On 25/02/2015 15:13, Philip Colmer wrote:
I'm getting a generic error 80 when I try to use ldapmodify to
configure my LDAP server to use a SSL certificate. Here is the LDIF
I'm using:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt
Seems to me that you have switched cert and key ;-)

and the command:

ldapmodify -v -x -H ldapi:/// -f certinfo.ldif -D cn=admin,cn=config -W

Running logging at the highest level doesn't seem to give me much to go on ...

Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify: dn (cn=config)
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: >>> dnPrettyNormal: <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 modifications:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCACertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 34
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 40
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 38
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD dn="cn=config"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <= acl_access_allowed: granted to database root
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "objectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "cn"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigDir"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcArgsFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAttributeOptions"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAuthzPolicy"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConcurrency"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPending"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPendingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcGentleHUP"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIdleTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMaxLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMinLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyStep"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexIntLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcListenerThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLocalSSF"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLogLevel"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcPidFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReadOnly"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReverseLookup"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSaslSecProps"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncoming"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncomingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSVerifyClient"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSProtocolMin"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcToolThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcWriteTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "structuralObjectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryUUID"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "creatorsName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "createTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCACertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateKeyFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryCSN"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifiersName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifyTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: conn=1001 op=1 p=3
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: err=80 matched="" text=""
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_response: msgid=2 tag=103 err=80
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 RESULT tag=103 err=80 text=
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on 1 descriptor
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]:  14r

I've checked that the user that slapd is running under can read the three files.

Any suggestions or clarification on what I've overlooked?

Thanks.

Regards

Philip



-- 
Yann Cézard - server systems administrator
Direction du Numérique - Infrastructures -   http://dn.univ-pau.fr
Université de Pau et des pays de l'Adour -  http://www.univ-pau.fr
d'Alembert building (formerly IFR), rue Jules Ferry, 64000 Pau
Phone: +33 (0)5 59 40 77 94
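A pre-flight check that would have caught the swap pointed out in the reply above, as an added example (not code from the thread or from OpenLDAP): it pulls the olcTLS* attributes out of the modify LDIF and confirms that each named file is readable and carries the PEM block type that attribute expects, which is more than the bare err=80 tells you. The file names and PEM contents below are constructed stand-ins, and the LDIF is assumed to use plain (non-base64) values.

```python
"""Pre-flight check for an olcTLS* LDIF (added example; assumes a plain, non-base64 modify LDIF)."""
import re
import tempfile
from pathlib import Path

# PEM block label(s) each cn=config TLS attribute is expected to point at.
EXPECTED_PEM = {
    "olcTLSCACertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.MULTILINE)

def parse_tls_attrs(ldif_text):
    """Map each olcTLS* attribute in the LDIF to the file path it names."""
    attrs = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in EXPECTED_PEM:
            attrs[name.strip()] = value.strip()
    return attrs

def check_tls_ldif(ldif_text):
    """Return problems found (empty list = looks sane). Readability is tested
    for the current user, so run this as the account slapd runs under."""
    problems = []
    for attr, path in parse_tls_attrs(ldif_text).items():
        try:
            found = set(PEM_BEGIN.findall(Path(path).read_text(errors="replace")))
        except OSError as e:
            problems.append(f"{attr}: {path} is not readable ({e.strerror})")
            continue
        if not found & EXPECTED_PEM[attr]:  # wrong kind of file behind this attribute
            problems.append(f"{attr}: {path} holds {sorted(found) or 'no PEM block'}, "
                            f"expected one of {sorted(EXPECTED_PEM[attr])}")
    return problems

def modify_ldif(cert_path, key_path):
    """Build the same kind of cn=config modify LDIF as the one in the thread."""
    return ("dn: cn=config\nchangetype: modify\n"
            f"add: olcTLSCertificateFile\nolcTLSCertificateFile: {cert_path}\n-\n"
            f"add: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: {key_path}\n")

def demo():
    # Constructed stand-in files: PEM headers only, no real certificate or key material.
    d = tempfile.mkdtemp()
    cert, key = Path(d, "wildcard.crt"), Path(d, "wildcard.key")
    for path, label in ((cert, "CERTIFICATE"), (key, "PRIVATE KEY")):
        path.write_text(f"-----BEGIN {label}-----\nMIIB...\n-----END {label}-----\n")
    # First LDIF repeats the mistake from the thread (cert and key swapped), second is correct.
    return check_tls_ldif(modify_ldif(key, cert)), check_tls_ldif(modify_ldif(cert, key))
```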