OpenLDAP – Fix ‘ldapmodify Error 80 While Trying to Add SSL Certificate’

Tags: debian, openldap, ssl

Okay, so I've been trying to configure TLS with LDAP on my Debian Jessie server, so far without success. I keep running into the dreaded error 80 when I run my ldapmodify command.

Here's the content of my ldif file:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /ssl/ldap/cacert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /ssl/ldap/server-key.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /ssl/ldap/server-cert.pem

And of course, when I run this, here's the output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

Now, I've read dozens of posts online and every time, it seems to be a permission issue. However, in my case, when I put just this in my file, it works:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /ssl/ldap/cacert.pem

So, given that all three files are in the same folder and have the same set of permissions, I'm rather doubtful the problem comes from that. Can anybody help me figure things out?

Thanks.

Best Answer

Ok, so in my case, the problem turned out to be that the server-cert.pem and server-key.pem were actually malformed.

Initially, both private key and certificates were in a single pem file so I had to split them back in two to accommodate LDAP. However, instead of actually using the openssl tool to split the file, I opened a text editor and copy-pasted things in two separate files. For anyone reading this in the future: this is a BAD idea. If you ever happen to have one single file containing both the certificate and the private key, use the two commands below to extract both parts. It'll save you a LOT of headache.

openssl x509 -outform pem -in server.pem -out cert.pem
openssl pkey -outform pem -in server.pem -out key.pem
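As an added check that is not part of the original answer: a small Python script that validates the three PEM files before they are referenced from cn=config, catching exactly the copy-paste defects described above (a combined cert+key file, a dropped base64 line, a mismatched END label). It assumes plain RFC 7468 PEM layout; the DER payload used for the sample files is a constructed placeholder, not a real certificate or key.

```python
import base64
import re
# One PEM block: BEGIN line, base64 body, END line (RFC 7468 layout).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL)
CERT_TYPES = {"CERTIFICATE"}
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def der_length_matches(der):
    """True if the outer DER SEQUENCE header announces exactly len(der) bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                        # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                        # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def check_pem(text, expected_types):
    """Return (ok, reason) for a PEM file that must hold only `expected_types`."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return False, "no complete BEGIN/END block"
    for begin, body, end in blocks:
        if begin != end:
            return False, f"BEGIN {begin} paired with END {end}"
        if begin not in expected_types:
            return False, f"unexpected {begin} block in this file"
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            return False, "body is not valid base64"
        if not der_length_matches(der):
            return False, "DER length mismatch: body truncated or padded"
    return True, "ok"

def make_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)  # constructed stand-in, not a real cert/key
GOOD_CERT = make_pem("CERTIFICATE", FAKE_DER)
GOOD_KEY = make_pem("PRIVATE KEY", FAKE_DER)
COMBINED = GOOD_CERT + GOOD_KEY              # one file holding both, as in the answer
# Two typical copy-paste mistakes: last base64 line dropped; END label copied wrongly.
TRUNCATED = "\n".join(GOOD_CERT.splitlines()[:-2]) + "\n-----END CERTIFICATE-----\n"
MISMATCHED = GOOD_CERT.replace("END CERTIFICATE", "END RSA PRIVATE KEY")
```

Run `check_pem(open(path).read(), CERT_TYPES)` on cacert.pem and server-cert.pem and `check_pem(..., KEY_TYPES)` on server-key.pem; any result other than `(True, "ok")` is worth fixing before retrying ldapmodify.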