Hello Philip,
Is it a self-signed certificate?
If yes, you must remove the line olcTLSCACertificateFile.
For more information please consult my how-to: http://www.cyrill-gremaud.ch/linux/howto-install-openldap-2-4-server/
Best regards
Cyrill Gremaud
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Philip Colmer
Sent: Wednesday 25 February 2015 15:13
To: openldap-technical@openldap.org
Subject: Can't get certificates installed on new server
I'm getting a generic error 80 when I try to use ldapmodify to configure my LDAP server to use an SSL certificate. Here is the LDIF I'm using:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt
and the command:
ldapmodify -v -x -H ldapi:/// -f certinfo.ldif -D cn=admin,cn=config -W
Running logging at the highest level doesn't seem to give me much to go on ...
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify: dn (cn=config)
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: >>> dnPrettyNormal: <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 modifications:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCACertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 34
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 40
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 38
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD dn="cn=config"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <= acl_access_allowed: granted to database root
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "objectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "cn"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigDir"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcArgsFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAttributeOptions"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAuthzPolicy"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConcurrency"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPending"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPendingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcGentleHUP"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIdleTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMaxLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMinLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyStep"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexIntLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcListenerThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLocalSSF"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLogLevel"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcPidFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReadOnly"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReverseLookup"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSaslSecProps"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncoming"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncomingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSVerifyClient"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSProtocolMin"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcToolThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcWriteTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "structuralObjectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryUUID"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "creatorsName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "createTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCACertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateKeyFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryCSN"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifiersName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifyTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: conn=1001 op=1 p=3
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: err=80 matched="" text=""
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_response: msgid=2 tag=103 err=80
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 RESULT tag=103 err=80 text=
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on 1 descriptor
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: 14r
I've checked that the user that slapd is running under can read the three files.
Any suggestions or clarification on what I've overlooked?
Thanks.
Regards
Philip
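A pre-flight check for this kind of cn=config TLS change, added here as an example; it is not from the thread or from OpenLDAP. In the LDIF quoted above, olcTLSCertificateFile points at the .key file and olcTLSCertificateKeyFile at the .crt file, whereas slapd-config(5) defines olcTLSCertificateFile as the server certificate and olcTLSCertificateKeyFile as its private key. slapd re-initialises its TLS context when these attributes are modified in cn=config and returns a bare err=80 (LDAP "other") when that fails, which is consistent with the log, so it is worth validating the paths before running ldapmodify. The script parses the LDIF, checks that each referenced file exists and is readable, and verifies that each file holds the PEM block type its attribute expects (certificates for the CA bundle and server certificate, a private key for the key file). The files it creates under a temporary directory and the paths it uses are constructed placeholders with dummy PEM bodies, not real certificates or keys; only the attribute semantics come from slapd.

```python
"""Pre-flight check of the TLS attributes in a cn=config LDIF before
ldapmodify is run. Added example, not part of the original thread.

For olcTLSCACertificateFile, olcTLSCertificateFile and
olcTLSCertificateKeyFile it verifies that each path exists, is readable,
and contains the PEM block type slapd expects for that attribute.
"""
import os
import re
import tempfile

# PEM block type slapd expects behind each TLS attribute (slapd-config(5)).
EXPECTED_PEM = {
    "olcTLSCACertificateFile": "CERTIFICATE",
    "olcTLSCertificateFile": "CERTIFICATE",
    "olcTLSCertificateKeyFile": "PRIVATE KEY",
}

_PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+?)-----$", re.MULTILINE)


def tls_paths_from_ldif(ldif_text):
    """Return {attribute: path} for the TLS attributes present in the LDIF.
    Only 'attr: value' lines are read; 'add: attr' and '-' lines are skipped."""
    paths = {}
    for line in ldif_text.splitlines():
        m = re.match(r"^(olcTLS\w+):\s*(\S+)$", line)
        if m and m.group(1) in EXPECTED_PEM:
            paths[m.group(1)] = m.group(2)
    return paths


def pem_types(path):
    """Set of PEM block types found in a file, e.g. {'CERTIFICATE'}.
    'RSA PRIVATE KEY' and 'EC PRIVATE KEY' are normalised to 'PRIVATE KEY'."""
    with open(path, encoding="ascii", errors="replace") as fh:
        found = set(_PEM_HEADER.findall(fh.read()))
    return {"PRIVATE KEY" if t.endswith("PRIVATE KEY") else t for t in found}


def check_tls_ldif(ldif_text):
    """Return a list of problems; an empty list means every TLS attribute
    in the LDIF points at a readable file of the expected PEM type."""
    problems = []
    for attr, path in tls_paths_from_ldif(ldif_text).items():
        if not os.path.isfile(path):
            problems.append(f"{attr}: {path} does not exist")
            continue
        if not os.access(path, os.R_OK):
            problems.append(f"{attr}: {path} is not readable by this user")
            continue
        types = pem_types(path)
        want = EXPECTED_PEM[attr]
        if want not in types:
            problems.append(
                f"{attr}: {path} contains {sorted(types) or 'no PEM block'}, "
                f"expected {want}"
            )
    return problems


def demo():
    """Create constructed stand-ins for the three files in a temp dir, then
    check an LDIF with the certificate and key paths swapped (as in the
    posted LDIF) and a corrected one. PEM bodies are dummy placeholders."""
    d = tempfile.mkdtemp()
    ca = os.path.join(d, "ca-bundle.pem")          # constructed path
    crt = os.path.join(d, "wildcard.example.crt")  # constructed path
    key = os.path.join(d, "wildcard.example.key")  # constructed path
    fake_cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    fake_key = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
    with open(ca, "w") as fh:
        fh.write(fake_cert * 2)  # a CA bundle usually holds several certificates
    with open(crt, "w") as fh:
        fh.write(fake_cert)
    with open(key, "w") as fh:
        fh.write(fake_key)

    def ldif(cert_path, key_path):
        return (
            "dn: cn=config\nchangetype: modify\n"
            f"add: olcTLSCACertificateFile\nolcTLSCACertificateFile: {ca}\n-\n"
            f"add: olcTLSCertificateFile\nolcTLSCertificateFile: {cert_path}\n-\n"
            f"add: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: {key_path}\n"
        )

    swapped = check_tls_ldif(ldif(key, crt))  # certificate/key paths swapped
    fixed = check_tls_ldif(ldif(crt, key))    # certificate and key where slapd expects them
    return swapped, fixed


if __name__ == "__main__":
    swapped, fixed = demo()
    print("swapped LDIF:", *swapped, sep="\n  ")
    print("corrected LDIF problems:", fixed)
```

Run the check as the account slapd runs under (for example via sudo -u) so that the readability test reflects the service's own permissions rather than those of the administrator; a key file that only root can read passes for root and fails for slapd.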