ldapmodify fails to implement TLS certificate

I am probably overlooking a typo, but I cannot find it.

~$ /usr/bin/ldapmodify -H ldapi:// -Y EXTERNAL -f /tmp/certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

~$ cat /tmp/certs.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt

grep -R olcTLS /etc/openldap/slapd.d
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: "OpenLDAP Server"
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/certs/password

ls -la /etc/openldap/certs/ldap.crt
-rw-r--r--. 1 root root 2282 Aug 20 17:42 /etc/openldap/certs/ldap.crt

Answer 1

After changing the folder ownership, ldapmodify succeeded. I am not sure why, since as I checked, "other" could read and execute the folders and could also read the certificate and key.

~$ sudo chown ldap:ldap ./certs/ ./private/ ./cacerts/

~$ sudo chown -R ldap:ldap ./private/ ./cacerts/

~$ ls -la
total 24
drwxr-xr-x.  7 root root  122 Aug 20 17:42 .
drwxr-xr-x. 78 root root 8192 Aug 20 18:07 ..
drwxr-xr-x.  2 ldap ldap   20 Aug 20 17:42 cacerts
drwxr-xr-x.  2 ldap ldap  106 Aug 20 17:42 certs
-rw-r--r--.  1 root root  121 Jan 29  2019 check_password.conf
-rw-r--r--.  1 root root  363 Jan 29  2019 ldap.conf
drwxr-xr-x.  2 ldap ldap   22 Aug 20 17:42 private
drwxr-xr-x.  2 root root 4096 Aug 20 17:42 schema
drwxr-x---.  3 ldap ldap   45 Aug 20 17:42 slapd.d

~$ /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:// -f /tmp/certs.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

~$ grep -R olcTLS /etc/openldap/slapd.d
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/private/ldap.key
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt

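As an added example (not part of the original question or answer), the following helper emulates the Unix permission check the slapd service account faces when it opens `olcTLSCertificateFile` and `olcTLSCertificateKeyFile`: every parent directory must be traversable and the file itself readable by that account. Running it before `ldapmodify` surfaces the ownership problem the answer above fixed. It assumes GNU coreutils (`stat -c`, `readlink -f`) on Linux; the user name and paths are parameters you supply.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Emulates the Unix permission check
# slapd makes when it opens olcTLSCertificateFile / olcTLSCertificateKeyFile:
# every parent directory must be traversable (x) and the file readable (r) by
# the service account. Assumes GNU coreutils (stat -c, readlink -f) on Linux.

# perm_ok PATH USER BIT: succeed if USER holds permission BIT (4=read, 1=traverse)
# on PATH, judged from the owner/group/other mode digits the way the kernel does.
perm_ok() {
    local path=$1 user=$2 bit=$3 mode owner group digit g
    [ "$user" = root ] && return 0          # root bypasses DAC checks
    mode=$(stat -c '%a' "$path") || return 2
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    mode=${mode: -3}                        # drop a leading setuid/setgid/sticky digit
    if [ "$owner" = "$user" ]; then
        digit=${mode:0:1}
    else
        digit=${mode:2:1}                   # "other" unless USER is in the file's group
        for g in $(id -Gn "$user" 2>/dev/null); do
            [ "$g" = "$group" ] && { digit=${mode:1:1}; break; }
        done
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# tls_file_readable FILE USER: report the first path component that blocks USER.
tls_file_readable() {
    local file user dir
    file=$(readlink -f "$1") || return 2    # follow symlinks to the real path
    user=$2
    dir=$(dirname "$file")
    while :; do
        perm_ok "$dir" "$user" 1 || { echo "$user cannot traverse $dir"; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    perm_ok "$file" "$user" 4 || { echo "$user cannot read $file"; return 1; }
    echo "$user can read $file"
}

# Usage: check_tls_paths ldap /etc/openldap/certs/ldap.crt /etc/openldap/private/ldap.key
check_tls_paths() {
    local user=$1 rc=0 f; shift
    for f in "$@"; do tls_file_readable "$f" "$user" || rc=1; done
    return $rc
}

if [ $# -gt 0 ]; then check_tls_paths "$@"; fi
```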