9

Configuring StartTLS for OpenLDAP.

  • Ubuntu server 16.04
  • Slapd 2.4.42+dfsg-2ubuntu3.2

I have my own internal Certificate authority that is providing certificates.

I have set up certificates and key: in /etc/ssl/certs:

-rw-r----- 1 root ssl-cert   3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem

lrwxrwxrwx 1 root root         51 Jul  2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt

in /etc/ssl/private:

-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem

I have correctly set hostname:

@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net

I try to add the configuration to slapd with this LDIF:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem

With the command:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

I get this error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

Any help greatly appreciated!

Ph4edrus
  • 121

7 Answers

5

I solved this problem by changing the order in the file.ldif like this:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/your_key

dn: cn=config 
changetype: modify
replace: olcTLSCertificateFile 
olcTLSCertificateFile: /etc/openldap/certs/your_certificate

and then I ran the command

ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif 

Make sure that there is an ACL that makes root eligible to make changes when authenticating with a SASL bind.

To make sure that changes have been done, run this command

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS
Kulfy
  • 18,154
2

I had the same problem. Certificates were stored in the /opt/local/cert.

You must add this directory to the list of the resolved files in /etc/apparmor.d/local/usr.sbin.slapd:

/opt/local/cert/ r,
/opt/local/cert/* r,
dsh
  • 362
user798428
  • 21
  • 3
1

This error can also be a permission error. For example, if I did this command

vim newcerts.ldif

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/myca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap1.mydom.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap1.mydom.key
-
replace: olcTLSRandFile
olcTLSRandFile: /dev/urandom

then

ldapmodify -Y EXTERNAL -H ldapi:/// -f newcerts.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

but after giving the openldap user read permission on the key file with setfacl (the certs are usually 644, readable by all)

setfacl -m u:openldap:r-x /etc/ssl/private
setfacl -m u:openldap:r-x /etc/ssl/private/ldap1.mydom.key

everything works

ldapmodify -Y EXTERNAL -H ldapi:/// -f newcerts.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
elbarna
  • 224
1

I solved the problem by just using the correct order: first the key, then the cert. And it worked for me.

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.kart.com.key 

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.kart.com.cert
1

Thomas' comment put me on the right track.

Cause of the problem: I failed to realize that /etc/ssl/certs/roenix.ca.cert.crt is actually a symlink to /usr/local/share/ca-certificates/roenix.ca.cert.crt.

Solution: Set correct permissions on the actual cert file in /usr/local/share/ca-certificates.

Also read the other comments and learned a lot! Thanks all.

Ph4edrus
  • 121
0

The problem could also be that SELinux is preventing slapd from reading the .key and .cert files. Please add a policy for the files; don't turn SELinux off.

If you are having problems with SELinux, use the setroubleshoot tool.

Marlar
  • 1
0

To help others like me, this error can also be triggered if you have a key with a passphrase. This seems trivial, but easily forgotten. And of course, the error message doesn't help.

To remove the passphrase, you can use:

openssl rsa -in my.key -out my_no_password.key
neuro
  • 101
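The answers above trace error 80 to the same family of causes: a file slapd cannot read (directly or through a symlink whose target has the wrong mode), and a key with a passphrase. The script below is an added pre-flight check, not code from the thread or from OpenLDAP: it pulls the olcTLS*File paths out of an LDIF, follows symlinks, checks every directory and file on the resolved path for the uid and groups slapd runs as (on Ubuntu that is the openldap user, whose uid and gids are assumed inputs here), and flags a passphrase-protected key. AppArmor and SELinux denials do not show up in file modes, so they stay outside this check.

```python
import os
# cn=config attributes that slapd resolves to files when TLS is configured.
TLS_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile")
# Constructed sample in the shape of the question's LDIF; the path is a placeholder.
SAMPLE_LDIF = ("dn: cn=config\nchangetype: modify\n"
               "add: olcTLSCertificateKeyFile\n"
               "olcTLSCertificateKeyFile: /etc/ssl/private/ldap.example.org.key.pem\n")

def tls_paths_from_ldif(ldif_text):
    """Map each olcTLS*File attribute in the LDIF to the path it sets."""
    paths = {}
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() in TLS_ATTRS:
            paths[attr.strip()] = value.strip()
    return paths

def _allows(st, uid, gids, want):
    """Does uid (member of gids) have the r (4) or x (1) bit on this stat result?"""
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def check_file_for_user(path, uid, gids, is_key=False):
    """Problems that would stop slapd, running as uid/gids, from loading path."""
    real = os.path.realpath(path)  # follow symlinks: the link may be fine and the target not
    if not os.path.exists(real):
        return [f"{path}: resolved target {real} does not exist"]
    problems, d = [], os.path.dirname(real)
    while True:  # every directory from the file up to / needs the search (x) bit
        if not _allows(os.stat(d), uid, gids, 1):
            problems.append(f"{path}: directory {d} is not searchable by uid {uid}")
        if os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    if not _allows(os.stat(real), uid, gids, 4):
        problems.append(f"{path}: {real} is not readable by uid {uid}")
    if is_key:  # slapd has no way to prompt for a key passphrase at startup
        try:
            with open(real, "rb") as fh:
                if b"ENCRYPTED" in fh.read(512):
                    problems.append(f"{path}: private key is passphrase-protected")
        except OSError:
            pass
    return problems

def precheck(ldif_text, uid, gids):
    """Every finding for every TLS file the LDIF sets; an empty list means none."""
    return [p for attr, path in tls_paths_from_ldif(ldif_text).items()
            for p in check_file_for_user(path, uid, gids, attr == "olcTLSCertificateKeyFile")]
```

Run it as root against the LDIF you are about to load, passing the output of `id -u openldap` and `id -G openldap`, and fix anything it reports before calling ldapmodify.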