Hi everyone,

I've tried a common proceeded: insert CA and server certificates on cn=config. I've created CA and server certificate in PEM format and I've signed server certificate with CA certificate. Then I've created a 5tls.ldif with following content:

dn: cn=config changetype: modify replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/ldap.local.crt - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.local.key - add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem

But server has returned following error when I've ran ldapmodify -Y EXTERNAL -H ldapi:/// -f 5tls.ldif:

[root@localhost ldifs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f 5tls.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Other (e.g., implementation specific) error (80)

ldap.local.crt, ldap.local.key and ca.cert.pem are /etc/openldap/certs and they own read permission to ldap group.

I don't understand this behavior and I have no idea what is wrong.

OBS: I've mounted environment on CentOS 7, added symas' repository and install from yum.

Here some relevant info below.

OpenLDAP version - 2.4.47 [root@localhost ldifs]# slapd -V @(#) $OpenLDAP: slapd 2.4.47 (Mar 11 2019 17:22:04) $ build@c7rpm :/home/build/git/rheldap/RHEL7_x86_64/BUILD/symas-openldap-2.4.47/openldap-2.4.47/servers/slapd

STATUS after run ldapmodify [root@localhost ldifs]# systemctl status slapd -l ● slapd.service - OpenLDAP Server Daemon Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2019-06-28 01:51:50 -03; 1h 36min ago Docs: man:slapd man:slapd-config man:slapd-hdb man:slapd-mdb file:///usr/share/doc/openldap-servers/guide.html Process: 4654 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS) Process: 4641 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS) Main PID: 4656 (slapd) CGroup: /system.slice/slapd.service └─4656 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 fd=11 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi) Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 op=0 BIND dn="" method=163 Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71 Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 op=0 RESULT tag=97 err=0 text= Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 op=1 MOD dn="cn=config" Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 op=1 MOD attr=olcTLSCACertificateFile Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 op=1 RESULT tag=103 err=80 text= Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 op=2 UNBIND Jun 28 03:10:16 localhost.localdomain slapd[4656]: conn=1008 fd=11 closed

Best regards, -- Igor Sousa