10

I followed RHEL7: Configure a LDAP directory service for user connection to configure openldap on CentOS Linux release 7.

First I create the /etc/openldap/changes.ldif file and paste the content with replacing the password of course with the previously created password.

Then I get to send the new configuration to the slapd server using the command 

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif

Once I do that I get the following error:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

All the files are readable for the user slapd is running as. What's wrong there? I couldn't find anything useful to feed SEARCHENGINE with.

It's been a while that I've been looking for a solution but at the moment all what I found is two people

Having the same problem and asking the same question but no answers.

Greenonline
  • 1,330
  • 8
  • 23
  • 31
D. Nicolas
  • 129
  • 1
  • 1
  • 6
  • Stack Overflow is a site for programming and development questions. You should probably use another site on the [Stack Exchange network](https://stackexchange.com/sites) for this question. Also see [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. – jww Nov 15 '19 at 12:30

1 Answers1

16

In my specific case, I was having this error and I literally spent days scouring the Web for an answer. It turned out in my case that the order matters. The correct order was:

  1. olcTLSCACertificateFile,
  2. olcTLSCertificateKeyFile,
  3. olcTLSCertificateFile.

Until the order of the attributes in my file was the one above, I was having that dreaded and unhelpful "ldap_modify: Other (e.g., implementation specific) error (80)" message.

I tried to detect permission errors using sudo -u ldap nano <path to each file>. All was fine for each file.

nano revealed that the files were in DOS format: I converted them to have Linux line endings, to no avail.

In all I read, there was a question as to whether the certificate file was in the proper PEM format. I could not check that, maybe that it's also a cause for this error.

The only thing that worked was commenting out some lines in the file until I saw changes after running ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q -s base.

Note also that I "compressed" the changes in my file to a single change. What I mean with "compressed" is that instead of having three changes, I had only one: instead of this (I'm using Ansible, so this is actually a Jinja2 template)

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: {{ cert_parentdir_ca_chain }}/{{ cert_filename_ca_chain }}

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: {{ cert_parentdir_wildcard_cert }}/{{ cert_filename_wildcard_cert }}

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: {{ ldap_cert_parentdir_key }}/{{ cert_filename_key }}

I had this

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: {{ cert_parentdir_ca_chain }}/{{ cert_filename_ca_chain }}
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: {{ ldap_cert_parentdir_key }}/{{ cert_filename_key }}
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: {{ cert_parentdir_wildcard_cert }}/{{ cert_filename_wildcard_cert }}

HTH.

AbVog
  • 1,435
  • 22
  • 35
  • I solved the problem just use in the correct order first key then cert. And it worked for me. dn: cn=config changetype: modify replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.kart.com.key dn: cn=config changetype: modify replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/myldap.kart.com.cert – Kartik Agarwal Mar 17 '20 at 14:47
  • 1
    I am unable to get it to work. Itried re-ordering the keys, as advied (CACert, Key, Cert), but no dice....still have the same error. – Mark J. Bobak Sep 02 '20 at 18:53
  • 1
    @MarkJ.Bobak: I suggest you read my post again and maybe, follow the links in the question. A likely cause to me, if you are certain you reordered things and it still doesn't work, is a filesystem permission issue. Also, try using a more verbose logging setting. – AbVog Sep 04 '20 at 06:27
  • 1
    For me it was permission issues on the certs causing the error `chown openldap:certbot /etc/letsencrypt/ -R` The order seems to not matter in my setup – mRyan Jul 02 '21 at 13:52
  • 1
    Similar to @mRyan, I had permissions issues with the certificate key. Specifically, openldap needs to be able to read it. In my case I changed it's group to openldap and set it's permission to 640 per https://ubuntu.com/server/docs/service-ldap-with-tls – R Schultz Dec 11 '21 at 19:17
  • Using the correct order did not work for me to modify all 3 entries at once. What I had to do was do a delete operation on olcTLSCertificateKeyFile, then do a separate add operation to add it with the new value. – em_bo Jul 18 '22 at 16:24