Thank you. That did the trick. Many thanks, Howard!

Stefan

On Friday, 5 March 2021, Howard Chu <hyc@symas.com> wrote:
Stefan Bauer wrote:
> Hi,
>
> The internet is full of "tips" to solve the above problem. I've been pulling my hair out for days and cannot find the real issue. Any help is greatly appreciated.

Do the change as a single operation:

dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem


>
> --------- enable_ssl.ldiff ---------------
> dn: cn=config
> changetype: modify
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ldap/key.key
>
> dn: cn=config
> changetype: modify
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ldap/cert.pem
> --------- enable_ssl.ldiff ---------------
>
> # ls -alh /etc/ldap/cert.pem /etc/ldap/key.key
> -rwxrwxrwx 1 root root 1,1K Mär  1 21:43 /etc/ldap/cert.pem
> -rwxrwxrwx 1 root root 1,7K Mär  1 21:21 /etc/ldap/key.key
>
> # openssl rsa -noout -modulus -in /etc/ldap/key.key | openssl md5
> (stdin)= 45b4165df200817a20857fb453acd33e
> # openssl x509 -noout -modulus -in /etc/ldap/cert.pem | openssl md5
> (stdin)= 45b4165df200817a20857fb453acd33e
>
> # head -n2 /etc/ldap/cert.pem
> -----BEGIN CERTIFICATE-----
> MIIFmDCCBICgAwIBAgIQBFMR6HMGTGjQIjSj4sQX+TANBgkqhkiG9w0BAQsFADBu
> # head -n2 /etc/ldap/key.key
> -----BEGIN RSA PRIVATE KEY-----
> MIIEowIBAAKCAQEAvrDddMwXoy10diqDpqd45jaC8HiGKz7KC5X3W0ZLvCshylu0
>
>
> ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif  -v
>
> # ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif  -v
> ldap_initialize( ldapi:///??base )
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> add olcTLSCertificateKeyFile:
> /etc/ldap/key.key
> modifying entry "cn=config"
> ldap_modify: Other (e.g., implementation specific) error (80)
>
> I can however modify other values like /olcLogLevel/ without problems.
>
> Debian 10 latest:
> 2.4.47+dfsg-3+deb10u6
> # slapd -VVV
> @(#) $OpenLDAP: slapd  (Feb 14 2021 18:32:34) $
> Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
>
> Included static backends:
>     config
>     ldif
>
> Stefan.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
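The fix in the reply above is to send the key file and certificate file in one LDAP modify operation, because slapd applies each LDIF record as a separate modify and a key file with no matching certificate file is rejected (the error 80 in the log). The following is an added example, not code from the thread or from OpenLDAP: a small Python rewriter that parses the two-record LDIF from the question (embedded as constructed input), merges all records for the same dn into a single record, and serialises it with the `-` separator exactly as in the reply. It assumes plain one-line attribute values (no LDIF line folding, no base64 `::` values).

```python
# Constructed input: the two-record LDIF from the thread. slapd applies and validates
# each record as its own modify, so a key file with no certificate file fails with 80.
SPLIT_LDIF = """\
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
"""

def parse_modify_records(text):
    """Return [(dn, [(op, attr, [values])])] from 'changetype: modify' records."""
    records = []
    for chunk in text.strip().split("\n\n"):      # a blank line separates records
        dn, mods, cur = None, [], None
        for line in chunk.splitlines():
            if line == "-":                        # '-' closes one modification
                cur = None
                continue
            attr, _, value = (s.strip() for s in line.partition(":"))
            if attr == "dn":
                dn = value
            elif attr in ("add", "replace", "delete"):
                cur = (attr, value, [])
                mods.append(cur)
            elif cur is not None and attr == cur[1]:
                cur[2].append(value)
        records.append((dn, mods))
    return records

def merge_by_dn(records):
    """Fold all records for one dn into a single record, i.e. one modify operation."""
    merged = {}
    for dn, mods in records:
        merged.setdefault(dn, []).extend(mods)
    return list(merged.items())

def to_ldif(records):
    """Serialise records; modifications inside a record are separated by '-'."""
    out = []
    for dn, mods in records:
        lines = [f"dn: {dn}", "changetype: modify"]
        for i, (op, attr, values) in enumerate(mods):
            lines += (["-"] if i else []) + [f"{op}: {attr}"]
            lines += [f"{attr}: {v}" for v in values]
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"
```

`to_ldif(merge_by_dn(parse_modify_records(SPLIT_LDIF)))` yields the single-operation LDIF from the reply, which can then be fed to `ldapmodify -Y EXTERNAL -H ldapi:///` as before.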