I'm getting a generic error 80 when I try to use ldapmodify to configure my LDAP server to use an SSL certificate. Here is the LDIF I'm using:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt
and the command:
ldapmodify -v -x -H ldapi:/// -f certinfo.ldif -D cn=admin,cn=config -W
Running logging at the highest level doesn't seem to give me much to go on ...
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify: dn (cn=config)
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: >>> dnPrettyNormal: <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 modifications:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCACertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 34
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 40
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 38
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD dn="cn=config"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <= acl_access_allowed: granted to database root
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "objectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "cn"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigDir"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcArgsFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAttributeOptions"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAuthzPolicy"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConcurrency"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPending"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPendingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcGentleHUP"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIdleTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMaxLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMinLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyStep"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexIntLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcListenerThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLocalSSF"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLogLevel"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcPidFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReadOnly"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReverseLookup"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSaslSecProps"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncoming"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncomingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSVerifyClient"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSProtocolMin"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcToolThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcWriteTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "structuralObjectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryUUID"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "creatorsName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "createTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCACertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateKeyFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryCSN"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifiersName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifyTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: conn=1001 op=1 p=3
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: err=80 matched="" text=""
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_response: msgid=2 tag=103 err=80
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 RESULT tag=103 err=80 text=
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on 1 descriptor
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: 14r
I've checked that the user that slapd is running under can read the three files.
Any suggestions or clarification on what I've overlooked?
Thanks.
Regards
Philip
Hello Philip,
Is it a self-signed certificate?
If yes, you must remove the line olcTLSCACertificateFile.
For more information, please consult my how-to: http://www.cyrill-gremaud.ch/linux/howto-install-openldap-2-4-server/
Best regards
Cyrill Gremaud
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Philip Colmer
Sent: Wednesday 25 February 2015 15:13
To: openldap-technical@openldap.org
Subject: Can't get certificates installed on new server
Gremaud Cyrill wrote:
Hello Philip,
Is it a self-signed certificate?
If yes, you must remove the line olcTLSCACertificateFile.
That is utter nonsense.
On 25/02/2015 15:13, Philip Colmer wrote:
I'm getting a generic error 80 when I try to use ldapmodify to configure my LDAP server to use an SSL certificate. Here is the LDIF I'm using:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLS*CertificateFile*
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.*key*
-
add: olcTLSCertificate*Key*File
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.*crt*
Seems to me that you have switched cert and key ;-)
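The swap Yann points out produces nothing more than a bare err=80 from slapd, so it is worth checking the TLS paths before the modify. As an added example (not code from this thread or from OpenLDAP), the script below parses a cn=config modify LDIF and verifies that each olcTLS*File attribute points at a PEM whose block label fits its role; the PEM bodies are constructed stand-ins and the read_file callback is an assumption so the check runs offline.

```python
"""Pre-flight check for the TLS file attributes in an OpenLDAP cn=config LDIF.

Added example, not code from this thread or from OpenLDAP. Each olcTLS*File
attribute must point at a PEM file whose block label matches its role
(certificate vs. private key); slapd only says err=80 with empty text when the
files fail to load, so this catches a swapped cert/key before ldapmodify runs.
PEM bodies below are constructed stand-ins, not real key material.
"""
import re

# Acceptable PEM block labels for each TLS file attribute in cn=config.
EXPECTED_PEM_LABELS = {
    "olcTLSCACertificateFile": {"CERTIFICATE", "TRUSTED CERTIFICATE"},
    "olcTLSCertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)


def parse_ldif_modify(text):
    """Return {attribute: [values]} for one 'changetype: modify' LDIF record.
    Unfolds continuation lines (leading space) and skips '-' separators,
    comments and the dn/changetype/add/replace/delete control lines."""
    unfolded = re.sub(r"\n ", "", text.strip())
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line == "-" or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() in ("dn", "changetype", "add", "replace", "delete"):
            continue
        attrs.setdefault(name, []).append(value)
    return attrs


def check_tls_ldif(ldif_text, read_file):
    """Return a list of findings; an empty list means the TLS paths look sane.
    read_file(path) -> str or None is an assumption of this example: pass a
    dict's .get for offline tests or a wrapper around open().read() for real files."""
    findings = []
    for attr, values in parse_ldif_modify(ldif_text).items():
        expected = EXPECTED_PEM_LABELS.get(attr)
        if expected is None:
            continue  # not a TLS file attribute, nothing to verify
        for path in values:
            body = read_file(path)
            if body is None:
                findings.append(f"{attr}: {path} is missing or unreadable")
                continue
            labels = set(PEM_BEGIN.findall(body))
            if not labels:
                findings.append(f"{attr}: {path} contains no PEM blocks")
            elif not labels & expected:
                findings.append(f"{attr}: {path} holds {sorted(labels)}, "
                                f"expected one of {sorted(expected)}")
    return findings


def pem_stub(label):
    """Constructed PEM block with a placeholder body (no real key material)."""
    return f"-----BEGIN {label}-----\nplaceholder\n-----END {label}-----\n"


# Stand-in file contents keyed by the paths used in the thread.
FAKE_FS = {
    "/etc/ssl/certs/gd_bundle-g2-g1.pem": pem_stub("CERTIFICATE") * 2,  # CA bundle
    "/etc/ssl/certs/wildcard.linaro.org.crt": pem_stub("CERTIFICATE"),
    "/etc/ssl/private/wildcard.linaro.org.key": pem_stub("RSA PRIVATE KEY"),
}

# The LDIF as posted in the thread: the .key and .crt paths are swapped.
LDIF_AS_POSTED = """dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt
"""

# The same record with the two paths the right way round.
LDIF_CORRECTED = LDIF_AS_POSTED.replace(
    "olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key",
    "olcTLSCertificateFile: /etc/ssl/certs/wildcard.linaro.org.crt").replace(
    "olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt",
    "olcTLSCertificateKeyFile: /etc/ssl/private/wildcard.linaro.org.key")

if __name__ == "__main__":
    for label, ldif in (("as posted", LDIF_AS_POSTED), ("corrected", LDIF_CORRECTED)):
        problems = check_tls_ldif(ldif, FAKE_FS.get)
        print(label + ":", "OK" if not problems else "")
        for problem in problems:
            print("  " + problem)
```

Against the LDIF as posted it reports both the certificate attribute holding a private key and the key attribute holding a certificate; the corrected record passes cleanly.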
THANK YOU!
Goodness, I really couldn't see the wood for the trees there.
Many thanks.
Philip
On 26 February 2015 at 10:56, Yann Cézard yann.cezard@univ-pau.fr wrote:
On 25/02/2015 15:13, Philip Colmer wrote:
I'm getting a generic error 80 when I try to use ldapmodify to configure my LDAP server to use an SSL certificate. Here is the LDIF I'm using:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt
Seems to me that you have switched cert and key ;-)
--
Yann Cézard - server systems administrator
Direction du Numérique - Infrastructures - http://dn.univ-pau.fr
Université de Pau et des pays de l'Adour - http://www.univ-pau.fr
d'Alembert building (formerly IFR), rue Jules Ferry, 64000 Pau
Telephone: +33 (0)5 59 40 77 94