
RE: Can't get certificates installed on new server

Hello Philip,

Is it a self-signed certificate?

If yes, you must remove the line olcTLSCACertificateFile.

For more information please consult my how-to: http://www.cyrill-gremaud.ch/linux/howto-install-openldap-2-4-server/

Best regards

Cyrill Gremaud

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Philip Colmer
Sent: Wednesday 25 February 2015 15:13
To: openldap-technical@openldap.org
Subject: Can't get certificates installed on new server

I'm getting a generic error 80 when I try to use ldapmodify to configure my LDAP server to use an SSL certificate. Here is the LDIF I'm using:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt

and the command:

ldapmodify -v -x -H ldapi:/// -f certinfo.ldif -D cn=admin,cn=config -W

Running logging at the highest level doesn't seem to give me much to go on ...

Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify: dn (cn=config)
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: >>> dnPrettyNormal: <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 modifications:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCACertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 34
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 40
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 38
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD dn="cn=config"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <= acl_access_allowed: granted to database root
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "objectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "cn"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigDir"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcArgsFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAttributeOptions"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAuthzPolicy"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConcurrency"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPending"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPendingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcGentleHUP"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIdleTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMaxLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMinLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyStep"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexIntLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcListenerThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLocalSSF"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLogLevel"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcPidFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReadOnly"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReverseLookup"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSaslSecProps"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncoming"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncomingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSVerifyClient"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSProtocolMin"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcToolThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcWriteTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "structuralObjectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryUUID"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "creatorsName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "createTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCACertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateKeyFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryCSN"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifiersName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifyTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: conn=1001 op=1 p=3
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: err=80 matched="" text=""
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_response: msgid=2 tag=103 err=80
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 RESULT tag=103 err=80 text=
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on 1 descriptor
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]:  14r

I've checked that the user that slapd is running under can read the three files.

Any suggestions or clarification on what I've overlooked?

Thanks.

Regards

Philip
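The LDAP result code 80 in the log above is LDAP_OTHER, which slapd returns with an empty diagnostic text when the TLS files it was just handed cannot be loaded, so the server log alone does not say which of the three files is the problem. The script below is an added example for readers of this thread; it is neither Philip's nor Cyrill's and not from the linked how-to. It is a pre-flight check to run before applying such an LDIF: it verifies that each path is readable, that the file behind olcTLSCACertificateFile and olcTLSCertificateFile parses as a PEM certificate and the one behind olcTLSCertificateKeyFile as a PEM private key, that the key actually belongs to the certificate, and that the certificate chains to the CA bundle. Note that in the posted LDIF olcTLSCertificateFile names a .key path and olcTLSCertificateKeyFile a .crt path; whatever the root cause on that server, the object-type check below refuses to proceed when a file does not contain what its attribute name implies. The function names check_tls_files and make_demo_cert are invented for this example, the openssl CLI is assumed to be on PATH, and the chain check assumes the CA bundle reaches a self-signed root (which a self-signed server certificate used as its own CA trivially does).

```shell
#!/bin/sh
# Added pre-flight check for the three olcTLS* files (example code, not from the thread).
# Assumes the openssl CLI is on PATH. Function names are hypothetical.

# check_tls_files CA_BUNDLE CERT KEY
# Returns 0 only if every file is readable, each contains the object type its
# olcTLS* attribute expects, the key matches the certificate, and the
# certificate verifies against the CA bundle. Diagnostics go to stderr.
check_tls_files() {
    ca="$1"; cert="$2"; key="$3"

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "not readable by $(id -un): $f" >&2; return 1; }
    done

    # Object-type checks: a key file handed to olcTLSCertificateFile fails here.
    openssl x509 -in "$ca" -noout 2>/dev/null \
        || { echo "olcTLSCACertificateFile is not a PEM certificate: $ca" >&2; return 1; }
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "olcTLSCertificateFile is not a PEM certificate: $cert" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "olcTLSCertificateKeyFile is not a PEM private key: $key" >&2; return 1; }

    # The key must belong to the certificate: both must yield the same public key.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$certpub" = "$keypub" ] \
        || { echo "private key $key does not match certificate $cert" >&2; return 1; }

    # The server certificate must verify against the configured CA bundle.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate $cert does not chain to $ca" >&2; return 1; }

    echo "TLS files are consistent; safe to apply the LDIF"
    return 0
}

# make_demo_cert DIR: writes a throwaway self-signed key/cert pair (constructed
# demo data) so the check can be exercised without touching a real server.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Run the check once in the correct order and once with cert and key swapped.
demo() {
    d=$(mktemp -d)
    make_demo_cert "$d"
    echo "correct order:"
    check_tls_files "$d/cert.pem" "$d/cert.pem" "$d/key.pem" || true
    echo "certificate and key swapped:"
    check_tls_files "$d/cert.pem" "$d/key.pem" "$d/cert.pem" || true
    rm -rf "$d"
}

demo
```

Run it as the account slapd runs under (for example with su -s /bin/sh to that user) so the readability check reflects the server's own view of the files rather than root's; only after it reports the files as consistent is it worth looking for the cause of err=80 elsewhere.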