When setting up OpenLDAP with TLS on Ubuntu 12.04, many administrators encounter the puzzling error:
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCertificateFile: no equality matching rule
This error occurs because the OpenLDAP dynamic configuration backend (cn=config) enforces its schema strictly. The olcTLSCertificateFile
attribute is defined without an EQUALITY matching rule, so when ldapmodify sends an add: for it while the attribute already holds a value, slapd has no rule with which to compare the old and new values and rejects the operation; no default schema supplies such a rule.
Here's the proper way to configure TLS certificates in OpenLDAP 2.4:
# Create a new LDIF file (tls-config.ldif)
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
Then apply it using:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls-config.ldif
If the modify operation still fails, try creating the configuration entry from scratch. Note that ldapadd can only create cn=config when no such entry exists yet (an empty or freshly initialised config directory); against a running server that already has cn=config it reports that the entry already exists, and the replace-based LDIF above is the one to use.
# Create a new LDIF file (tls-add.ldif)
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
Apply with:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f tls-add.ldif
After successful configuration, verify with:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | grep TLS
Test TLS connectivity with StartTLS on the standard ldap:// port (-ZZ must not be combined with an ldaps:// URI, because that connection is already TLS and the StartTLS request fails):
ldapsearch -x -H ldap://localhost -ZZ -b dc=example,dc=com
If slapd also listens on ldaps:// (port 636), test that listener with the same command, using -H ldaps://localhost and dropping -ZZ.
Ensure proper permissions for the certificate files:
sudo chown openldap:openldap /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod 600 /etc/ssl/private/ldap01_slapd_key.pem
When setting up TLS encryption for OpenLDAP on Ubuntu 12.04, many administrators encounter this specific error during certificate configuration:
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCertificateFile: no equality matching rule
This error occurs because OpenLDAP's configuration system (cn=config) requires special handling for certain attributes. The olcTLSCertificateFile
attribute is defined without an EQUALITY matching rule in the schema, so an add: for it cannot be checked against an existing value and is refused; the attribute has to be changed with replace: rather than add:.
Instead of trying to add the TLS configuration attributes directly, we need to replace the existing values. Here's the corrected certinfo.ldif:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
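A small linter, added here as an example (not code from the original page or from OpenLDAP), that catches the mistake behind the error above before ldapmodify is run: an add: aimed at one of the olcTLS* file attributes, which carry no EQUALITY rule. It unfolds one LDIF change record, reads the dn, changetype and mods, and reports any add: on those attributes. The attribute list and the two sample LDIFs are constructed for the example.

```python
"""Lint an LDIF change record aimed at cn=config before running ldapmodify.

Added example, not code from the original page. It unfolds the LDIF, reads
the change record, and flags an 'add:' on an attribute that the config
schema defines without an EQUALITY rule (the olcTLS* file attributes):
that is the combination slapd rejects with "Inappropriate matching (18):
no equality matching rule" once the attribute already holds a value.
"""
from typing import List, Optional, Tuple

# Assumption for this example: config attributes that carry no EQUALITY rule.
NO_EQUALITY_ATTRS = {
    "olctlscacertificatefile",
    "olctlscertificatefile",
    "olctlscertificatekeyfile",
}

Op = Tuple[str, str, List[str]]  # (operation, attribute, values)


def unfold_ldif(text: str) -> List[str]:
    """Join continuation lines (leading space) and drop '#' comment lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_change_record(text: str) -> Tuple[str, str, List[Op]]:
    """Return (dn, changetype, ops) for a single LDIF record.

    A record without 'changetype:' is treated as 'modify', which is what
    ldapmodify assumes unless it is run with -a.
    """
    dn, changetype = "", "modify"
    ops: List[Op] = []
    current: Optional[Op] = None
    for line in unfold_ldif(text):
        if not line.strip():
            continue
        if line.strip() == "-":  # separates the mods of one modify record
            if current is not None:
                ops.append(current)
                current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            changetype = value.lower()
        elif key in ("add", "replace", "delete"):
            if current is not None:
                ops.append(current)
            current = (key, value, [])
        elif current is not None and key == current[1].lower():
            current[2].append(value)
        # Attribute lines outside a mod (objectClass in an add record) are not ops.
    if current is not None:
        ops.append(current)
    return dn, changetype, ops


def lint_config_change(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the record looks safe."""
    findings: List[str] = []
    dn, changetype, ops = parse_change_record(text)
    if changetype != "modify":
        return findings  # only modify records use add:/replace:
    if dn.lower() != "cn=config":
        findings.append(f"dn is '{dn}', expected cn=config for TLS settings")
    for op, attr, values in ops:
        if op == "add" and attr.lower() in NO_EQUALITY_ATTRS:
            findings.append(
                f"{attr}: 'add:' cannot be duplicate-checked (no EQUALITY rule); "
                f"use 'replace:' instead"
            )
        if op in ("add", "replace") and not values:
            findings.append(f"{attr}: '{op}:' carries no value")
    return findings


# Constructed sample: the failing form (add: on an attribute that already has a value).
BAD_LDIF = """dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
"""

# Constructed sample: the working form (replace: for every TLS attribute).
GOOD_LDIF = """dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_LDIF), ("good", GOOD_LDIF)):
        print(name, lint_config_change(text) or ["ok"])
```

Run it on the file you are about to hand to ldapmodify; a finding on any olcTLS* attribute means the record will produce the "no equality matching rule" rejection on a server where the attribute is already set.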
If you're starting from scratch (no cn=config entry yet, for example a freshly initialised config directory), it's often easier to use ldapadd
with a fresh configuration; on a server where cn=config already exists, ldapadd reports that the entry already exists and the replace-based LDIF above must be used:
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
After applying the changes, verify your TLS setup with:
ldapsearch -ZZ -H ldap://localhost -x -b "" -s base
The -ZZ flag forces StartTLS and makes ldapsearch fail if the TLS negotiation does not succeed. If successful, you should see your root DSE information.
- Ensure certificate files have proper permissions (slapd user must be able to read them)
- Verify certificate paths in the config match the actual file locations
- Check that certificates are in PEM format (not DER)
- Confirm the CN in your certificate matches the server's FQDN
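An added example (not code from the original page or from OpenLDAP) that turns the checklist above into an audit of the files cn=config points at: a missing file, DER where PEM is expected, a private key the slapd user cannot read, and a key with permissions wider than 0600. File contents and ownership come from a loader callable so the checks run here against constructed data; os_loader is the real-filesystem version. The sample files and the slapd uid/gid are assumptions for the example, and the CN-versus-FQDN check is left out because it needs a certificate parser.

```python
"""Audit the files an OpenLDAP TLS configuration points at.

Added example, not code from the original page. Given the olcTLS* values
from cn=config, it reports files that are missing, not PEM, unreadable by
the slapd user, or (for the key) readable by anyone else.
"""
import os
import stat
from typing import Callable, Dict, List, NamedTuple, Optional


class FileInfo(NamedTuple):
    data: bytes
    mode: int  # permission bits only, e.g. 0o600
    uid: int
    gid: int


Loader = Callable[[str], Optional[FileInfo]]

TLS_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile")


def os_loader(path: str) -> Optional[FileInfo]:
    """Loader backed by the real filesystem; None when the file is missing or unreadable."""
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return FileInfo(data, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def dict_loader(files: Dict[str, FileInfo]) -> Loader:
    """Loader over an in-memory dict, used for the constructed sample below."""
    return lambda path: files.get(path)


def detect_encoding(data: bytes) -> str:
    """'pem' for a PEM armour header, 'der' for a leading ASN.1 SEQUENCE tag, else 'unknown'."""
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):
        return "pem"
    if head[:1] == b"\x30":
        return "der"
    return "unknown"


def readable_by(info: FileInfo, uid: int, gid: int) -> bool:
    """Would a process running as uid/gid pass the mode-bit read check? (ACLs and root ignored.)"""
    if info.uid == uid:
        return bool(info.mode & stat.S_IRUSR)
    if info.gid == gid:
        return bool(info.mode & stat.S_IRGRP)
    return bool(info.mode & stat.S_IROTH)


def audit_tls_files(attrs: Dict[str, str], load: Loader, slapd_uid: int, slapd_gid: int) -> List[str]:
    """Return one finding per problem; an empty list means the referenced files look usable."""
    findings: List[str] = []
    for attr in TLS_ATTRS:
        path = attrs.get(attr)
        if not path:
            findings.append(f"{attr}: not set in cn=config")
            continue
        info = load(path)
        if info is None:
            findings.append(f"{attr}: {path} does not exist or cannot be read")
            continue
        enc = detect_encoding(info.data)
        if enc != "pem":
            findings.append(f"{attr}: {path} looks like {enc}, not PEM")
        if not readable_by(info, slapd_uid, slapd_gid):
            findings.append(f"{attr}: {path} is not readable by the slapd user (uid {slapd_uid})")
        if attr == "olcTLSCertificateKeyFile" and info.mode & 0o077:
            findings.append(f"{attr}: {path} has mode {info.mode:o}; private key should be 0600")
    return findings


# Constructed sample: the paths from the page, with two deliberate faults.
SLAPD_UID, SLAPD_GID = 112, 118  # assumed ids for the openldap user and group
SAMPLE_ATTRS = {
    "olcTLSCACertificateFile": "/etc/ssl/certs/cacert.pem",
    "olcTLSCertificateFile": "/etc/ssl/certs/ldap01_slapd_cert.pem",
    "olcTLSCertificateKeyFile": "/etc/ssl/private/ldap01_slapd_key.pem",
}
SAMPLE_FS = {
    "/etc/ssl/certs/cacert.pem": FileInfo(
        b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n", 0o644, 0, 0),
    # fault 1: the server certificate was exported as DER
    "/etc/ssl/certs/ldap01_slapd_cert.pem": FileInfo(b"\x30\x82\x03\x10\x30\x82", 0o644, 0, 0),
    # fault 2: the key is 0600 but still owned by root, so slapd cannot open it
    "/etc/ssl/private/ldap01_slapd_key.pem": FileInfo(
        b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n", 0o600, 0, 0),
}

if __name__ == "__main__":
    for finding in audit_tls_files(SAMPLE_ATTRS, dict_loader(SAMPLE_FS), SLAPD_UID, SLAPD_GID):
        print(finding)
```

Against a real host, pass os_loader and the uid/gid of the openldap account; the second sample fault is exactly the state the chown/chmod lines earlier on the page are there to fix.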
For those who need to modify the schema (not recommended for most cases), the LDIF would have this shape. Two caveats: olcTLSCertificateFile is defined inside slapd's own configuration schema rather than in the core schema, so slapd refuses a second definition of the same name, and the OID used below is the Directory String syntax OID rather than an attribute OID, so a real definition would need its own OID:
dn: cn={1}core,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.1466.115.121.1.15 NAME 'olcTLSCertificateFile'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )