I am using the following command and script to get OpenLDAP (running on ubuntu v16) to use SSL certificates (locations of the certificates is correct).
ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/fullchain-xxxxxx.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/cert-xxxxxx.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/privkey-xxxxxx.pem
command:
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f ssl.ldif
output:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Is there any other log file entry that I can check to troubleshoot this further?
I had to ensure that all certificate files were readable by the openldap user and that the openldap user was part of the ssl-cert group. Once the read access was in place, the command worked correctly.