
Re: slapd makes very strange troubles in VServer



Howard Chu wrote:
> Niki Hammler wrote:
>> Hi,
>>
>> Today I began to move my LDAP-Server to a Linux VServer jail. On the
>> host and on the VServer I run Debian etch 4.0. Installing slapd was no
>> problem (aptitude install slapd). I just copied all configuration and
>> data files from the host which worked perfectly before and copied them
>> 1:1 into the VServer.
>>
>> slapd starts without any warnings. But connecting with a client is not
>> possible, neither inside the VServer nor outside.
> 
> Please show the slapd debug logs when running with "-d -1" for these
> connection attempts.

Hi,

Thank you for your quick answer!

This is the output (after the startup output) when connecting via SSL:



daemon: activity on 1 descriptor
>>> slap_listener(ldaps:///)daemon: listen=6, new connection on 11
ldap_pvt_gethostbyname_a: host=wlan.intern.stiftingtal.net, r=0
daemon: added 11r (active) listener=(nil)
conn=0 fd=11 ACCEPT from IP=192.168.0.2:43760 (IP=0.0.0.0:636)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 74 01 03 01 00 4b 00  00 00 20                  .t....K...
tls_read: want=107, got=107
  0000:  00 00 39 00 00 38 00 00  35 00 00 16 00 00 13 00   ..9..8..5.......
  0010:  00 0a 07 00 c0 00 00 33  00 00 32 00 00 2f 03 00   .......3..2../..
  0020:  80 00 00 05 00 00 04 01  00 80 00 00 15 00 00 12   ................
  0030:  00 00 09 06 00 40 00 00  14 00 00 11 00 00 08 00   .....@..........
  0040:  00 06 04 00 80 00 00 03  02 00 80 fb fb f7 a3 58   ...............X
  0050:  ee 80 3e 8d 15 ea 2b 74  23 8d 4a c6 bd 0d 27 5c   ..>...+t#.J...'\
  0060:  bc ca cb b0 d2 45 42 3d  41 21 da                  .....EB=A!.
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id
callback failed ssl_sess.c:232
connection_read(11): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=11 for close
connection_close: conn=0 sd=11
daemon: removing 11
conn=0 fd=11 closed (TLS negotiation failure)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL



And this is the output for ldap://192.168.0.2 with '-ZZ' (i.e. using a
TLS-secured channel):



daemon: activity on 1 descriptor
>>> slap_listener(ldap:///)daemon: listen=7, new connection on 11
daemon: added 11r (active) listener=(nil)
conn=1 fd=11 ACCEPT from IP=192.168.0.2:42464 (IP=0.0.0.0:389)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=1
connection_read(11): checking for input on id=1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x081a0c20 ptr=0x081a0c20 end=0x081a0c3d len=29
  0000:  02 01 01 77 18 80 16 31  2e 33 2e 36 2e 31 2e 34   ...w...1.3.6.1.4
  0010:  2e 31 2e 31 34 36 36 2e  32 30 30 33 37            .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x081a0c20 ptr=0x081a0c23 end=0x081a0c3d len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
conn=1 op=0 STARTTLS
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
connection_get(11): got connid=1
connection_read(11): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 74 01 03 01 00 4b 00  00 00 20                  .t....K...
tls_read: want=107, got=107
  0000:  00 00 39 00 00 38 00 00  35 00 00 16 00 00 13 00   ..9..8..5.......
  0010:  00 0a 07 00 c0 00 00 33  00 00 32 00 00 2f 03 00   .......3..2../..
  0020:  80 00 00 05 00 00 04 01  00 80 00 00 15 00 00 12   ................
  0030:  00 00 09 06 00 40 00 00  14 00 00 11 00 00 08 00   .....@..........
  0040:  00 06 04 00 80 00 00 03  02 00 80 03 af 43 95 78   .............C.x
  0050:  f9 c3 d9 5f 92 17 53 1b  7a a7 aa 7a e1 ee ec 03   ..._..S.z..z....
  0060:  6e ce 2b 18 a9 66 5b 45  38 6e ac                  n.+..f[E8n.
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id
callback failed ssl_sess.c:232
connection_read(11): TLS accept failure error=-1 id=1, closing
connection_closing: readying conn=1 sd=11 for close
connection_close: deferring conn=1 sd=11
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
conn=1 op=0 RESULT oid= err=0 text=
connection_resched: attempting closing conn=1 sd=11
connection_close: conn=1 sd=11
daemon: removing 11
conn=1 fd=11 closed (TLS negotiation failure)




Normally, slapd is started with:

/usr/sbin/slapd -h ldaps:/// ldap:/// -g openldap -u openldap -4

(In Debian with /etc/init.d/slapd, this is from ps aux).

Now I started it with:

slapd -h ldaps:/// ldap:/// -g openldap -u openldap -4 -d -1


But now I also noticed one very interesting thing: starting slapd as
root makes everything work fine!

/usr/sbin/slapd -h ldaps:/// ldap:/// -4

But it would be great if I could start slapd as "openldap", for
security reasons!

> Also give the actual version numbers of the OpenLDAP software
> in use, and your SSL library. I have no idea what Debian
> bundles in their releases.

# dpkg -s slapd | grep Version
Version: 2.3.30-5
# slapd -V
@(#) $OpenLDAP: slapd 2.3.30 (Mar  9 2007 05:43:02) $

root@windlord:/tmp/buildd/openldap2.3-2.3.30/debian/build/servers/slapd

# dpkg -s libssl0.9.8 | grep Version
Version: 0.9.8c-4
# dpkg -s openssl | grep Version
Version: 0.9.8c-4


Thank you very much again,
Niki
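A small log summariser, added here as an illustration and not part of the thread or of OpenLDAP: it groups slapd -d -1 output of the kind pasted above into per-connection records (listener port, whether STARTTLS was requested, the OpenSSL error codes seen, and the close reason), so the ldaps and STARTTLS attempts can be compared side by side. The sample log is a constructed excerpt in the same format, and attributing the TLS lines, which carry no conn= prefix, to the most recently accepted connection is an assumption that only holds while no other connections are interleaved in the log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the slapd -d -1 output quoted above (not a real capture).
SAMPLE_LOG = """\
conn=0 fd=11 ACCEPT from IP=192.168.0.2:43760 (IP=0.0.0.0:636)
TLS: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id
conn=0 fd=11 closed (TLS negotiation failure)
conn=1 fd=11 ACCEPT from IP=192.168.0.2:42464 (IP=0.0.0.0:389)
conn=1 op=0 STARTTLS
TLS: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id
conn=1 fd=11 closed (TLS negotiation failure)
conn=2 fd=12 ACCEPT from IP=192.168.0.5:50001 (IP=0.0.0.0:389)
conn=2 fd=12 closed
"""
ACCEPT_RE = re.compile(r"^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=\S+:(\d+)\)$")
STARTTLS_RE = re.compile(r"^conn=(\d+) op=\d+ STARTTLS$")
TLS_ERR_RE = re.compile(r"^TLS: error:([0-9A-Fa-f]+):")   # OpenSSL error code only
CLOSED_RE = re.compile(r"^conn=(\d+) fd=\d+ closed(?: \((.*)\))?$")

@dataclass
class Conn:
    connid: int
    client: str
    port: int                 # listener port: 636 = ldaps, 389 = plain / STARTTLS
    starttls: bool = False
    tls_errors: list = field(default_factory=list)
    close_reason: str = "open"

def summarize(log_text):
    """Group the flat debug log into per-connection records keyed by conn id."""
    conns, current = {}, None
    for line in log_text.splitlines():
        if m := ACCEPT_RE.match(line):
            current = int(m.group(1))
            conns[current] = Conn(current, m.group(2), int(m.group(3)))
        elif m := STARTTLS_RE.match(line):
            current = int(m.group(1))
            conns[current].starttls = True
        elif (m := TLS_ERR_RE.match(line)) and current is not None:
            # assumption: TLS lines belong to the connection most recently seen
            conns[current].tls_errors.append(m.group(1))
        elif m := CLOSED_RE.match(line):
            conns[int(m.group(1))].close_reason = m.group(2) or "normal"
    return conns

def tls_failures(conns):   # (connid, mode, error codes) for each TLS-failed connection
    return [(c.connid, "STARTTLS" if c.starttls else "ldaps:%d" % c.port, c.tls_errors)
            for c in sorted(conns.values(), key=lambda c: c.connid)
            if c.close_reason == "TLS negotiation failure"]
```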