



                  dn: cn=config

                  changetype: modify

                  replace: olcTLSCertificateKeyFile

                  olcTLSCertificateKeyFile: /etc/openldap/certs/your_key



                  dn: cn=config

                  changetype: modify

                  replace: olcTLSCertificateFile

                  olcTLSCertificateFile: /etc/openldap/certs/your_certificate



                  and the I launched the command ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif
                  make sure that there an acl that makes the root eligible to make change with authenticating with SASL bind.



                  To make sure that changes have been done launch this command ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS






                  share|improve this answer












                  I solved this problem by changing the order in the file.ldif like this:



                  dn: cn=config

                  changetype: modify

                  replace: olcTLSCertificateKeyFile

                  olcTLSCertificateKeyFile: /etc/openldap/certs/your_key



                  dn: cn=config

                  changetype: modify

                  replace: olcTLSCertificateFile

                  olcTLSCertificateFile: /etc/openldap/certs/your_certificate



                  and the I launched the command ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif
                  make sure that there an acl that makes the root eligible to make change with authenticating with SASL bind.



                  To make sure that changes have been done launch this command ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Dec 20 '18 at 2:45









                  Oussama MechlaouiOussama Mechlaoui

                  1




                  1






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Ask Ubuntu!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.





                      Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                      Please pay close attention to the following guidance:


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f936382%2fopenldap-error-configuring-starttls-ldap-modify-other-e-g-implementation-sp%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Ellipse (mathématiques)

                      Quarter-circle Tiles

                      Mont Emei