OpenLDAP TLS Authentication

I am trying to implement TLS as per https://help.ubuntu.com/lts/serverguide/openldap-server.html. When I try to modify the cn=config database with this ldif file:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/test-ldap-server_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/test-ldap-server_key.pem

I get the following error:

ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

What am I doing wrong?

EDIT: When I try to use simple auth, I get the following error:

ldapmodify -x -D cn=admin,dc=example,dc=com -W -f certinfo.ldif
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
        additional info: invalid DN

Solution 1:

I was following the same guide and had the same issue. It will work if you first do the steps under "Tighten up ownership and permissions", listed after the offending ldapmodify command, namely:

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private
sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod g+X /etc/ssl/private
sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem

and

sudo systemctl restart slapd.service
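The ownership and permission steps in Solution 1 are what clear error 80: slapd runs as user openldap and must be able to read the key file and traverse /etc/ssl/private. The following shell script is an added example (not from the question, the guide, or the answers) that checks exactly those two bits before ldapmodify is attempted; the function names are the example's own, and it assumes GNU stat and id are available, as on Ubuntu.

```shell
#!/bin/sh
# Pre-flight check for the failure behind "Other (e.g., implementation specific)
# error (80)": slapd runs as user openldap and must be able to read the TLS key
# and traverse /etc/ssl/private. Added example, not from the Ubuntu guide.

# perm_allows MODE OWNER GROUP WHO WHO_GROUPS BIT
#   MODE: octal mode as printed by `stat -c %a` (640, 2750, 0 ...)
#   WHO_GROUPS: space-separated groups of WHO, as printed by `id -Gn WHO`
#   BIT: r (read) or x (execute/traverse)
# Prints yes/no; returns 0 when WHO has that bit under ordinary Unix DAC.
perm_allows() {
    mode=$1 owner=$2 group=$3 who=$4 who_groups=$5 bit=$6
    case $mode in ''|*[!0-7]*) echo no; return 2 ;; esac
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    mode=${mode#"${mode%???}"}            # keep the last three digits only
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    case $bit in r) mask=4 ;; x) mask=1 ;; *) echo no; return 2 ;; esac
    if [ "$who" = root ]; then digit=7                  # root bypasses DAC
    elif [ "$who" = "$owner" ]; then digit=$u           # owner class wins
    else case " $who_groups " in
             *" $group "*) digit=$g ;;                  # supplementary group
             *)            digit=$o ;;
         esac
    fi
    if [ $((digit & mask)) -ne 0 ]; then echo yes; return 0; fi
    echo no; return 1
}

# check_tls_paths WHO FILE...: apply perm_allows to real files (read on the
# file, traverse on its parent directory). Needs GNU stat and id.
check_tls_paths() {
    who=$1; shift
    who_grps=$(id -Gn "$who" 2>/dev/null) || { echo "no such user: $who"; return 1; }
    rc=0
    for f in "$@"; do
        for p in "$f:r" "$(dirname "$f"):x"; do
            path=${p%:?}; bit=${p##*:}
            info=$(stat -c '%a %U %G' "$path" 2>/dev/null) \
                || { echo "$path: cannot stat"; rc=1; continue; }
            m=${info%% *}; rest=${info#* }; own=${rest%% *}; grp=${rest#* }
            ok=$(perm_allows "$m" "$own" "$grp" "$who" "$who_grps" "$bit")
            echo "$path mode=$m $own:$grp $bit for $who: $ok"
            [ "$ok" = yes ] || rc=1
        done
    done
    return $rc
}
# Usage: sh tlsperm.sh openldap /etc/ssl/private/ldap01_slapd_key.pem
if [ $# -gt 1 ]; then check_tls_paths "$@"; fi
```

A "no" on the key's read bit or the directory's traverse bit for openldap is the state that produces error 80; after the chgrp/chmod/adduser steps both report "yes".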

Solution 2:

Well, I don't know if this is a solution or just a workaround, but I managed to get it working.

I first stopped slapd with:

service slapd stop

Then I started it in debug mode:

slapd -h ldapi:/// -u openldap -g openldap -d 65 -F /etc/ldap/slapd.d/

It is important to start it ONLY with the ldapi:/// URL. After it started, I executed the ldapmodify command and the attributes were imported.

At the end, I stopped debug mode and started slapd normally.