[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
slapd makes very strange troubles in VServer
- To: openldap-bugs@openldap.org
- Subject: slapd makes very strange troubles in VServer
- From: Niki Hammler <mailinglists@nobaq.net>
- Date: Wed, 29 Aug 2007 00:16:52 +0200
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.0
Hi,
Today I began to move my LDAP-Server to a Linux VServer jail. On the
host and on the VServer I run Debian etch 4.0. Installing slapd was no
problem (aptitude install slapd). I just copied all configuration and
data files from the host which worked perfectly before and copied them
1:1 into the VServer.
slapd starts without any warnings. But connecting with a client is not
possible, neither inside the VServer nor outside.
For security reasons, I just allow access with SSL or TLS-required (the
very same file worked greatly on the host!):
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
disallow bind_anon
require authc
security tls=1
TLSCACertificateFile /etc/ldap/ssl/cacert.crt
TLSCertificateFile /etc/ldap/ssl/ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap.key
TLSVerifyClient never
All key files and database files are accessible by slapd (user=openldap,
group=openldap).
Connecting to ldap and ldaps works greatly from inside the VServer and
also from outside:
$ nc 192.168.0.2 ldap
^c
$ nc 192.168.0.2 ldaps
^c
$
There are no packet filters installed, debugging with tcpdump (local
interface) shows the complete TCP traffic and handshake with no errors.
The strange error is always the same: The clients do not want to
connect, sending SSL stuff is always possible but after that, nothing is
received.
Let's begin with plain SSL:
$ openssl s_client -connect 192.168.0.2:636 -debug
CONNECTED(00000003)
write to 0x80bee90 [0x80bf4e8] (118 bytes => 118 (0x76))
0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00 .t....K... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @...............
0050 - 00 00 03 02 00 80 f5 5d-10 d2 64 21 24 0c b1 c3 .......]..d!$...
0060 - 92 37 72 7a 4a 9c 09 88-46 b2 f8 39 ef f6 c4 c8 .7rzJ...F..9....
0070 - 84 74 8e a6 79 e1 .t..y.
read from 0x80bee90 [0x80c4a48] (7 bytes => 0 (0x0))
20500:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
$
I did lots of tests with many LDAP clients (ldapwhoami, ldapsearch
commandline tools, PHP, Softerra LDAP Administrator and Clients in
exim4, Courier etc). In this case I show connecting with SSL using
ldapwhoami:
$ ldapwhoami -x -H ldaps://nobaq.intern.stiftingtal.net -D
"uid=nobaq,ou=users,dc=intern,dc=stiftingtal,dc=net" -w secret -v -d 999
ldap_initialize( ldaps://nobaq.intern.stiftingtal.net )
ldap_create
ldap_url_parse_ext(ldaps://nobaq.intern.stiftingtal.net)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP nobaq.intern.stiftingtal.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.2:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=118, written=118
0000: 80 74 01 03 01 00 4b 00 00 00 20 00 00 39 00 00 .t....K... ..9..
0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 8..5............
0020: 00 00 33 00 00 32 00 00 2f 03 00 80 00 00 05 00 ..3..2../.......
0030: 00 04 01 00 80 00 00 15 00 00 12 00 00 09 06 00 ................
0040: 40 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 @...............
0050: 00 00 03 02 00 80 20 25 c9 bb fe 68 e8 52 6c 87 ...... %...h.Rl.
0060: 04 ae 25 d1 8b f5 73 c8 3d ca 73 ab e3 92 3f 9f ..%...s.=.s...?.
0070: c9 9d 79 4e aa fb ..yN..
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
TLS: can't connect.
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)
$
As you can see, reading fails. And now using a normal connection but
with TLS:
ldapwhoami -x -H ldap://192.168.0.2 -D
"uid=nobaq,ou=users,dc=intern,dc=stiftingtal,dc=net" -w secret -v -d 999 -ZZ
ldap_initialize( ldap://192.168.0.2 )
ldap_create
ldap_url_parse_ext(ldap://192.168.0.2)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.0.2:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.2:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 0x8051088 msgid 1
ldap_chkResponseList ld 0x8051088 msgid 1 all 1
ldap_chkResponseList returns ld 0x8051088 NULL
wait4msg ld 0x8051088 msgid 1 (infinite timeout)
wait4msg continue ld 0x8051088 msgid 1 all 1
** ld 0x8051088 Connections:
* host: 192.168.0.2 port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Aug 29 00:04:19 2007
** ld 0x8051088 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8051088 Response Queue:
Empty
ldap_chkResponseList ld 0x8051088 msgid 1 all 1
ldap_chkResponseList returns ld 0x8051088 NULL
ldap_int_select
read1msg: ld 0x8051088 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 78 07 0a 0....x..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x8051088 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8051088 0 new referrals
read1msg: mark request completed, ld 0x8051088 msgid 1
request done: ld 0x8051088 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=118, written=118
0000: 80 74 01 03 01 00 4b 00 00 00 20 00 00 39 00 00 .t....K... ..9..
0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 8..5............
0020: 00 00 33 00 00 32 00 00 2f 03 00 80 00 00 05 00 ..3..2../.......
0030: 00 04 01 00 80 00 00 15 00 00 12 00 00 09 06 00 ................
0040: 40 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 @...............
0050: 00 00 03 02 00 80 83 33 38 7c c9 0a f9 0b 42 67 .......38|....Bg
0060: 76 97 03 8b e3 47 55 fe 74 ed 86 08 83 fe ed 88 v....GU.t.......
0070: 0e 40 53 97 e5 3e .@S..>
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
$
Connecting without the '-ZZ' seems to work, I get the "confidentiality
required" message:
$ ldapwhoami -x -H ldap://192.168.0.2 -D
"uid=nobaq,ou=users,dc=intern,dc=stiftingtal,dc=net" -w secret -v
ldap_initialize( ldap://192.168.0.2 )
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required
$
So I guess the problem is SSL. As said, all SSL files are accessible and
there are no errors in the logs or when starting slapd with '-d'. The
certificates CN is exactly the hostname.
I'm very frustrated because I can't find any errors. I repeat: the very
same configuration worked perfectly on the host system.
Is this a bug?
Thank you very much in advance for any advice,
Niki