
I am trying to configure TLS on my LDAP server. I have two computers, one with the LDAP server and another with an NFS share containing the Let's Encrypt generated certificates.

I want the first one to be able to read the certificates in the NFS mount. I followed a tutorial on the Debian wiki: here

When I do sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/olcTLS.ldif I get:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

Apparently this is a permission issue as seen here

Here is the content of the config file:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /mnt/certs/chain.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /mnt/certs/privkey.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /mnt/certs/cert.pem

So I set the group of the NFS shared directory to ssl-cert and added read permission for it. (All sub-directories have full read permission for everyone). Then on the LDAP server I have added the openldap user to the ssl-cert group. (The gid of ssl-cert is the same on both system).

I ran sudo -u openldap -g ssl-cert ls -l /mnt/certs and it worked. The openldap user is able to read files in the NFS mount. So maybe it's not a permission issue after all... what do you think?


It would not have worked yesterday because there were errors in the paths, and also Let's Encrypt uses symlinks, so there was no way the other system could access the files... I corrected it but it would not work either, so I tried reducing the margin of error by just copying the certificates onto the LDAP server directly, in /tmp, and it is still not working. I get the same error.

So AppArmor was preventing slapd from accessing /tmp. After fixing that, I was able to make it work. Now I have to make it work through the NFS share. The fact that it is not working with NFS is not related to AppArmor, and I tried without the symlinks and with full read permission, it is the same. So it is definitely a NFS related issue. – dblouis May 08 '17 at 11:11
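The checks described in the question (reading the files as the openldap user, following the Let's Encrypt symlinks, and looking for AppArmor denials against slapd) collected into one script, as an added example that is not part of the original post. The LDIF path, attribute names and the openldap user name are taken from the question; the AppArmor grep is best effort, and a readable file from a shell does not prove slapd itself is allowed to open it, since AppArmor confines the slapd process, not the shell.

```shell
#!/bin/sh
# Added example: verify that every file named by an olcTLS*File attribute in an
# LDIF is readable by the account slapd runs as (assumed: openldap, as in the
# question). Paths are followed through symlinks because Let's Encrypt's live/
# directory is a set of symlinks into archive/.

# Print the file paths named by olcTLSCACertificateFile, olcTLSCertificateFile
# and olcTLSCertificateKeyFile lines (attribute lines only, not "add:" lines).
tls_paths() {
    sed -n 's/^olcTLS[A-Za-z]*File: *//p' "$1"
}

# Resolve symlinks, then test readability of the final target as $1.
# When run as root with a user given, the test is performed via su so that
# the account's own uid/gid (e.g. ssl-cert membership) is what is checked.
# Returns 0 if readable, 1 otherwise.
check_path() {
    user=$1; path=$2
    target=$(readlink -f "$path") || return 1
    if [ -n "$user" ] && [ "$(id -u)" = 0 ]; then
        su -s /bin/sh -c "test -r '$target'" "$user"
    else
        test -r "$target"
    fi
}

# Check every TLS path in the LDIF; prints one line per path and returns the
# number of unreadable paths (paths are assumed not to contain spaces).
check_ldif() {
    user=$1; ldif=$2; failures=0
    for p in $(tls_paths "$ldif"); do
        if check_path "$user" "$p"; then
            echo "ok         $p -> $(readlink -f "$p")"
        else
            echo "UNREADABLE $p (as ${user:-$(id -un)})"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Recent AppArmor denials involving slapd from the kernel log, if any.
# Empty output does not prove the profile allows the path; check it directly.
apparmor_denials() {
    dmesg 2>/dev/null | grep -i 'apparmor="DENIED".*slapd' || true
}

# Usage on the LDAP host (as root):
#   check_ldif openldap /etc/ldap/olcTLS.ldif; apparmor_denials
```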

0 Answers