ldap_modify: Other (e.g., implementation specific) error (80)

D. Nicolas · Aug 8, 2018

I followed RHEL7: Configure a LDAP directory service for user connection to configure openldap on CentOS Linux release 7.

First I create the /etc/openldap/changes.ldif file and paste the content, replacing the password, of course, with the previously created password.

Then I get to send the new configuration to the slapd server using the command

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif

Once I do that I get the following error:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

All the files are readable for the user slapd is running as. What's wrong there? I couldn't find anything useful to feed SEARCHENGINE with.

It's been a while that I've been looking for a solution, but at the moment all I have found is two people having the same problem and asking the same question, with no answers.

Answer

AbVog · Feb 21, 2019

In my specific case, I was having this error and I literally spent days scouring the Web for an answer. It turned out in my case that the order matters. It was

  1. olcTLSCACertificateFile
  2. olcTLSCertificateKeyFile
  3. olcTLSCertificateFile

Until the order of the attributes in my file was the one above, I was having that dreaded and unhelpful "ldap_modify: Other (e.g., implementation specific) error (80)" error.

I tried to detect permission errors using sudo -u ldap nano <path to each file>. All was fine for each file.

nano revealed that the files were in DOS format: I converted them to have Linux line endings, to no avail.

In all I read, there was a question as to whether the certificate file was in the proper PEM format. I could not check that; maybe it's also a cause for this error.

The only thing that worked was commenting out some lines in the file until I saw changes after running ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q -s base.

Note also that I "compressed" the changes in my file to a single change. What I mean by "compressed" is that instead of having three changes, I had only one: instead of this (I'm using Ansible, so this is actually a Jinja2 template)

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: {{ cert_parentdir_ca_chain }}/{{ cert_filename_ca_chain }}

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: {{ cert_parentdir_wildcard_cert }}/{{ cert_filename_wildcard_cert }}

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: {{ ldap_cert_parentdir_key }}/{{ cert_filename_key }}

I had this

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: {{ cert_parentdir_ca_chain }}/{{ cert_filename_ca_chain }}
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: {{ ldap_cert_parentdir_key }}/{{ cert_filename_key }}
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: {{ cert_parentdir_wildcard_cert }}/{{ cert_filename_wildcard_cert }}

HTH.
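As an added example (not code from the question or the answer above), here is a small Python pre-flight script that checks the three files for the issues the answer went through by hand (readability, DOS line endings, a well-formed PEM block) and writes the combined single-modify LDIF in the attribute order that worked. The file paths passed in are constructed placeholders.

```python
import re

# Order that worked in the answer above: CA chain, private key, server cert.
TLS_ATTR_ORDER = (
    "olcTLSCACertificateFile",
    "olcTLSCertificateKeyFile",
    "olcTLSCertificateFile",
)

# A PEM block: matching BEGIN/END labels around at least one base64 line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END \1-----"
)


def pem_problems(data, label):
    """Return a list of problems found in PEM bytes; [] means it looks fine."""
    problems = []
    if b"\r\n" in data:
        # nano showed the answerer "DOS format"; the files should use LF endings
        problems.append(f"{label}: DOS (CRLF) line endings")
    if not PEM_BLOCK.search(data):
        problems.append(f"{label}: no well-formed PEM block found")
    return problems


def check_pem_file(path):
    """Read one file and report problems; an unreadable file is a problem too.
    Run this as the account slapd runs as (e.g. 'ldap') to catch permissions."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return [f"{path}: cannot read ({exc.strerror})"]
    return pem_problems(data, path)


def build_tls_ldif(ca_file, key_file, cert_file):
    """Emit ONE cn=config modify carrying all three TLS attributes, in
    TLS_ATTR_ORDER, with '-' separating the replace operations."""
    values = {
        "olcTLSCACertificateFile": ca_file,
        "olcTLSCertificateKeyFile": key_file,
        "olcTLSCertificateFile": cert_file,
    }
    lines = ["dn: cn=config", "changetype: modify"]
    for i, attr in enumerate(TLS_ATTR_ORDER):
        if i:
            lines.append("-")
        lines += [f"replace: {attr}", f"{attr}: {values[attr]}"]
    return "\n".join(lines) + "\n"
```

Feed the returned LDIF to `ldapmodify -Y EXTERNAL -H ldapi:/// -f -` only once `check_pem_file` reports no problems for all three paths.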