OpenLDAP error configuring StartTLS: ldap_modify: Other (e.g., implementation specific) error (80)
Configuring StartTLS for OpenLDAP.




  • Ubuntu server 16.04

  • Slapd 2.4.42+dfsg-2ubuntu3.2


I have my own internal Certificate authority that is providing certificates.



I have set up certificates and key:
in /etc/ssl/certs:



-rw-r----- 1 root ssl-cert   3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem

lrwxrwxrwx 1 root root 51 Jul 2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt


in /etc/ssl/private:



-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem


I have correctly set the hostname:



@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net


I try to add the configuration to slapd with this LDIF:



dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem


With the command:



sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif


I get this error:



SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)


Any help greatly appreciated!
  • Normally slapd runs as user openldap. You should give read access to this user for the TLS files.
    – Thomas
    Jul 15 '17 at 11:56

  • Thanks Thomas! I failed to mention I made user openldap a member of the group open-ssl. Do you recommend a different method of giving access?
    – Ph4edrus
    Jul 15 '17 at 14:40

  • What are the access rights on /usr/local/share/ca-certificates/roenix.ca.cert.crt? And can the openldap user change into /etc/ssl/private? Which manual did you follow?
    – Thomas
    Jul 15 '17 at 14:54

  • Thomas you're an absolute hero! How could I miss the symlink... Changed the group on /usr/local/share/.... and it's fixed!!!!
    – Ph4edrus
    Jul 15 '17 at 16:23
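The exchange above narrows the cause to file access by the slapd service user, and what was overlooked is that slapd opens the symlink's target, not the symlink. As an added example that is not part of the thread (neither the poster's nor OpenLDAP's code), the script below reads the olcTLS*File paths from an LDIF such as certinfo.ldif and answers Thomas's two questions before ldapmodify is run: what the resolved target's owner, group and mode are, and whether the service user can read it, parent directories included. SLAPD_USER defaults to openldap on the assumption of the Debian/Ubuntu package default, and the GNU readlink and stat options are assumed available, as on Ubuntu.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. Pre-flight check for the
# paths an olcTLS*File LDIF refers to, run before ldapmodify: slapd opens each file as
# its service user, so a symlink is followed to its target (the step missed in the
# thread) and the target is checked as that user. SLAPD_USER=openldap is an assumption
# taken from the Debian/Ubuntu package default. Uses GNU readlink/stat (Ubuntu).
export LC_ALL=C
SLAPD_USER=${SLAPD_USER:-openldap}

# tls_paths_from_ldif FILE : print the value of every olcTLS...File attribute in FILE
tls_paths_from_ldif() {
    sed -n 's/^olcTLS[A-Za-z]*File: *//p' "$1"
}

# describe_target PATH : print "PATH -> TARGET  owner:group mode"; status 1 when the
# resolved target does not exist (dangling symlink or a typo in the LDIF)
describe_target() {
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    if [ ! -e "$target" ]; then
        printf 'MISSING  %s -> %s\n' "$1" "$target"
        return 1
    fi
    printf '%s -> %s  %s\n' "$1" "$target" "$(stat -c '%U:%G %a' "$target")"
}

# readable_as USER PATH : status 0 if USER can open PATH for reading. Running test -r
# as USER also exercises the x bit on every parent directory (e.g. /etc/ssl/private),
# which is the second thing Thomas asked about. Needs sudo (or root).
readable_as() {
    sudo -n -u "$1" test -r "$2" 2>/dev/null
}

# preflight LDIF : describe every referenced path; the exit status is the number of
# paths slapd would fail to open, so 0 means it is safe to run ldapmodify
preflight() {
    fails=0
    for p in $(tls_paths_from_ldif "$1"); do
        if ! describe_target "$p"; then
            fails=$((fails + 1))
        elif ! readable_as "$SLAPD_USER" "$p"; then
            printf 'NOT READABLE by %s: %s (check group and mode of the target, x on parent dirs)\n' "$SLAPD_USER" "$p"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage: sh preflight.sh certinfo.ldif
if [ -n "$1" ]; then
    preflight "$1"
fi
```

Run it as `sh preflight.sh certinfo.ldif` on the server. For the question's layout it would have printed the resolved target `/usr/local/share/ca-certificates/roenix.ca.cert.crt` with its owner and group on the first line, which is where the wrong group was sitting; the `ldap_modify ... error (80)` message itself never names the file.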


















1














openldap tls

asked Jul 15 '17 at 10:32 by Ph4edrus

2 Answers
I had the same problem.
Certificates were stored in /opt/local/cert.

You must add this directory to the list of the resolved files in /etc/apparmor.d/usr.sbin.slapd:

/opt/local/cert/ r,
/opt/local/cert/* r,
answered Feb 22 '18 at 16:07 by user798428
edited Feb 22 '18 at 21:15 by user535733
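AppArmor confinement produces the same opaque error (80) as a file-permission problem, but the kernel audit log names the exact file slapd was refused. As an added example (mine, not the answerer's, Ubuntu's or OpenLDAP's code), the script below extracts those paths from DENIED lines and turns them into read-only rules, one per file plus its directory, which is tighter than the `/opt/local/cert/* r,` wildcard in the answer. SAMPLE_DENIALS is constructed in the kernel's audit format; install_rules assumes the Ubuntu layout in which /etc/apparmor.d/usr.sbin.slapd includes local/usr.sbin.slapd for site additions, so check the profile before relying on that.

```shell
#!/bin/sh
# Added example, not code from the answer, Ubuntu or OpenLDAP. When slapd is confined
# by AppArmor, ldapmodify's "error (80)" says nothing about the cause, but the kernel
# audit log names the file. This turns the DENIED lines for the slapd profile into
# read-only rules, one per file plus its directory, which is narrower than the
# /opt/local/cert/* wildcard. SAMPLE_DENIALS is constructed in the kernel's audit
# format; on a real host the input comes from `journalctl -k` or dmesg.
export LC_ALL=C

SAMPLE_DENIALS='audit: type=1400 audit(1519319000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/opt/local/cert/ldap.crt" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1519319000.123:46): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/opt/local/cert/ldap.key" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1519319000.123:47): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/opt/local/cert/ldap.key" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1519319000.124:48): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/x.conf" pid=99 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# slapd_denied_paths : read audit lines on stdin, print each path the slapd profile
# refused, deduplicated; denials for other profiles (cupsd in the sample) are ignored
slapd_denied_paths() {
    grep 'apparmor="DENIED"' | grep 'profile="/usr/sbin/slapd"' |
        sed -n 's/.*name="\([^"]*\)".*/\1/p' | sort -u
}

# suggest_rules : read audit lines on stdin, print one "r" rule per denied file and
# one for its directory, ready to paste into the profile
suggest_rules() {
    slapd_denied_paths | while IFS= read -r path; do
        printf '%s/ r,\n%s r,\n' "$(dirname "$path")" "$path"
    done | sort -u
}

# install_rules [LOCAL_FILE] : append rules from stdin to the site-local include and
# reload the profile. Assumes the Ubuntu layout in which /etc/apparmor.d/usr.sbin.slapd
# ends with "#include <local/usr.sbin.slapd>" (an assumption; check the profile).
# Must run as root.
install_rules() {
    local_file=${1:-/etc/apparmor.d/local/usr.sbin.slapd}
    cat >> "$local_file"
    apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
}

# Stand-alone run on the constructed sample
printf '%s\n' "$SAMPLE_DENIALS" | suggest_rules
```

On a real host run `journalctl -k | suggest_rules > rules.txt`, review the list, then `install_rules < rules.txt` as root. Keep every rule at `r`: slapd only reads its certificate and key, and a write rule on the key would let a compromised slapd process replace the server identity.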














I solved this problem by changing the order in the file.ldif like this:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/your_key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/your_certificate

and then I launched the command ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif
Make sure that there is an ACL that makes root eligible to make changes when authenticating with a SASL bind.

To make sure that the changes have been applied, launch this command: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS

answered Dec 20 '18 at 2:45 by Oussama Mechlaoui
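The answer's final check greps the cn=config output by eye. As an added example that is not the answerer's code or OpenLDAP's, the script below does the same verification in two steps: it parses the ldapsearch output and names any of the three TLS attributes from the question that is absent, then confirms from the client side that StartTLS actually completes against the server's certificate under the internal CA. SAMPLE_SEARCH is a constructed stand-in for ldapsearch output that uses the question's file names; the host name and CA path in the closing comment are also the question's and would be substituted for another deployment.

```shell
#!/bin/sh
# Added example, not code from the answer or from OpenLDAP. Two checks after the
# ldapmodify has succeeded: that cn=config really carries all three TLS attributes
# the question sets (parsed, not eyeballed through grep), and that a client can
# complete StartTLS against the running server. SAMPLE_SEARCH is a constructed
# stand-in for ldapsearch output in which the CA attribute is missing; the file names
# follow the question's host and are not real.
export LC_ALL=C

SAMPLE_SEARCH='dn: cn=config
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem
'

# config_tls_attrs : live query of the running server over the local socket (root via
# SASL EXTERNAL, as in the answer). -s base returns only the cn=config entry itself.
config_tls_attrs() {
    ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config -s base \
        olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
}

# missing_tls_attrs : read ldapsearch output on stdin; print each of the three
# attributes that is absent. Status 1 if any is missing, status 0 and no output
# when all three are set.
missing_tls_attrs() {
    found=$(sed -n 's/^\(olcTLS[A-Za-z]*File\): .*/\1/p')
    status=0
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        if ! printf '%s\n' "$found" | grep -qx "$attr"; then
            printf '%s\n' "$attr"
            status=1
        fi
    done
    return "$status"
}

# verify_starttls HOST CAFILE : status 0 only if StartTLS completes and the server
# certificate chains to CAFILE (the internal CA from the question). -ZZ makes
# ldapwhoami fail when StartTLS fails; a single -Z would carry on without TLS.
verify_starttls() {
    LDAPTLS_CACERT=$2 ldapwhoami -x -ZZ -H "ldap://$1" >/dev/null
}

# Stand-alone run on the constructed sample (reports the missing CA attribute)
if printf '%s' "$SAMPLE_SEARCH" | missing_tls_attrs; then
    echo "all TLS attributes set"
fi
# On the real host (names from the question):
#   config_tls_attrs | missing_tls_attrs && verify_starttls ldaptest.roenix.net /etc/ssl/certs/roenix.ca.cert.pem
```

The `-ZZ` choice is the security-relevant detail: with a single `-Z`, a server whose TLS setup is broken still answers the bind in cleartext and the check passes, which is exactly the state the question was trying to get out of.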



















































