I am having a very strange problem configuring my CentOS OpenLDAP for STARTTLS. Here's what's going on.
I have a bunch of scripts that I use to configure my system. I do this to document a machine's setup and to ensure that I set it up the same way when the hardware is updated. Everything is working fine up until I go to configure OpenLDAP to use STARTTLS.
I have a template LDIF file, which I then use sed to modify with the machine's hostname. When I attempt to modify the OpenLDAP configuration, it fails with:

```
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
```
If I try again at the command line (outside the script) it still fails.
I can get it to work in one way: if I swap the config "paragraphs" after editing with VIM and save, then ldapmodify will succeed. It does not matter what order they are in to start with. They have to be swapped.

Other things I have tried that still fail:
- Open the ldif file in VIM, and force a save, and exit.
- Save the successful LDIF file and try to install on a fresh machine.
Can anyone think of why I have to open the LDIF file in VIM, change the order of operations, and then rerun ldapmodify? This makes no sense to me.
Here is my template file:

```ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/SERVERNAME.key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/SERVERNAME.crt
```
Here's the relevant part of the script:

```sh
SERVERNAME=`hostname`
sed -e 's@SERVERNAME@'$SERVERNAME'@g' -i ldap-certs.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/ldap-certs.ldif
```
Here's the LDIF file after sed gets done with it:

```ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/centostest.key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/centostest.crt
```
Finally, here's the -d 167 version of the ldapmodify output.
```
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=centostest
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 26 bytes to sd 4
ldap_write: want=26, written=26
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ldap_msgfree
ldap_result ld 0x558654ff7480 msgid 1
wait4msg ld 0x558654ff7480 msgid 1 (infinite timeout)
wait4msg continue ld 0x558654ff7480 msgid 1 all 1
** ld 0x558654ff7480 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Tue May 7 17:24:13 2019
** ld 0x558654ff7480 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x558654ff7480 request count 1 (abandoned 0)
** ld 0x558654ff7480 Response Queue:
Empty
ld 0x558654ff7480 response count 0
ldap_chkResponseList ld 0x558654ff7480 msgid 1 all 1
ldap_chkResponseList returns ld 0x558654ff7480 NULL
ldap_int_select
read1msg: ld 0x558654ff7480 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x558654ff7480 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x558654ff7480 0 new referrals
read1msg: mark request completed, ld 0x558654ff7480 msgid 1
request done: ld 0x558654ff7480 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 91 bytes to sd 4
ldap_write: want=91, written=91
0000: 30 59 02 01 02 66 54 04 09 63 6e 3d 63 6f 6e 66 0Y...fT..cn=conf
0010: 69 67 30 47 30 45 0a 01 02 30 40 04 18 6f 6c 63 ig0G0E...0@..olc
0020: 54 4c 53 43 65 72 74 69 66 69 63 61 74 65 4b 65 TLSCertificateKe
0030: 79 46 69 6c 65 31 24 04 22 2f 65 74 63 2f 6f 70 yFile1$."/etc/op
0040: 65 6e 6c 64 61 70 2f 63 65 72 74 73 2f 63 65 6e enldap/certs/cen
0050: 74 6f 73 74 65 73 74 2e 6b 65 79 tostest.key
ldap_result ld 0x558654ff7480 msgid 2
wait4msg ld 0x558654ff7480 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x558654ff7480 msgid 2 all 1
** ld 0x558654ff7480 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Tue May 7 17:24:13 2019
** ld 0x558654ff7480 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x558654ff7480 request count 1 (abandoned 0)
** ld 0x558654ff7480 Response Queue:
Empty
ld 0x558654ff7480 response count 0
ldap_chkResponseList ld 0x558654ff7480 msgid 2 all 1
ldap_chkResponseList returns ld 0x558654ff7480 NULL
ldap_int_select
read1msg: ld 0x558654ff7480 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 02 67 07 0a 0....g..
ldap_read: want=6, got=6
0000: 01 50 04 00 04 00 .P....
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x558654ff7480 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x558654ff7480 0 new referrals
read1msg: mark request completed, ld 0x558654ff7480 msgid 2
request done: ld 0x558654ff7480 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_write: want=7, written=7
0000: 30 05 02 01 03 42 00 0....B.
ldap_free_connection: actually freed
```
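The debug trace above shows that the two LDIF records are sent as two separate modify operations, and that the first one (the key file on its own) is the one the server rejects with result code 80. As an added example, not the poster's script or anything from the OpenLDAP project, the sketch below renders both TLS attributes into a single modify record (one `dn:` block with `-` separators), so the server receives the certificate and the key in one operation and the order of two separate edits never matters. It also checks, with `openssl`, that the key actually belongs to the certificate before cn=config is touched, since a mismatched pair is reported by slapd with no more detail than error 80. Assumptions: the files live under `/etc/openldap/certs/` and are named after `hostname`, as in the question; `ldapmodify` can bind to `ldapi:///` with SASL EXTERNAL; the function names and the `APPLY_LDAP_TLS` guard are my own.

```shell
#!/bin/sh
# Added example (not the original poster's script). Renders the TLS certificate
# and key attributes for cn=config as ONE LDIF modify record and, only when
# APPLY_LDAP_TLS=1, applies it over ldapi:///.
# Assumption: certificate/key are /etc/openldap/certs/<hostname>.{crt,key}.

CERT_DIR="${CERT_DIR:-/etc/openldap/certs}"

# Render a single modify record for cn=config. Because both attributes sit in
# the same record, ldapmodify sends them in one LDAP modify operation, so the
# server never validates the key file without also being given the certificate.
# printf is used instead of sed so that characters special to sed or to the
# chosen sed delimiter cannot corrupt the LDIF.
render_tls_ldif() {
    name="$1"
    printf 'dn: cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: olcTLSCertificateFile\n'
    printf 'olcTLSCertificateFile: %s/%s.crt\n' "$CERT_DIR" "$name"
    printf '%s\n' -
    printf 'replace: olcTLSCertificateKeyFile\n'
    printf 'olcTLSCertificateKeyFile: %s/%s.key\n' "$CERT_DIR" "$name"
    printf '%s\n' -
}

# Return 0 only if the private key matches the certificate's public key.
# Both files must be readable by the caller (normally root, as slapd's
# configuration is changed over ldapi:/// with peer credentials).
tls_pair_matches() {
    crt="$1"
    key="$2"
    [ -r "$crt" ] && [ -r "$key" ] || return 1
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Check the pair, then feed the rendered record to ldapmodify on stdin.
apply_tls_config() {
    name="$(hostname)"
    if ! tls_pair_matches "$CERT_DIR/$name.crt" "$CERT_DIR/$name.key"; then
        echo "certificate and key for $name are unreadable or do not match" >&2
        return 1
    fi
    render_tls_ldif "$name" | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# Rendering is harmless; only modify the live server when explicitly asked.
if [ "${APPLY_LDAP_TLS:-0}" = "1" ]; then
    apply_tls_config
fi
```

Run `render_tls_ldif "$(hostname)"` first to eyeball the record, then `APPLY_LDAP_TLS=1 sh script.sh` as root to apply it. If `tls_pair_matches` fails on a pair you believe is correct, that points at the files themselves (permissions for the slapd user, or a key generated separately from the CSR) rather than at the LDIF.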