Thank you. That did the trick. Many thanks, Howard!
Stefan Bauer wrote:
> Hi,
>
> the internet is full of "tips" to solve the above problem. I'm pulling my hair out and have not been able to find the real issue for days. Any help is greatly appreciated.
Do the change as a single operation:
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
>
> --------- enable_ssl.ldiff ---------------
> dn: cn=config
> changetype: modify
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ldap/key.key
>
> dn: cn=config
> changetype: modify
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ldap/cert.pem
> --------- enable_ssl.ldiff ---------------
>
> # ls -alh /etc/ldap/cert.pem /etc/ldap/key.key
> -rwxrwxrwx 1 root root 1,1K Mär 1 21:43 /etc/ldap/cert.pem
> -rwxrwxrwx 1 root root 1,7K Mär 1 21:21 /etc/ldap/key.key
>
> # openssl rsa -noout -modulus -in /etc/ldap/key.key | openssl md5
> (stdin)= 45b4165df200817a20857fb453acd33e
> # openssl x509 -noout -modulus -in /etc/ldap/cert.pem | openssl md5
> (stdin)= 45b4165df200817a20857fb453acd33e
>
> # head -n2 /etc/ldap/cert.pem
> -----BEGIN CERTIFICATE-----
> MIIFmDCCBICgAwIBAgIQBFMR6HMGTGjQIjSj4sQX+TANBgkqhkiG9w0BAQsFADBu
> # head -n2 /etc/ldap/key.key
> -----BEGIN RSA PRIVATE KEY-----
> MIIEowIBAAKCAQEAvrDddMwXoy10diqDpqd45jaC8HiGKz7KC5X3W0ZLvCshylu0
>
>
> ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif -v
>
> # ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif -v
> ldap_initialize( ldapi:///??base )
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> add olcTLSCertificateKeyFile:
> /etc/ldap/key.key
> modifying entry "cn=config"
> ldap_modify: Other (e.g., implementation specific) error (80)
>
> I can however modify other values like /olcLogLevel/ without problems.
>
> Debian 10 latest:
> 2.4.47+dfsg-3+deb10u6
> # slapd -VVV
> @(#) $OpenLDAP: slapd (Feb 14 2021 18:32:34) $
> Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
>
> Included static backends:
> config
> ldif
>
> Stefan.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
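The point behind Howard's advice is that slapd re-validates the TLS configuration after every modify of cn=config, so a change record that sets the key file without the certificate file (or the other way round) is rejected with error 80, while the same two attributes in one modify operation succeed. The script below is an added example, not part of this thread or of OpenLDAP: it parses LDIF change records with a small stdlib-only parser, flags the split pattern from the original enable_ssl.ldif, emits the single-operation form, and includes a check on the private key's file mode (the `ls` output above shows the key world-readable, which defeats the purpose of TLS). The sample LDIF constants, `check_ldif`, `single_op_ldif` and `key_mode_world_readable` are names chosen here, not OpenLDAP tooling.

```python
"""Lint an OpenLDAP cn=config LDIF for the split TLS-attribute modify.

Added example, not from the mailing list thread or the OpenLDAP project.
slapd validates its TLS settings after each modify operation, so
olcTLSCertificateFile and olcTLSCertificateKeyFile must be set in the
same operation (separated by a '-' line), not in two change records.
"""
import base64

TLS_ATTRS = ("olcTLSCertificateFile", "olcTLSCertificateKeyFile")

# Constructed sample: the two-record form that fails with error 80.
SPLIT_LDIF = """dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
"""


def parse_ldif_records(text):
    """Split LDIF text into records, each a list of (attr, value) pairs.

    Folded continuation lines (leading space) are joined, comments are
    skipped, base64 values ('attr:: ...') are decoded, and the '-' line
    that separates operations inside one modify is kept as ('-', '')."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records, current = [], []
    for line in unfolded:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.strip() == "-":
            current.append(("-", ""))
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.append((attr.strip(), value))
    if current:
        records.append(current)
    return records


def tls_attrs_per_record(records):
    """For each modify of cn=config, the set of TLS attributes it sets."""
    result = []
    for rec in records:
        dn = next((v for a, v in rec if a.lower() == "dn"), None)
        if dn is None or dn.lower() != "cn=config":
            continue
        attrs = {a for a, _ in rec if a in TLS_ATTRS}
        if attrs:
            result.append(attrs)
    return result


def check_ldif(text):
    """Return warning strings; an empty list means the LDIF is safe to apply."""
    warnings = []
    for attrs in tls_attrs_per_record(parse_ldif_records(text)):
        missing = set(TLS_ATTRS) - attrs
        if missing:
            warnings.append(
                "modify of cn=config sets %s without %s in the same operation"
                % (", ".join(sorted(attrs)), ", ".join(sorted(missing))))
    return warnings


def single_op_ldif(cert_path, key_path, op="add"):
    """Build the working single-operation LDIF (use op='replace' if the
    attributes already exist in cn=config, since 'add' would then fail)."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            f"{op}: olcTLSCertificateKeyFile\n"
            f"olcTLSCertificateKeyFile: {key_path}\n"
            "-\n"
            f"{op}: olcTLSCertificateFile\n"
            f"olcTLSCertificateFile: {cert_path}\n")


def key_mode_world_readable(mode):
    """True if group or others have any permission bit on the key file.
    A private key should be readable only by the user slapd runs as."""
    return (mode & 0o077) != 0


if __name__ == "__main__":
    for w in check_ldif(SPLIT_LDIF):
        print("WARNING:", w)
    print(single_op_ldif("/etc/ldap/cert.pem", "/etc/ldap/key.key"))
```

Run the generated LDIF with the same `ldapmodify -Y EXTERNAL -H ldapi:/// -f ...` command as in the thread. The mode check takes the permission bits from `os.stat(path).st_mode & 0o777`; the `-rwxrwxrwx` shown above is 0o777 and would be flagged.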