• 12
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

System: Ubuntu 16.04 running OpenLDAP 2.4.42

I'm following the tutorial to configure OpenLDAP for TLS. The LDIF file that I ended up creating is as follows:

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mysite_slapd_key.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mysite_slapd_cert.pem

The issue is that when I run sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f myFile.ldif, I get the following error:

$ sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f myFile.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

I have google'd around for this and stumbled upon this Server Fault post. I have tried everything in the answers there but I still get the error.

To elaborate, /etc/ssl/certs/mysite_slapd_cert.pem is owned by the ssl-cert group, which openldap is a member of, just like the instructions on the Ubuntu page specified. In essence, I have run these commands:

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/mysite_slapd_key.pem
sudo chmod g+r /etc/ssl/private/mysite_slapd_key.pem
sudo chmod o-r /etc/ssl/private/mysite_slapd_key.pem

Below is the output of slapd when running in -d 65 mode (as suggested in one of the answers to the other serverfault post):

57c8c219 slap_listener_activate(8):
57c8c219 >>> slap_listener(ldapi:///)
57c8c219 connection_get(15): got connid=1000
57c8c219 connection_read(15): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 24 contents:
57c8c219 op tag 0x60, time 1472774681
ber_get_next
57c8c219 conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
57c8c219 >>> dnPrettyNormal: <>
57c8c219 <<< dnPrettyNormal: <>, <>
57c8c219 do_bind: dn () SASL mech EXTERNAL
57c8c219 ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
57c8c219 <==slap_sasl2dn: Converted SASL name to <nothing>
57c8c219 SASL Authorize [conn=1000]:  proxy authorization allowed authzDN=""
57c8c219 send_ldap_sasl: err=0 len=-1
57c8c219 do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
57c8c219 send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 15
57c8c219 <== slap_sasl_bind: rc=0
57c8c219 connection_get(15): got connid=1000
57c8c219 connection_read(15): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 245 contents:
57c8c219 op tag 0x66, time 1472774681
ber_get_next
57c8c219 conn=1000 op=1 do_modify
ber_scanf fmt ({m) ber:
ber_scanf fmt ({e{m[W]}}) ber:
ber_scanf fmt ({e{m[W]}}) ber:
ber_scanf fmt ({e{m[W]}}) ber:
57c8c219 >>> dnPrettyNormal: <cn=config>
57c8c219 <<< dnPrettyNormal: <cn=config>, <cn=config>
57c8c219 oc_check_required entry (cn=config), objectClass "olcGlobal"
57c8c219 oc_check_allowed type "objectClass"
57c8c219 oc_check_allowed type "cn"
57c8c219 oc_check_allowed type "olcArgsFile"
57c8c219 oc_check_allowed type "olcLogLevel"
57c8c219 oc_check_allowed type "olcPidFile"
57c8c219 oc_check_allowed type "olcToolThreads"
57c8c219 oc_check_allowed type "structuralObjectClass"
57c8c219 oc_check_allowed type "entryUUID"
57c8c219 oc_check_allowed type "creatorsName"
57c8c219 oc_check_allowed type "createTimestamp"
57c8c219 oc_check_allowed type "olcTLSCACertificateFile"
57c8c219 oc_check_allowed type "olcTLSCertificateKeyFile"
57c8c219 oc_check_allowed type "olcTLSCertificateFile"
57c8c219 oc_check_allowed type "entryCSN"
57c8c219 oc_check_allowed type "modifiersName"
57c8c219 oc_check_allowed type "modifyTimestamp"
57c8c219 send_ldap_result: conn=1000 op=1 p=3
57c8c219 send_ldap_response: msgid=2 tag=103 err=80
ber_flush2: 14 bytes to sd 15
57c8c219 connection_get(15): got connid=1000
57c8c219 connection_read(15): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
57c8c219 op tag 0x42, time 1472774681
ber_get_next
57c8c219 conn=1000 op=2 do_unbind
57c8c219 connection_close: conn=1000 sd=15
      • 2
    • Have you restarted slapd after adding its user to the ssl-cert group? A process "gets" its UID, GID and GIDs of supplementary groups at its startup; whatever tweaks you did to these things after the startup are not "seen" by the running process.
      • 2
    • Basically, you can do cat /proc//status to see what UID and GIDs it actually possess, and which will be used when evaluating its access permissions when it's about to access something on a filesystem.
      • 2
    • Debian wiki and a great deal of other howtos suggest using add actions in your LDIF file. I am not an expert, but may be replace simply finds nothing to replace and hence fails? Errors from slapd OLC are always helpless, I must admit. And no, debugging mode added zero information to the picture (besides the fact the server seemingly understood the names of the config entries).
    • what about issuing only the first part of the add? Please trim the myFile.ldif to 4 lines (upto, includive: olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem) and try again the insert.

Trending Tags