Old 01-06-2016, 06:56 PM   #1
themooer1
LQ Newbie
 
Registered: Jan 2016
Posts: 7

Rep: Reputation: Disabled
openLDAP TLS config edit failing


Hello Everyone!

I have been working on setting up a single sign-on for a few computers with openLDAP. I am completely new to openLDAP and the directory structure and have been learning as I go along. I have my test Windows computer authenticating against LDAP in the clear just fine; however, I want to secure the connection with TLS, so I created the following file named addcerts.ldif:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLStCECertificateFile: /root/ldapTLS/certs/AlexCA.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /root/ldapTLS/certs/openLDAP.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /root/ldapTLS/private/openLDAP.key

I then proceed to apply it with the following command: ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif, which results in the following error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapmodify: wrong attributeType at line 4, entry "cn=config"

In case what I am doing is completely wrong (which there is a good chance of), what I am trying to accomplish is to add to cn=config the AlexCA.pem certificate authority certificate, and the openLDAP.pem and openLDAP.key certificate and key, which are both signed by the AlexCA.key, to secure the openLDAP connection over TLS. I would also be happy to simply use a self-signed certificate for the LDAP server and trust it on all the clients.

Thanks so much!
Alex
 
Old 01-07-2016, 02:00 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,733

Rep: Reputation: 1835
Quote:
ldapmodify: wrong attributeType at line 4, entry "cn=config"
In line 4 you're trying to add an attribute that is not the same as in line 3 where you declare that you're going to add it:
olcTLStCECertificateFile instead of olcTLSCACertificateFile


Regards
 
Old 01-07-2016, 08:57 AM   #3
themooer1
LQ Newbie
 
Registered: Jan 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
openLDAP TLS config

Thank you so much for your advice. I found and fixed the error and my configuration now looks like this.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /root/ldapTLS/certs/AlexCA.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /root/ldapTLS/certs/openLDAP.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /root/ldapTLS/private/openLDAP.key

So I ran the same command (ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif); the first error was fixed, but now it gives the following error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCACertificateFile: no equality matching rule
What is a matching rule in this context? How do I provide one?

Thanks!
 
Old 01-07-2016, 11:44 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,733

Rep: Reputation: 1835
Quote:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCACertificateFile: no equality matching rule
You may need to use "replace" instead of "add":
Code:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /root/ldapTLS/certs/AlexCA.pem 
-
<snip>
 
Old 01-07-2016, 09:07 PM   #5
themooer1
LQ Newbie
 
Registered: Jan 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
TLS config error

I tried your suggestion before and again with the new changes, which fixed the first error, but now it gives me an "implementation specific error (80)".

Thanks
 
Old 01-08-2016, 02:23 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,733

Rep: Reputation: 1835
Quote:
Originally Posted by themooer1
I tried your suggestion before and again with the new changes, which fixed the first error, but now it gives me an "implementation specific error (80)".

Thanks
Make sure that the directory used to store the certs/keys is writable by the openldap user.
 
Old 01-08-2016, 07:51 PM   #7
themooer1
LQ Newbie
 
Registered: Jan 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
Permissions Update

I have the certificates for LDAP in a directory in root's home so they wouldn't be easily accessible. Upon your suggestion I double-checked the permissions, but even after ensuring that the certificates are owned by openLDAP:root and that the permissions are set to 700, I still get this when trying to write the changes to the database:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
 
Old 01-09-2016, 08:46 AM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,733

Rep: Reputation: 1835
Quote:
I have the certificates for LDAP in a directory in root's home so they wouldn't be easily accessible. Upon your suggestion I double-checked the permissions, but even after ensuring that the certificates are owned by openLDAP:root and that the permissions are set to 700, I still get this when trying to write the changes to the database.
I mean the directory used by ldap to store data, usually /var/lib/ldap, but check your distro's documentation. Maybe the same goes for the directory that keeps certs/keys (under /etc/openldap/certs).
Re. the user, it could be ldap or openldap depending on the distro.
 
Old 01-09-2016, 08:56 AM   #9
themooer1
LQ Newbie
 
Registered: Jan 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
LDAP permissions update 2

Thanks so much for all the help. These are the permissions, and they all seem correct to me. Also I can make edits through phpLDAPadmin successfully and pGINA can authenticate against the main database just fine.

drwxr-xr-x 2 openldap openldap 4.0K Jan 8 16:54 ldap
drwxr-xr-x 2 root root 4.0K Apr 12 2015 slapd
Attached thumbnail: Screenshot 2016-01-09 09.48.35.png
 
Old 01-10-2016, 08:38 AM   #10
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,733

Rep: Reputation: 1835
Quote:
Originally Posted by themooer1
Thanks so much for all the help. These are the permissions, and they all seem correct to me. Also I can make edits through phpLDAPadmin successfully and pGINA can authenticate against the main database just fine.
drwxr-xr-x 2 openldap openldap 4.0K Jan 8 16:54 ldap
drwxr-xr-x 2 root root 4.0K Apr 12 2015 slapd
Sorry, but I cannot think of anything else. Perhaps you could delete the TLS stuff and start over.

Regards
 
Old 01-10-2016, 10:58 AM   #11
SteveThePirate87
Member
 
Registered: Jul 2012
Location: Glasgow, UK
Distribution: Ubuntu Mate 15.04
Posts: 66

Rep: Reputation: Disabled
Hi,

It looks like it could be syntax-related within your ldif file. I found the following link, which may not be exactly the issue that you have but hopefully will help you debug it.

http://serverfault.com/questions/490...lcaccess-handl

Hope this helps,
Steve.
 
1 members found this post helpful.
Old 01-28-2016, 05:44 PM   #12
themooer1
LQ Newbie
 
Registered: Jan 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thank You!!!

Thank you so much! I had just stumbled upon that article right as you posted it and the lack of spaces separating the lines was the problem.
 
1 members found this post helpful.
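Both LDIF problems hit in this thread (the attribute name on line 4 not matching its add: directive, and mod specs that are not separated the way ldapmodify expects) can be caught before touching cn=config. This checker is an added example, not code from the thread; the sample record is the OP's first addcerts.ldif, and the separator rules it enforces are those of RFC 2849 (a lone "-" between mods, a blank line ending the record).

```python
import re
# Constructed sample: the first addcerts.ldif from this thread, line-4 typo intact.
SAMPLE_LDIF = """dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLStCECertificateFile: /root/ldapTLS/certs/AlexCA.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /root/ldapTLS/certs/openLDAP.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /root/ldapTLS/private/openLDAP.key
"""
MOD_OPS = ("add", "replace", "delete")
ATTR_LINE = re.compile(r"^([A-Za-z][\w;-]*):\s*(.*)$")

def check_modify_ldif(text):
    """Return [(line_number, message), ...] for one 'changetype: modify' record.
    Checks what ldapmodify rejects: dn:/changetype: header, every value line
    naming the attribute of its add:/replace:/delete: directive, and mod specs
    separated by a lone '-' (RFC 2849); a blank line ends the record."""
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].lower().startswith("dn:"):
        problems.append((1, "record must start with a dn: line"))
    if len(lines) < 2 or lines[1].strip().lower() != "changetype: modify":
        problems.append((2, "expected 'changetype: modify' on line 2"))
    current = None  # attribute named by the directive currently in force
    for num, line in enumerate(lines[2:], start=3):
        if line == "-":  # end of one mod spec
            current = None
            continue
        if not line.strip():  # blank line terminates the whole record
            if any(rest.strip() for rest in lines[num:]):
                problems.append((num, "blank line ends the record; separate mods with '-'"))
            break
        match = ATTR_LINE.match(line)
        if not match:
            problems.append((num, "not an 'attribute: value' line"))
            continue
        attr, value = match.group(1), match.group(2).strip()
        if attr.lower() in MOD_OPS:
            if current is not None:
                problems.append((num, "new directive without a '-' separator before it"))
            current = value
        elif current is None:
            problems.append((num, f"{attr} appears outside any add/replace/delete directive"))
        elif attr.lower() != current.lower():
            problems.append((num, f"wrong attributeType: {attr} under '{current}'"))
    return problems
```

Run it on the sample and it reports line 4, the same line ldapmodify complained about in the first post.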
Old 11-22-2016, 03:39 AM   #13
saife
LQ Newbie
 
Registered: Nov 2016
Posts: 1

Rep: Reputation: Disabled
TLS : ldap_modify: Other (e.g., implementation specific) error (80)

I have deployed OpenLDAP on Ubuntu 16.04 and got the error "ldap_modify: Other (e.g., implementation specific) error (80)". Through the syslog, I could see:

Nov 21 15:33:34 hna kernel: [18125.835361] audit: type=1400 audit(1479713614.226:30): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/ssl/cacert.pem" pid=16111 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0

So, check the path of your cert.pem. You can move the cert file to a secure path like /etc/ssl/certs/, or you can modify the "/etc/apparmor.d/usr.sbin.slapd" file and add your cert file path; also don't forget "/etc/init.d/apparmor reload".
 
1 members found this post helpful.
Old 09-12-2017, 02:17 AM   #14
skubriev
LQ Newbie
 
Registered: Sep 2017
Posts: 1

Rep: Reputation: Disabled
You are right.

Dear @saife. You are absolutely right.

Thank you for a tip in my case.

Let's describe the problem here for the next generations (so that Google can direct people to this topic):

I had Ubuntu 16.04 in an lxd container. I had successfully set up file/folder permissions for the daemon running as the `openldap` user in my distro.


```
sudo -u openldap cat /etc/letsencrypt/live/ldap.example.com/chain.pem
```

That command cats all the files successfully. To achieve this I had to set up permissions like so:

```
# set proper permissions:
chgrp -R openldap /etc/letsencrypt/live/ /etc/letsencrypt/archive
chmod -R g=rx /etc/letsencrypt/live/ /etc/letsencrypt/archive
```

But I was getting an error:

```
root@ldap:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
```

I was using the following tls file:

```
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/ldap.example.com/chain.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/ldap.example.com/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.example.com/privkey.pem
```

As I later found out, this file is syntactically correct. The main reason is AppArmor.

I wrote an additional config `/etc/apparmor.d/local/usr.sbin.slapd` with the following content:

```
# Site-specific additions and overrides for usr.sbin.slapd.
# For more details, please see /etc/apparmor.d/local/README.
/etc/letsencrypt/** r,
```

And I uncommented the include of these local modifications in the main service config `/etc/apparmor.d/usr.sbin.slapd`.

Then I restarted the container, because I could not determine the state of the apparmor service:

```
root@ldap:~# service apparmor status
● apparmor.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
```
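One way to find this cause before changing any permissions: scan the syslog for AppArmor denials attributed to the slapd profile and turn them into the narrowest possible local rules. This is an added example, not code from the thread; the log excerpt is constructed from the audit line quoted in post #13 plus a second denial for a Let's Encrypt path of the kind used in this post, and the fsuid in those lines is the uid slapd runs as.

```python
import re

# Constructed sample syslog excerpt: the denial quoted in this thread, an
# unrelated slapd line, and a second denial for a Let's Encrypt key path.
SAMPLE_SYSLOG = """Nov 21 15:33:34 hna kernel: [18125.835361] audit: type=1400 audit(1479713614.226:30): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/ssl/cacert.pem" pid=16111 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Nov 21 15:33:35 hna slapd[16111]: conn=1000 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Nov 21 15:34:01 hna kernel: [18152.100000] audit: type=1400 audit(1479713641.100:31): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/letsencrypt/live/ldap.example.com/privkey.pem" pid=16111 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_apparmor_denials(log_text, profile="/usr/sbin/slapd"):
    """Return [(path, denied_mask), ...] for AppArmor DENIED events of one profile."""
    hits = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("profile") == profile and "name" in fields:
            hits.append((fields["name"], fields.get("denied_mask", "")))
    return hits

def suggest_local_rules(hits):
    """Per-file rules for /etc/apparmor.d/local/usr.sbin.slapd, one per denial.
    Exact paths rather than a /etc/letsencrypt/** glob keep the grant narrow."""
    return sorted({f"{path} {mask}," for path, mask in hits})
```

If the scan comes back empty while error 80 persists, AppArmor is not the cause and the file ownership/permission checks from earlier in the thread are the next thing to look at.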
 
Old 01-28-2020, 09:18 AM   #15
Solution365
LQ Newbie
 
Registered: Jan 2020
Posts: 1

Rep: Reputation: Disabled
ldapmodify: wrong attributeType at line 5, entry "cn=config"

I have also faced this issue while adding an SSL certificate in OpenLDAP.
I was copying the ldif file from Google and trying to add the TLS certificate. After reading many posts I found that I was not adding the line spacing.

Check whether you have a space between the lines like below (sample file that I used):

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt

replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/ldap_server.crt

replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/ldap_server.key


Hope this will help newbies like me!!
 
  

