Hi,
the internet is full of "tips" to solve the above problem. I'm pulling my hair out and haven't been able to find the real issue for days. Any help is greatly appreciated.
--------- enable_ssl.ldiff ---------------
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
--------- enable_ssl.ldiff ---------------

# ls -alh /etc/ldap/cert.pem /etc/ldap/key.key
-rwxrwxrwx 1 root root 1,1K Mar  1 21:43 /etc/ldap/cert.pem
-rwxrwxrwx 1 root root 1,7K Mar  1 21:21 /etc/ldap/key.key

# openssl rsa -noout -modulus -in /etc/ldap/key.key | openssl md5
(stdin)= 45b4165df200817a20857fb453acd33e
# openssl x509 -noout -modulus -in /etc/ldap/cert.pem | openssl md5
(stdin)= 45b4165df200817a20857fb453acd33e

# head -n2 /etc/ldap/cert.pem
-----BEGIN CERTIFICATE-----
MIIFmDCCBICgAwIBAgIQBFMR6HMGTGjQIjSj4sQX+TANBgkqhkiG9w0BAQsFADBu
# head -n2 /etc/ldap/key.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvrDddMwXoy10diqDpqd45jaC8HiGKz7KC5X3W0ZLvCshylu0

# ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif -v
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCertificateKeyFile:
        /etc/ldap/key.key
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
I can however modify other values like *olcLogLevel* without problems.
Debian 10 latest: 2.4.47+dfsg-3+deb10u6

# slapd -VVV
@(#) $OpenLDAP: slapd  (Feb 14 2021 18:32:34) $
        Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>

Included static backends:
    config
    ldif
Stefan.
Stefan Bauer wrote:
Hi,
the internet is full of "tips" to solve the above problem. I'm pulling my hair out and haven't been able to find the real issue for days. Any help is greatly appreciated.
Do the change as a single operation:
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
Thank you. That did the trick. Many thanks, Howard!
Stefan
On Friday, 5 March 2021, Howard Chu hyc@symas.com wrote:
Do the change as a single operation:
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
openldap-technical@openldap.org
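The script below is an added example, not code from the thread or from the OpenLDAP project. It wraps Howard Chu's fix into a repeatable procedure: the key and certificate go into cn=config in one ldapmodify operation (the "-" line separates two changes inside a single modify), so slapd never has to validate a TLS configuration that has a key but no certificate, which is the state that produced error (80) when the two attributes were added as separate operations. It also adds the check a reviewer would want after seeing the `ls -alh` output above: /etc/ldap/key.key was mode 0777, i.e. the private key was readable and writable by every local user. Assumptions: Debian's slapd runs as user openldap (so 0640 root:openldap is the target mode), root can reach it on ldapi:///, and the paths are the ones from the thread. The function names and the `apply` argument are this example's own.

```shell
#!/bin/bash
# Added example (not from the thread or the OpenLDAP project): enable TLS
# in cn=config as ONE ldapmodify operation, after checking key permissions.
# Assumptions: Debian slapd runs as user "openldap", root can use ldapi:///,
# and the key/cert paths are the ones from the thread. Names are our own.

KEY=${KEY:-/etc/ldap/key.key}
CERT=${CERT:-/etc/ldap/cert.pem}

# Emit the single-operation LDIF. The "-" line separates two changes within
# one modify operation, so slapd re-validates its TLS settings with key AND
# cert present, instead of a key alone (-> "Other ... error (80)").
make_tls_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $1
-
add: olcTLSCertificateFile
olcTLSCertificateFile: $2
EOF
}

# Refuse a private key that "other" can read or write, or that its group
# can write. The thread's key was 0777; 0640 root:openldap is what Debian's
# slapd needs, since it reads the key as user openldap. (stat -c is GNU.)
check_key_perms() {
  raw=$(stat -c '%a' "$1") || return 2
  mode=$(printf '%03d' "$raw")
  go=${mode#"${mode%??}"}      # last two octal digits: group, other
  g=${go%?}; o=${go#?}
  [ "$o" = "0" ] && { [ "$g" = "0" ] || [ "$g" = "4" ]; }
}

# Count modify operations in an LDIF text; a correct single-op file has 1.
count_ops() {
  printf '%s\n' "$1" | grep -c '^changetype:'
}

# Apply the change over the local ldapi socket with SASL EXTERNAL (as root),
# but only once the key file is no longer world-readable.
apply_tls_config() {
  if ! check_key_perms "$KEY"; then
    echo "fix permissions first: chgrp openldap $KEY && chmod 0640 $KEY" >&2
    return 1
  fi
  make_tls_ldif "$KEY" "$CERT" | ldapmodify -Y EXTERNAL -H ldapi:/// -v
}

# Confirm the attributes landed and that StartTLS really works:
# -ZZ makes ldapsearch fail unless the TLS handshake succeeds.
verify_tls_config() {
  ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config -s base \
    olcTLSCertificateFile olcTLSCertificateKeyFile
  ldapsearch -ZZ -H ldap://localhost -x -b '' -s base namingContexts
}

# Only act when explicitly asked; sourcing the file just defines functions.
if [ "${1:-}" = "apply" ]; then
  apply_tls_config && verify_tls_config
fi
```

Run it as root with `bash enable_tls.sh apply`; without the argument it only defines the functions, so you can source it and call `make_tls_ldif` to inspect the LDIF before applying anything. The two ldapsearch calls in `verify_tls_config` are the post-change check: the first shows the attributes now stored in cn=config, the second proves a real client can complete StartTLS against the server.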