How can I use docker without sudo?

Question

Ph4edrus

Asked: 2017-07-16 02:32:16 +0800 CST2017-07-16 02:32:16 +0800 CST 2017-07-16 02:32:16 +0800 CST

OpenLDAP error configuring StartTLS: ldap_modify: Other (e.g., implementation specific) error (80)

772

Configuring StartTLS for OpenLDAP.

Ubuntu server 16.04
Slapd 2.4.42+dfsg-2ubuntu3.2

I have my own internal Certificate authority that is providing certificates.

I have set up certificates and key: in /etc/ssl/certs:

-rw-r----- 1 root ssl-cert   3268 Jul 14 23:02 ldaptest.roenix.net.cert.pem

lrwxrwxrwx 1 root root         51 Jul  2 13:22 roenix.ca.cert.pem -> /usr/local/share/ca-certificates/roenix.ca.cert.crt

in /etc/ssl/private:

-rw-r----- 1 root ssl-cert 3243 Jul 14 23:01 ldaptest.roenix.net.key.pem

I have correctly set hostname:

@ldaptest:/etc/ssl/certs$ hostname -f
ldaptest.roenix.net

I try to add the configuration to slapd with this LDIF:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/roenix.ca.cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldaptest.roenix.net.cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldaptest.roenix.net.key.pem

With the command:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

I get this error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

Any help greatly appreciated!

6 Answers

Voted

Oussama Mechlaoui · Answer 1 · 2018-12-20T18:45:07+08:00

Oussama Mechlaoui

2018-12-20T18:45:07+08:002018-12-20T18:45:07+08:00

I solved this problem by changing the order in the file.ldif like this:

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/your_key

dn: cn=config 
changetype: modify
replace: olcTLSCertificateFile 
olcTLSCertificateFile: /etc/openldap/certs/your_certificate

and the I ran the command

ldapmodify -Y EXTERNAL -H ldapi:/// -f your_file.ldif

make sure that there an acl that makes the root eligible to make change with authenticating with SASL bind.

To make sure that changes have been done, run this command

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep olcTLS

5

user798428 · Answer 2 · 2018-02-23T08:07:56+08:00

user798428

2018-02-23T08:07:56+08:002018-02-23T08:07:56+08:00

I had the same problem. Certificates were stored in the /opt/local/cert.

You must add this directory to the list of the resolved files in /etc/apparmor.d/local/usr.sbin.slapd:

/opt/local/cert/ r,
/opt/local/cert/* r,

2

elbarna · Answer 3 · 2019-11-25T16:00:00+08:00

This error can be also a permission error. For example if did this command

vim newcerts.ldif

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/myca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap1.mydom.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap1.mydom.key
-
replace: olcTLSRandFile
olcTLSRandFile: /dev/urandom

then

ldapmodify -Y EXTERNAL -H ldapi:/// -f newcerts.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

but after give with setfacl the permission of read keyfile to openldap user(the certs are usually 644 readable by all)

setfacl -m u:openldap:r-x /etc/ssl/private
setfacl -m u:openldap:r-x /etc/ssl/private/ldap1.mydom.key

all works

ldapmodify -Y EXTERNAL -H ldapi:/// -f newcerts.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Kartik Agarwal · Answer 4 · 2020-03-18T06:46:05+08:00

Kartik Agarwal

2020-03-18T06:46:05+08:002020-03-18T06:46:05+08:00

I solved the problem just use in the correct order first key then cert. And it worked for me.

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/myldap.kart.com.key 

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/myldap.kart.com.cert

1

Marlar · Answer 5 · 2021-08-22T01:11:40+08:00

Marlar

2021-08-22T01:11:40+08:002021-08-22T01:11:40+08:00

Problem could also be that SELinux is preventing slapd from read access to the .key and .cert file. Please add policy for the files, dont turn SELinux off.

Having problem with SELinux. Use tool setroubleshoot.

0

Ph4edrus · Answer 6 · 2021-08-23T11:23:28+08:00

Best Answer

Ph4edrus

2021-08-23T11:23:28+08:002021-08-23T11:23:28+08:00

Thomas' comment put me on the right track.

Cause of the problem: I failed to realize that /etc/ssl/certs/roenix.ca.cert.crt is actually a symlink to /usr/local/share/ca-certificates/roenix.ca.cert.crt.

Solution: Set correct permissions on the actual cert file in /usr/local/share/ca-certificates.

Also read the other comments and learned a lot! Thanks all.

0

OpenLDAP error configuring StartTLS: ldap_modify: Other (e.g., implementation specific) error (80)

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?