Hello dear community,
I'm trying to enable LDAPS. I don't understand what is causing the error. Does anybody have an idea, please?
OpenLDAP is 2.5.13, on Debian 12.
Here is our certificate chain definition:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/LEXP_Infra_CA1.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/annuaire.lexp.fr.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/annuaire.lexp.fr.pem
-
Request is:
root@bea-chicago:/etc# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/01-SSL.ldif
Result:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Here are slapd logs:
cago slapd[63531]: daemon: activity on 1 descriptor
2023-12-13T08:30:42.094605+01:00 bea-chicago slapd[63531]: daemon: activity on:
2023-12-13T08:30:42.094773+01:00 bea-chicago slapd[63531]:
2023-12-13T08:30:42.094922+01:00 bea-chicago slapd[63531]: slap_listener_activate(10):
2023-12-13T08:30:42.095070+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero
2023-12-13T08:30:42.095216+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero
2023-12-13T08:30:42.095352+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 busy
2023-12-13T08:30:42.095489+01:00 bea-chicago slapd[63531]: >>> slap_listener(ldapi:///)
2023-12-13T08:30:42.095658+01:00 bea-chicago slapd[63531]: daemon: accept() = 12
2023-12-13T08:30:42.095790+01:00 bea-chicago slapd[63531]: daemon: listen=10, new connection on 12
2023-12-13T08:30:42.095927+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor
2023-12-13T08:30:42.096046+01:00 bea-chicago slapd[63531]: daemon: activity on:
2023-12-13T08:30:42.096165+01:00 bea-chicago slapd[63531]:
2023-12-13T08:30:42.096284+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero
2023-12-13T08:30:42.096424+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero
2023-12-13T08:30:42.096545+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero
2023-12-13T08:30:42.096701+01:00 bea-chicago slapd[63531]: daemon: added 12r (active) listener=(nil)
2023-12-13T08:30:42.096832+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor
2023-12-13T08:30:42.096981+01:00 bea-chicago slapd[63531]: daemon: activity on:
2023-12-13T08:30:42.097099+01:00 bea-chicago slapd[63531]: 12r
2023-12-13T08:30:42.097227+01:00 bea-chicago slapd[63531]:
2023-12-13T08:30:42.097335+01:00 bea-chicago slapd[63531]: daemon: read active on 12
2023-12-13T08:30:42.097503+01:00 bea-chicago slapd[63531]: conn=1001 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
2023-12-13T08:30:42.097727+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero
2023-12-13T08:30:42.097845+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero
2023-12-13T08:30:42.098084+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero
2023-12-13T08:30:42.098282+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor
2023-12-13T08:30:42.098501+01:00 bea-chicago slapd[63531]: daemon: activity on:
2023-12-13T08:30:42.098688+01:00 bea-chicago slapd[63531]:
2023-12-13T08:30:42.098848+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero
2023-12-13T08:30:42.099006+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero
2023-12-13T08:30:42.099205+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero
2023-12-13T08:30:42.099396+01:00 bea-chicago slapd[63531]: connection_get(12)
2023-12-13T08:30:42.099620+01:00 bea-chicago slapd[63531]: connection_get(12): got connid=1001
2023-12-13T08:30:42.099824+01:00 bea-chicago slapd[63531]: connection_read(12): checking for input on id=1001
2023-12-13T08:30:42.100038+01:00 bea-chicago slapd[63531]: op tag 0x60, time 1702452642
2023-12-13T08:30:42.100268+01:00 bea-chicago slapd[63531]: conn=1001 op=0 do_bind
2023-12-13T08:30:42.100499+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor
2023-12-13T08:30:42.100687+01:00 bea-chicago slapd[63531]: daemon: activity on:
2023-12-13T08:30:42.100882+01:00 bea-chicago slapd[63531]:
2023-12-13T08:30:42.101076+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero
2023-12-13T08:30:42.101292+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero
2023-12-13T08:30:42.101503+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero
2023-12-13T08:30:42.101781+01:00 bea-chicago slapd[63531]: >>> dnPrettyNormal: <>
2023-12-13T08:30:42.102002+01:00 bea-chicago slapd[63531]: <<< dnPrettyNormal: <>, <>
2023-12-13T08:30:42.102205+01:00 bea-chicago slapd[63531]: conn=1001 op=0 BIND dn="" method=163
2023-12-13T08:30:42.102431+01:00 bea-chicago slapd[63531]: do_bind: dn () SASL mech EXTERNAL
2023-12-13T08:30:42.102525+01:00 bea-chicago slapd[63531]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
2023-12-13T08:30:42.102620+01:00 bea-chicago slapd[63531]: SASL Canonicalize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
2023-12-13T08:30:42.102709+01:00 bea-chicago slapd[63531]: slap_sasl_getdn: conn 1001 id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55]
2023-12-13T08:30:42.102817+01:00 bea-chicago slapd[63531]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
2023-12-13T08:30:42.102908+01:00 bea-chicago slapd[63531]: <==slap_sasl2dn: Converted SASL name to <nothing>
2023-12-13T08:30:42.103004+01:00 bea-chicago slapd[63531]: SASL Canonicalize [conn=1001]: slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
2023-12-13T08:30:42.103121+01:00 bea-chicago slapd[63531]: SASL proxy authorize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
2023-12-13T08:30:42.103220+01:00 bea-chicago slapd[63531]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
2023-12-13T08:30:42.103322+01:00 bea-chicago slapd[63531]: SASL Authorize [conn=1001]: proxy authorization allowed authzDN=""
2023-12-13T08:30:42.103421+01:00 bea-chicago slapd[63531]: send_ldap_sasl: err=0 len=-1
2023-12-13T08:30:42.103527+01:00 bea-chicago slapd[63531]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
2023-12-13T08:30:42.103619+01:00 bea-chicago slapd[63531]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" bind_ssf=0
2023-12-13T08:30:42.103713+01:00 bea-chicago slapd[63531]: send_ldap_response: msgid=1 tag=97 err=0
2023-12-13T08:30:42.103804+01:00 bea-chicago slapd[63531]: conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000061 etime=0.000517 text=
2023-12-13T08:30:42.103913+01:00 bea-chicago slapd[63531]: <== slap_sasl_bind: rc=0
2023-12-13T08:30:42.104010+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor
2023-12-13T08:30:42.104102+01:00 bea-chicago slapd[63531]: daemon: activity on:
2023-12-13T08:30:42.104185+01:00 bea-chicago slapd[63531]: 12r
2023-12-13T08:30:42.104268+01:00 bea-chicago slapd[63531]:
2023-12-13T08:30:42.104352+01:00 bea-chicago slapd[63531]: daemon: read active on 12
2023-12-13T08:30:42.104435+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero
2023-12-13T08:30:42.104518+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero
2023-12-13T08:30:42.104600+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero
2023-12-13T08:30:42.104683+01:00 bea-chicago slapd[63531]: connection_get(12)
2023-12-13T08:30:42.104766+01:00 bea-chicago slapd[63531]: connection_get(12): got connid=1001
2023-12-13T08:30:42.104851+01:00 bea-chicago slapd[63531]: connection_read(12): checking for input on id=1001
2023-12-13T08:30:42.104941+01:00 bea-chicago slapd[63531]: op tag 0x66, time 1702452642
2023-12-13T08:30:42.105037+01:00 bea-chicago slapd[63531]: conn=1001 op=1 do_modify
2023-12-13T08:30:42.105129+01:00 bea-chicago slapd[63531]: conn=1001 op=1 do_modify: dn (cn=config)
2023-12-13T08:30:42.105223+01:00 bea-chicago slapd[63531]: >>> dnPrettyNormal: <cn=config>
2023-12-13T08:30:42.105316+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor
2023-12-13T08:30:42.105401+01:00 bea-chicago slapd[63531]: daemon: activity on:
2023-12-13T08:30:42.105486+01:00 bea-chicago slapd[63531]:
2023-12-13T08:30:42.105587+01:00 bea-chicago slapd[63531]: <<< dnPrettyNormal: <cn=config>, <cn=config>
2023-12-13T08:30:42.105675+01:00 bea-chicago slapd[63531]: conn=1001 op=1 modifications:
2023-12-13T08:30:42.105770+01:00 bea-chicago slapd[63531]: #011add: olcTLSCACertificateFile
2023-12-13T08:30:42.105862+01:00 bea-chicago slapd[63531]: #011#011one value, length 33
2023-12-13T08:30:42.105951+01:00 bea-chicago slapd[63531]: #011add: olcTLSCertificateKeyFile
2023-12-13T08:30:42.106034+01:00 bea-chicago slapd[63531]: #011#011one value, length 37
2023-12-13T08:30:42.106124+01:00 bea-chicago slapd[63531]: #011add: olcTLSCertificateFile
2023-12-13T08:30:42.106219+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero
2023-12-13T08:30:42.106303+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero
2023-12-13T08:30:42.106387+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero
2023-12-13T08:30:42.106469+01:00 bea-chicago slapd[63531]: #011#011one value, length 35
2023-12-13T08:30:42.106557+01:00 bea-chicago slapd[63531]: conn=1001 op=1 MOD dn="cn=config"
2023-12-13T08:30:42.106644+01:00 bea-chicago slapd[63531]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateKeyFile olcTLSCertificateFile
2023-12-13T08:30:42.106737+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCACertificateFile)
2023-12-13T08:30:42.106823+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
2023-12-13T08:30:42.106918+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCACertificateFile
2023-12-13T08:30:42.107007+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCACertificateFile" requested
2023-12-13T08:30:42.107095+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
2023-12-13T08:30:42.107182+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2023-12-13T08:30:42.107283+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
2023-12-13T08:30:42.107374+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd)
2023-12-13T08:30:42.107457+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T08:30:42.107543+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T08:30:42.107636+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCertificateKeyFile)
2023-12-13T08:30:42.107724+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCertificateKeyFile" requested
2023-12-13T08:30:42.107812+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCertificateKeyFile
2023-12-13T08:30:42.107898+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
2023-12-13T08:30:42.107992+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
2023-12-13T08:30:42.108074+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2023-12-13T08:30:42.108157+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
2023-12-13T08:30:42.108240+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd)
2023-12-13T08:30:42.108323+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T08:30:42.108398+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T08:30:42.108494+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCertificateFile)
2023-12-13T08:30:42.108589+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
2023-12-13T08:30:42.108678+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCertificateFile
2023-12-13T08:30:42.108762+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
2023-12-13T08:30:42.108852+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
2023-12-13T08:30:42.108936+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2023-12-13T08:30:42.109014+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
2023-12-13T08:30:42.109090+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd)
2023-12-13T08:30:42.109172+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T08:30:42.109253+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T08:30:42.109337+01:00 bea-chicago slapd[63531]: slap_get_csn: conn=1001 op=1 generated new csn=20231213073042.095886Z#000000#000#000000 manage=1
2023-12-13T08:30:42.109424+01:00 bea-chicago slapd[63531]: slap_queue_csn: queueing 0x7f57dc000ce0 20231213073042.095886Z#000000#000#000000
2023-12-13T08:30:42.109535+01:00 bea-chicago slapd[63531]: oc_check_required entry (cn=config), objectClass "olcGlobal"
2023-12-13T08:30:42.109647+01:00 bea-chicago slapd[63531]: oc_check_allowed type "objectClass"
2023-12-13T08:30:42.109739+01:00 bea-chicago slapd[63531]: oc_check_allowed type "cn"
2023-12-13T08:30:42.109829+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcArgsFile"
2023-12-13T08:30:42.109917+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcLogLevel"
2023-12-13T08:30:42.110080+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcPidFile"
2023-12-13T08:30:42.110173+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcToolThreads"
2023-12-13T08:30:42.110266+01:00 bea-chicago slapd[63531]: oc_check_allowed type "structuralObjectClass"
2023-12-13T08:30:42.110367+01:00 bea-chicago slapd[63531]: oc_check_allowed type "entryUUID"
2023-12-13T08:30:42.110464+01:00 bea-chicago slapd[63531]: oc_check_allowed type "creatorsName"
2023-12-13T08:30:42.110541+01:00 bea-chicago slapd[63531]: oc_check_allowed type "createTimestamp"
2023-12-13T08:30:42.110617+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCACertificateFile"
2023-12-13T08:30:42.110707+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCertificateKeyFile"
2023-12-13T08:30:42.110793+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCertificateFile"
2023-12-13T08:30:42.110875+01:00 bea-chicago slapd[63531]: oc_check_allowed type "entryCSN"
2023-12-13T08:30:42.110972+01:00 bea-chicago slapd[63531]: oc_check_allowed type "modifiersName"
2023-12-13T08:30:42.111058+01:00 bea-chicago slapd[63531]: oc_check_allowed type "modifyTimestamp"
2023-12-13T08:30:42.111144+01:00 bea-chicago slapd[63531]: send_ldap_result: conn=1001 op=1 p=3
2023-12-13T08:30:42.111233+01:00 bea-chicago slapd[63531]: send_ldap_result: err=80 matched="" text=""
2023-12-13T08:30:42.111321+01:00 bea-chicago slapd[63531]: send_ldap_response: msgid=2 tag=103 err=80
2023-12-13T08:30:42.111407+01:00 bea-chicago slapd[63531]: conn=1001 op=1 RESULT tag=103 err=80 qtime=0.000070 etime=0.002380 text=
2023-12-13T08:30:42.111498+01:00 bea-chicago slapd[63531]: slap_graduate_commit_csn: removing 0x7f57dc000ce0 20231213073042.095886Z#000000#000#000000
2023-12-13T08:30:42.111590+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor
Best regards,
Jean-Luc
On 13.12.23 at 08:51, Jean-Luc Chandezon wrote:
You are missing "changetype: modify"
this is how it should look
-------------
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /opt/symas/etc/openldap/example-net-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /opt/symas/etc/openldap/example-net-key.pem
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /opt/symas/etc/openldap/cacert.pem
-------------
Stefan
Thank you Stefan! Sorry for the mistake due to last changes.
Our ldif file content is:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/LEXP_Infra_CA1.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/annuaire.lexp.fr.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/annuaire.lexp.fr.pem
with the request: ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/01-SSL.ldif
result:
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Any idea?
Please find log content below
023-12-13T14:26:31.500282+01:00 bea-chicago slapd[63531]: #011#011one value, length 33
2023-12-13T14:26:31.500380+01:00 bea-chicago slapd[63531]: #011add: olcTLSCertificateKeyFile
2023-12-13T14:26:31.500452+01:00 bea-chicago slapd[63531]: #011#011one value, length 37
2023-12-13T14:26:31.500528+01:00 bea-chicago slapd[63531]: #011add: olcTLSCertificateFile
2023-12-13T14:26:31.500603+01:00 bea-chicago slapd[63531]: #011#011one value, length 35
2023-12-13T14:26:31.500676+01:00 bea-chicago slapd[63531]: conn=1007 op=1 MOD dn="cn=config"
2023-12-13T14:26:31.500748+01:00 bea-chicago slapd[63531]: conn=1007 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateKeyFile olcTLSCertificateFile
2023-12-13T14:26:31.500823+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCACertificateFile)
2023-12-13T14:26:31.500884+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
2023-12-13T14:26:31.500960+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCACertificateFile
2023-12-13T14:26:31.501039+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCACertificateFile" requested
2023-12-13T14:26:31.501110+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
2023-12-13T14:26:31.501191+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2023-12-13T14:26:31.501270+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
2023-12-13T14:26:31.501338+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd)
2023-12-13T14:26:31.501394+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T14:26:31.501477+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T14:26:31.501563+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCertificateKeyFile)
2023-12-13T14:26:31.501638+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCertificateKeyFile" requested
2023-12-13T14:26:31.501710+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCertificateKeyFile
2023-12-13T14:26:31.501797+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
2023-12-13T14:26:31.501877+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
2023-12-13T14:26:31.501965+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2023-12-13T14:26:31.502028+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
2023-12-13T14:26:31.502087+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd)
2023-12-13T14:26:31.502151+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T14:26:31.502210+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T14:26:31.502271+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCertificateFile)
2023-12-13T14:26:31.502344+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
2023-12-13T14:26:31.502420+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCertificateFile
2023-12-13T14:26:31.502483+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
2023-12-13T14:26:31.502559+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
2023-12-13T14:26:31.502621+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2023-12-13T14:26:31.502680+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
2023-12-13T14:26:31.502751+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd)
2023-12-13T14:26:31.502813+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T14:26:31.502867+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd)
2023-12-13T14:26:31.502928+01:00 bea-chicago slapd[63531]: slap_get_csn: conn=1007 op=1 generated new csn=20231213132631.497094Z#000000#000#000000 manage=1
2023-12-13T14:26:31.502991+01:00 bea-chicago slapd[63531]: slap_queue_csn: queueing 0x7f57e0000bd0 20231213132631.497094Z#000000#000#000000
2023-12-13T14:26:31.503060+01:00 bea-chicago slapd[63531]: oc_check_required entry (cn=config), objectClass "olcGlobal"
2023-12-13T14:26:31.503136+01:00 bea-chicago slapd[63531]: oc_check_allowed type "objectClass"
2023-12-13T14:26:31.503222+01:00 bea-chicago slapd[63531]: oc_check_allowed type "cn"
2023-12-13T14:26:31.503286+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcArgsFile"
2023-12-13T14:26:31.503353+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcLogLevel"
2023-12-13T14:26:31.503434+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcPidFile"
2023-12-13T14:26:31.503498+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcToolThreads"
2023-12-13T14:26:31.503558+01:00 bea-chicago slapd[63531]: oc_check_allowed type "structuralObjectClass"
2023-12-13T14:26:31.503622+01:00 bea-chicago slapd[63531]: oc_check_allowed type "entryUUID"
2023-12-13T14:26:31.503673+01:00 bea-chicago slapd[63531]: oc_check_allowed type "creatorsName"
2023-12-13T14:26:31.503753+01:00 bea-chicago slapd[63531]: oc_check_allowed type "createTimestamp"
2023-12-13T14:26:31.503830+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCACertificateFile"
2023-12-13T14:26:31.503912+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCertificateKeyFile"
2023-12-13T14:26:31.503982+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCertificateFile"
2023-12-13T14:26:31.504056+01:00 bea-chicago slapd[63531]: oc_check_allowed type "entryCSN"
2023-12-13T14:26:31.504121+01:00 bea-chicago slapd[63531]: oc_check_allowed type "modifiersName"
2023-12-13T14:26:31.504183+01:00 bea-chicago slapd[63531]: oc_check_allowed type "modifyTimestamp"
2023-12-13T14:26:31.504246+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor
2023-12-13T14:26:31.504301+01:00 bea-chicago slapd[63531]: daemon: activity on:
2023-12-13T14:26:31.504366+01:00 bea-chicago slapd[63531]:
2023-12-13T14:26:31.504420+01:00 bea-chicago slapd[63531]: send_ldap_result: conn=1007 op=1 p=3
2023-12-13T14:26:31.504491+01:00 bea-chicago slapd[63531]: send_ldap_result: err=80 matched="" text=""
2023-12-13T14:26:31.504557+01:00 bea-chicago slapd[63531]: send_ldap_response: msgid=2 tag=103 err=80
Syntax error? Open your file with vi and do a "set: list" and you will see additional blanks and tabstops.
On 13.12.23 at 14:28 Jean-Luc Chandezon wrote:
Stefan Kania wrote:
Syntax error? Open your file with vi and do a "set: list" and you will see additional blanks and tabstops.
As always - set a higher debug level and examine the debug output. Not the syslog output. syslog is for recording routine operation, not for isolating problems. Use the debug output for troubleshooting.
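Stefan's two replies above point at the LDIF itself: a record with no "changetype: modify" line, and stray blanks or tabs (what vi's ":set list" makes visible) that can end up inside the attribute value, so slapd is handed a path that does not match the file on disk. The following is an added example, not code from the thread or from OpenLDAP, that lints a change record for those defects and for a missing "-" separator between modify operations before the file reaches ldapmodify. The sample records are constructed from the poster's attribute names and paths.

```python
"""Pre-flight lint for a cn=config change record before it goes to ldapmodify.

Added example, not code from the thread or from OpenLDAP. It flags a record
without "changetype: modify", stray tabs or trailing blanks (what vi's
":set list" shows), and a missing "-" separator between modify operations.
The sample records below are constructed from the poster's attributes.
"""

CHANGE_OPS = ("add", "delete", "replace")


def lint_ldif(text):
    """Return human-readable findings, one per defect; an empty list means clean."""
    findings = []
    in_record = False      # between a "dn:" line and the next blank line
    saw_changetype = False
    saw_value = False      # an attr: value line seen since the last op or "-"
    dn_line = 0

    def end_record():
        if in_record and not saw_changetype:
            findings.append(f"line {dn_line}: record has no 'changetype: modify' after the dn")

    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip(" \t")
        if line == "":
            end_record()
            in_record = False
            continue
        if raw.startswith("\t"):
            findings.append(f"line {n}: leading tab (a continuation line must start with one space)")
        if raw != line:
            findings.append(f"line {n}: trailing whitespace would become part of the value")
        if raw.startswith("#") or raw.startswith(" "):
            continue           # comment, or continuation of the previous line
        key = line.lstrip("\t").partition(":")[0]
        if key == "dn":
            in_record, saw_changetype, saw_value, dn_line = True, False, False, n
        elif key == "changetype":
            saw_changetype = True
        elif line == "-":
            saw_value = False
        elif key in CHANGE_OPS:
            if saw_value:
                findings.append(f"line {n}: '{key}:' follows a value line without a '-' separator")
            saw_value = False
        else:
            saw_value = True
    end_record()
    return findings


# Constructed samples (not the poster's real file): the record as first posted,
# with a trailing blank and a leading tab planted, then a clean version, then
# one that drops the "-" between two operations.
SAMPLE_BAD = (
    "dn: cn=config\n"                                                     # no changetype
    "add: olcTLSCACertificateFile\n"
    "olcTLSCACertificateFile: /etc/ssl/certs/LEXP_Infra_CA1.pem \n"       # trailing blank
    "-\n"
    "add: olcTLSCertificateKeyFile\n"
    "\tolcTLSCertificateKeyFile: /etc/ssl/private/annuaire.lexp.fr.key\n"  # leading tab
    "-\n"
    "add: olcTLSCertificateFile\n"
    "olcTLSCertificateFile: /etc/ssl/certs/annuaire.lexp.fr.pem\n"
)
SAMPLE_GOOD = """dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/LEXP_Infra_CA1.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/annuaire.lexp.fr.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/annuaire.lexp.fr.pem
"""
SAMPLE_NO_SEP = """dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/LEXP_Infra_CA1.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/annuaire.lexp.fr.pem
"""

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD), ("no-separator", SAMPLE_NO_SEP)):
        print(f"{name}: {lint_ldif(sample) or 'clean'}")
```

Run it over a real file with `lint_ldif(open("/root/01-SSL.ldif").read())`; a clean result does not prove the change will apply (the thread's err=80 had a different cause), it only rules out the file-format mistakes that slapd reports with the same unhelpful "Other" error.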
Thank you Stefan for the suggestion. Thank you Howard. It was exactly what I understood. When I start the daemon with the command line:
slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.190.58:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d -1
I can see:
657ad073.144a7a3e 0x7f71df270200 TLS: opening `/etc/ssl/private/annuaire.lexp.fr.key' failed: Permission denied
657ad073.144b02fb 0x7f71df270200 TLS: could not use private key file `/etc/ssl/private/annuaire.lexp.fr.key`.
It is more detailed than rsyslog. As Quanah suggests, this is due to a permission issue.
I can see these rights:
-rw------- 1 openldap openldap 1704 Nov 29 17:37 /etc/ssl/private/annuaire.atol.fr.key
I'm trying to check access...
Jean-Luc
-----Original Message-----
From: Howard Chu hyc@symas.com
Sent: Thursday, 14 December 2023 10:46
To: Stefan Kania stefan@kania-online.de; openldap-technical@openldap.org
Subject: Re: SSL certificate install
Stefan Kania wrote:
Syntax error? Open your file with vi and do a "set: list" and you will see additional blanks and tabstops.
As always - set a higher debug level and examine the debug output. Not the syslog output. syslog is for recording routine operation, not for isolating problems. Use the debug output for troubleshooting.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On 14.12.23 at 18:00 Jean-Luc Chandezon wrote:
On debian, /etc/ssl/private is only readable by root and members of ssl-cert.
You can either add your openldap user to this group or move your certificate to /etc/ldap.
Best regards
Ulf
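Jean-Luc's debug output above shows slapd failing with "Permission denied" on a key file that is owned by openldap with mode 0600, and Ulf's reply names the reason: on Debian the /etc/ssl/private directory itself is only searchable by root and the ssl-cert group, so the file's own bits never come into play. The following is an added example, not code from the thread, from Debian or from OpenLDAP, that reproduces this check offline: it evaluates the permission bits of every path component the way the kernel does for a non-root process, so it catches the directory-level denial that `ls -l` on the key file hides. The uid/gid numbers, the sample tree and the stand-in stat function are constructed assumptions.

```python
"""Can the slapd service account open the files named by olcTLS*File?

Added example, not code from the thread, Debian or OpenLDAP. Permission bits
are evaluated the way the kernel does for a non-root process: owner bits if
the uid matches, else group bits if the file's gid is one of the account's
groups, else "other" bits; every parent directory also needs search (x).
The uid/gid numbers and the sample tree below are constructed assumptions.
"""
import grp
import os
import pwd
import re
import stat
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")


def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    if uid == 0:                  # root bypasses discretionary read/search checks
        return True
    if uid == st.st_uid:          # owner class applies even if group/other bits are wider
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_read(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def explain_access(path, uid, gids, stat_fn=os.stat):
    """None if `uid` can read `path`; otherwise the component that blocks it and why."""
    parts = path.strip("/").split("/")
    cur = ""
    for i, part in enumerate(parts):
        cur += "/" + part
        try:
            st = stat_fn(cur)
        except OSError as e:
            return f"{cur}: {e.strerror}"
        last = i == len(parts) - 1
        if not (can_read(st, uid, gids) if last else can_search(st, uid, gids)):
            need = "read" if last else "search (x)"
            return (f"{cur}: no {need} permission for uid {uid} (mode "
                    f"{oct(stat.S_IMODE(st.st_mode))}, owner uid {st.st_uid}, gid {st.st_gid})")
    return None


def account_ids(name):
    """uid and full gid set (primary plus supplementary groups) of a local account."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}


TLS_FILE_RE = re.compile(r"^(olcTLS\w*File):\s*(\S+)\s*$", re.MULTILINE)


def tls_paths(ldif_text):
    """Map each olcTLS*File attribute in a cn=config LDIF to its path."""
    return dict(TLS_FILE_RE.findall(ldif_text))


def report(ldif_text, uid, gids, stat_fn=os.stat):
    """Path -> None when readable, otherwise the reason it is not."""
    return {p: explain_access(p, uid, gids, stat_fn) for p in tls_paths(ldif_text).values()}


# Constructed sample: the poster's LDIF and the Debian layout Ulf describes.
SAMPLE_LDIF = """dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/LEXP_Infra_CA1.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/annuaire.lexp.fr.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/annuaire.lexp.fr.pem
"""
OPENLDAP_UID, OPENLDAP_GID, SSL_CERT_GID = 106, 110, 111      # assumed ids
D, F = stat.S_IFDIR, stat.S_IFREG
FAKE_TREE = {
    "/etc": FakeStat(D | 0o755, 0, 0),
    "/etc/ssl": FakeStat(D | 0o755, 0, 0),
    "/etc/ssl/certs": FakeStat(D | 0o755, 0, 0),
    "/etc/ssl/certs/LEXP_Infra_CA1.pem": FakeStat(F | 0o644, 0, 0),
    "/etc/ssl/certs/annuaire.lexp.fr.pem": FakeStat(F | 0o644, 0, 0),
    "/etc/ssl/private": FakeStat(D | 0o710, 0, SSL_CERT_GID),     # root:ssl-cert, as on Debian
    "/etc/ssl/private/annuaire.lexp.fr.key": FakeStat(F | 0o600, OPENLDAP_UID, OPENLDAP_GID),
}


def fake_stat(path):
    """Stand-in for os.stat over FAKE_TREE."""
    try:
        return FAKE_TREE[path]
    except KeyError:
        raise FileNotFoundError(2, "No such file or directory", path) from None


if __name__ == "__main__":
    for gids in ({OPENLDAP_GID}, {OPENLDAP_GID, SSL_CERT_GID}):
        print("openldap in gids", sorted(gids))
        for path, why in report(SAMPLE_LDIF, OPENLDAP_UID, gids, fake_stat).items():
            print("  ", path, "->", why or "readable")
```

Against a live host, call `uid, gids = account_ids("openldap")` and `report(ldif_text, uid, gids)` as root, since os.stat has to get into /etc/ssl/private itself. For a one-off answer to the same question, `runuser -u openldap -- test -r /etc/ssl/private/annuaire.lexp.fr.key` runs the check as the service account without giving it a login shell, which is what temporarily swapping /bin/false for /bin/bash does.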
Yes, and I believe it was different with the Stretch version. We checked permissions with su on the openldap account (temporarily replacing /bin/false with /bin/bash), and solved the issue.
Thank you for your help!
--On Wednesday, December 13, 2023 7:51 AM +0000 Jean-Luc Chandezon jlch@lan-explore.fr wrote:
Hello dear community,
I'm trying to enable LDAPS. I don't understand what is causing the error. Does anybody have an idea please?
This almost always means that the slapd process cannot access one or more of the file(s) in question, due to some type of permission issue.
--Quanah