M4v

Reputation: 73

Unable to use openldap olcTLS attributes

I've been working on trying to migrate an openldap instance from CentOS7 to CentOS8. RHEL deprecated the openldap packages in RHEL8, so I've been trying to migrate to the Symas packages.

With the Symas packages installed, I've actually been able to get everything migrated over and working with the exception of TLS for STARTTLS. It seems that it doesn't recognize any of the olcTLS* attributes. I'm assuming that's schema related somehow but if someone could point me in the right direction I'd appreciate it.

tls.ldif:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt

Results:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
modifying entry "cn=config" 
ldap_modify: Other (e.g., implementation specific) error (80)
#

SELinux is currently disabled, the LDAP user/group recursive own everything under '/etc/openldap'. Googling has yielded many many results, but none of them covering procedures for TLS/STARTTLS on CentOS8 that I have found.

Upvotes: 2

Views: 2562

Answers (4)

Kreise

Reputation: 1

Other than the ordering and file permissions, if you still encounter the implementation error, you may not have started slapd with ldaps:/// enabled. On Debian Bookworm in /etc/default/slapd:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps://127.0.0.1:636/ ldapi:///"

On Arch it's in /etc/conf.d/slapd:

SLAPD_URLS="ldap://127.0.0.1:389/ ldaps://127.0.0.1:636/"

I did not want to enable TLS on my root server, and not on all interfaces, before having certs applied. So I omitted ldaps, but it seems needed.

Upvotes: 0

em_bo

Reputation: 692

I tried everything I could find in every possible thread on this, all to no avail. What finally worked was to first delete the existing olcTLSCertificateKeyFile entry:

dn: cn=config
changetype: modify
delete: olcTLSCertificateKeyFile

Then add it via a separate ldif file:

dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: xxx

(Yes, the key absolutely 100% belongs with the existing olcTLSCertificateFile cert, triply-checked via openssl modulus, etc.)

Upvotes: 0

gibby

Reputation: 1

I had this issue on Ubuntu 20.04 and I had been searching for an answer for hours... The solution was to turn off slapd before adding or modifying olcTLS options. It is so stupid, because CentOS doesn't really care.

systemctl stop slapd

Then add the record:

ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif

Though I've read that the order in which you add olcTLS records matters, or that olcTLSCA settings should not be added if you use self-signed certs, all this seems to be false. This is my olcTLS file:

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/server.key
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca.crt
-
add: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/sasl2

Also don't forget to set the owner:group to openldap

chown -R openldap:openldap /etc/openldap/sasl2

And permissions:

chmod 0600 /etc/openldap/sasl2/*

Upvotes: 0

M4v

Reputation: 73

After a ton of digging, I determined the issue to be a problem with my private key, and so it refused to set the TLS options altogether. But I'll be inclusive of everything I had to verify here for this error.

So for starters, you need to make sure the public/private keys are producing the same hash (This was where my issue was) -

openssl x509 -noout -modulus -in /path/to/public.crt | openssl md5
openssl rsa -noout -modulus -in /path/to/private.key | openssl md5

Then, from the Debian guide -

If the modifications fail with ldap_modify: Other (e.g., implementation specific) error (80), check the file paths for typos, and ensure the files are readable by the openldap user.

Use sudo to run commands as the ldap user to validate this. For example:

sudo -u ldap cat /path/to/public.crt

Or

sudo -u ldap file /path/to/public.crt

You may have to additionally look into SELinux if the above doesn't work.

Upvotes: 2
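The checks from the accepted answer, gathered into one pre-flight script that runs before ldapmodify touches cn=config. This is an added example, not code from the thread; it assumes openssl is installed and that the slapd service account is passed as the first argument (ldap on CentOS/Symas, openldap on Debian/Ubuntu). The key/cert comparison generalises the modulus check above by comparing public keys, so it also covers EC keys.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# causes this thread settles on, run before ldapmodify against cn=config.
# Assumptions: openssl is installed; $1 is the slapd service user.

# Does the certificate's public key match the private key? Compares the
# SubjectPublicKeyInfo PEM, so it works for RSA and EC keys alike (the
# accepted answer compares RSA moduli, the RSA-only form of this check).
cert_key_match() {
  cpub=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null) || return 2
  kpub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Does the certificate verify against the CA that olcTLSCACertificateFile will name?
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Is FILE readable by USER? Checked in place when we already are that user,
# otherwise via sudo (-n: fail instead of prompting), as the accepted answer does.
readable_as() {
  user="$1" f="$2"
  if [ "$(id -un)" = "$user" ]; then
    [ -r "$f" ]
  else
    sudo -n -u "$user" test -r "$f"
  fi
}

# Run all checks; prints one line per failure, returns non-zero if any fail.
# Usage: check_slapd_tls USER CERT KEY [CA]   (paths without spaces assumed)
check_slapd_tls() {
  user="$1" cert="$2" key="$3" ca="${4-}"
  rc=0
  for f in "$cert" "$key" $ca; do
    readable_as "$user" "$f" || { echo "not readable by $user: $f"; rc=1; }
  done
  cert_key_match "$cert" "$key" || { echo "key does not match cert: $key"; rc=1; }
  if [ -n "$ca" ]; then
    cert_chains_to_ca "$cert" "$ca" || { echo "cert does not verify against CA: $ca"; rc=1; }
  fi
  return $rc
}

# Run directly, e.g.: sh check_tls.sh ldap /etc/openldap/certs/server.crt \
#   /etc/openldap/certs/server.key /etc/openldap/certs/ca.crt
if [ "$#" -ge 3 ]; then check_slapd_tls "$@"; fi
```

Each failing line maps to one cause of error (80) in this thread: a key that does not belong to the cert, or a file slapd's user cannot read.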
