When configuring TLS for OpenLDAP using cn=config database modifications, many administrators encounter the cryptic "Other (e.g., implementation specific) error (80)" during certificate deployment. This often occurs when trying to apply configurations via ldapmodify.
First, verify that the certificate paths are correct and absolute: slapd opens these files itself, as its own service account, so a path that root can read from a shell proves nothing. Error (80) at this step usually means slapd could not read one of the files or could not build a TLS context from them. Run:
sudo ls -l /etc/ssl/certs/cacert.pem \
/etc/ssl/certs/test-ldap-server_cert.pem \
/etc/ssl/private/test-ldap-server_key.pem
Ensure:
- The files exist at the specified paths
- The account slapd runs as (openldap on Debian/Ubuntu, ldap on RHEL-family systems) can read all three, including traversing /etc/ssl/private, which on Debian/Ubuntu is mode 0710 root:ssl-cert, so the service account must be a member of ssl-cert and slapd restarted afterwards
- The key file is mode 0400 owned by the service account, or 0640 with root as owner and the service group as group; it must never be world-readable
- The private key actually matches the certificate; a mismatched pair is one of the most common triggers of error (80)
- If the host runs AppArmor (Ubuntu does by default), the slapd profile permits the paths you chose; denials appear in the kernel log (dmesg) as apparmor="DENIED" lines naming /usr/sbin/slapd
Alternatively, if the server actually starts from slapd.conf (traditional static configuration; when a slapd.d directory is in use, slapd.conf is ignored), add these lines there:
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/test-ldap-server_cert.pem
TLSCertificateKeyFile /etc/ssl/private/test-ldap-server_key.pem
Then restart slapd.
SASL/EXTERNAL over ldapi:/// authenticates by the peer's uid and gid, which slapd maps to a DN of the form gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth for root. The stock cn=config ACL on Debian/Ubuntu grants manage access only to that root DN, so the modify has to run as root rather than as your own user, and the socket directory must be traversable. Check:
sudo ls -la /var/run/slapd/
Then run the modification as root with client-side tracing enabled (-d 1):
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif -d 1
Test that the server certificate chains to the CA file (this fails if an intermediate is missing from cacert.pem; slapd does not check the chain at configuration time, but clients will reject the server later):
openssl verify -CAfile /etc/ssl/certs/cacert.pem \
/etc/ssl/certs/test-ldap-server_cert.pem
If the attributes are not set yet, add all three in a single modify operation: slapd validates the certificate against the key when the operation completes, so setting only one of them can itself fail with error (80). If any attribute already exists, add: fails with "Type or value exists (20)"; use replace: for those. The paths in this LDIF differ from the ones used above; substitute the paths your files actually have:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap-server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap-server.key
When configuring TLS for OpenLDAP using dynamic configuration (cn=config), many administrators encounter error 80 during certificate deployment. The issue typically manifests when running:
ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
SASL/EXTERNAL authentication started
[...]
ldap_modify: Other (e.g., implementation specific) error (80)
At modify time, error 80 almost always means slapd could not initialise its TLS context from the new values. Check, in this order:
- Certificate or key file not readable by the slapd service account (file mode, group, traversal of /etc/ssl/private, or an AppArmor profile)
- Private key that does not match the certificate, or a certificate or key in a format slapd cannot parse
- Conflicting TLS settings already present in cn=config (for example add: on an attribute that already has a value, or a new certificate set while the old key is still configured)
A missing intermediate certificate in the CA file does not break the modify itself, but clients will fail to verify the server afterwards. An "Invalid DN syntax (34)" error on a simple bind is a different problem: the -D value is malformed and the modify is never attempted.
First, fix ownership and permissions (openldap is the Debian/Ubuntu service group; use ldap on RHEL-family systems):
sudo chmod 644 /etc/ssl/certs/cacert.pem
sudo chmod 640 /etc/ssl/private/test-ldap-server_key.pem
sudo chown root:openldap /etc/ssl/private/test-ldap-server_key.pem
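Pre-flight script, as an added example that is not part of the original page: it runs the existence, permission, key/certificate match and chain checks described above (the ls checklist and openssl verify step in the first part, and the chmod/chown step just above) as one function, so that all of them are done before cn=config is touched. It assumes the service account name is passed as the last argument (openldap on Debian/Ubuntu, ldap on RHEL-family), that GNU or BSD stat is available, and that openssl is on PATH for the match and chain tests (they are skipped with a warning otherwise). It does not test directory traversal or AppArmor; do that separately as the service account (for example with sudo -u openldap cat on the key file).

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the three
# files referenced by olcTLSCACertificateFile, olcTLSCertificateFile and
# olcTLSCertificateKeyFile, run before touching cn=config.
# Assumptions: SVC is the account slapd runs as (openldap on Debian/Ubuntu,
# ldap on RHEL-family); GNU or BSD stat is present; openssl is optional.

# Permission bits (e.g. 640), owner and group of a file: GNU stat first, BSD fallback.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su'  "$1"; }
group_of() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg'  "$1"; }

# check_tls_files CA CERT KEY SVC
# Prints one line per finding and returns 0 only if every check passed.
check_tls_files() {
    ca=$1; cert=$2; key=$3; svc=$4; rc=0

    # 1. Existence. slapd needs absolute paths, so a relative path is a finding too.
    for f in "$ca" "$cert" "$key"; do
        case $f in /*) ;; *) echo "RELATIVE PATH: $f"; rc=1 ;; esac
        [ -f "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. Key permissions: never world-readable, and readable by the service
    #    account either as owner (mode 400) or through its group (mode 640).
    m=$(mode_of "$key")
    other=$(( m % 10 )); grp=$(( (m / 10) % 10 )); own=$(( (m / 100) % 10 ))
    if [ "$other" -ne 0 ]; then
        echo "KEY WORLD-ACCESSIBLE: $key is mode $m"; rc=1
    fi
    if [ "$(owner_of "$key")" = "$svc" ] && [ $(( own & 4 )) -ne 0 ]; then
        :  # owned and readable by the service account
    elif [ "$(group_of "$key")" = "$svc" ] && [ $(( grp & 4 )) -ne 0 ]; then
        :  # root-owned, group-readable by the service group (root:openldap 640)
    else
        echo "KEY UNREADABLE BY $svc: $key is $(owner_of "$key"):$(group_of "$key") mode $m"; rc=1
    fi

    # 3. Key/certificate match and chain, the other two classic causes.
    if command -v openssl >/dev/null 2>&1; then
        certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$certpub" ] || [ -z "$keypub" ]; then
            echo "UNPARSEABLE: $cert or $key is not PEM that openssl can read"; rc=1
        elif [ "$certpub" != "$keypub" ]; then
            echo "MISMATCH: public key in $cert is not the key in $key"; rc=1
        fi
        if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "CHAIN: $cert does not verify against $ca (missing intermediate?)"; rc=1
        fi
    else
        echo "SKIPPED: openssl not found; key/certificate match and chain not checked"
    fi
    return "$rc"
}

# Usage on the paths from this page:
#   check_tls_files /etc/ssl/certs/cacert.pem \
#       /etc/ssl/certs/test-ldap-server_cert.pem \
#       /etc/ssl/private/test-ldap-server_key.pem openldap
```

The public-key comparison (x509 -pubkey against pkey -pubout) works for RSA and EC keys alike, which is why it is used instead of comparing RSA moduli. A non-zero exit with a MISMATCH or KEY UNREADABLE line is exactly the situation in which ldapmodify reports error (80) with no further detail.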
For cn=config, use replace: rather than add:, which works whether or not the attributes already exist, and set all three in one operation:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/test-ldap-server_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/test-ldap-server_key.pem
When seeing "Invalid DN syntax (34)" on a simple bind, check the format of the bind DN:
# Correct format example:
ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f certinfo.ldif
# Common mistakes:
# Missing quotes when the DN contains spaces or shell metacharacters
# Incorrect dc hierarchy (it must match the database suffix exactly)
# Trailing commas
Note that a well-formed DN is not enough: the rootdn of the data database (cn=admin,dc=example,dc=com) normally has no rights on cn=config, which has its own olcRootDN (on Debian/Ubuntu typically cn=admin,cn=config, with no olcRootPW set). Unless you set an olcRootPW for the config database, SASL/EXTERNAL over ldapi:/// as root is the only way to modify it, and a simple bind fails with "Insufficient access (50)" rather than error 80.
After applying changes, verify that StartTLS works; -ZZ makes ldapsearch fail rather than fall back to plaintext if the TLS upgrade is refused. The client must trust the CA (TLS_CACERT in /etc/ldap/ldap.conf, or export LDAPTLS_CACERT=/etc/ssl/certs/cacert.pem), and the hostname you connect to must match the certificate, so use the server's name rather than localhost unless localhost is among the certificate's subject alternative names:
ldapsearch -ZZ -H ldap://localhost -x -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -W
If that fails, stop the service (systemctl stop slapd) and run slapd in the foreground with debugging. -d 1 (trace) is enough to see the TLS initialisation messages; 16384 is the syncrepl level and prints nothing about TLS. Run it as the service account with -u and -g so that a permission problem is reproduced instead of being masked by root, and leave ldaps:/// out of the listener list until TLS is known to work:
sudo slapd -d 1 -u openldap -g openldap -F /etc/ldap/slapd.d -h "ldap:/// ldapi:///"
If dynamic configuration keeps failing, fall back to a static slapd.conf to isolate the problem:
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/test-ldap-server_cert.pem
TLSCertificateKeyFile /etc/ssl/private/test-ldap-server_key.pem
Start slapd with -f /etc/ldap/slapd.conf to test it. Once it works, convert back to cn=config. Convert into an empty configuration directory (move the existing /etc/ldap/slapd.d aside and create a fresh one first), and afterwards chown the new directory recursively to the service account, otherwise slapd cannot read its own configuration:
sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d