Full_Name: Frederic POISSON
Version: 2.4.36
OS: RHEL 6.2
URL: ftp://ftp.openldap.org/incoming/slapcat_cn_config.ldif ftp://ftp.openldap.org/incoming/slapd_debug_255.txt ftp://ftp.openldap.org/incoming/gdb_output.txt
Submission from: (NULL) (57.250.229.136)

I'm testing the latest release of OpenLDAP 2.4.36 and my slapd crashes while I'm doing a change on cn=config.
My tests are with my own compilation of OpenLDAP on a RHEL6 server, but I see the same problem with the "LTB project RPMs" (http://ltb-project.org/wiki/download#openldap) with the RHEL6 package.

My aim is to modify cn=config like this in order to implement TLS; here is my ldapmodify command with the LDIF:

# /usr/local/openldap/bin/ldapmodify -f /tmp/ldif -h "localhost" -p "25389" -D "cn=root DN,cn=config" -w "secret"
modifying entry "cn=config"
ldap_result: Can't contact LDAP server (-1)

# cat /tmp/ldif
dn: cn=config
changetype: modify
add: olcTLSRandFile
olcTLSRandFile: /dev/random

The server shuts down when I add this entry, and with the slapd option "-d 255" I have:

slapd: result.c:813: slap_send_ldap_result: Assertion `!((rs->sr_err)<0)' failed.
/etc/init.d/slapd: line 285: 5461 Aborted $SLAPD_BIN -h "$SLAPD_SERVICES" $SLAPD_PARAMS

Notice that I tested this LDIF modification on release 2.4.35 without problem.

I put three files on your ftp: slapcat_cn_config.ldif corresponding to the configuration, slapd_debug_255.txt corresponding to the slapd process with debug set to 255 (only the part corresponding to the moment I launch the ldapmodify action), and gdb_output.txt corresponding to the full backtrace I ran when doing the ldapmodify action.

And so the credentials are "cn=root DN,cn=config" with password secret.
frederic.poisson@admin.gmessaging.net wrote:
> Full_Name: Frederic POISSON
> Version: 2.4.36
> OS: RHEL 6.2
> URL: ftp://ftp.openldap.org/incoming/slapcat_cn_config.ldif ftp://ftp.openldap.org/incoming/slapd_debug_255.txt ftp://ftp.openldap.org/incoming/gdb_output.txt
> Submission from: (NULL) (57.250.229.136)

Thanks for the report, this is now fixed in git master.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Hello all,

Thanks first for the patch; I have applied it on my own build of 2.4.36, but I now have a strange behaviour: slapd does not crash, but it refuses operations.

First, here is the diff after applying the patch:

$ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig
3795d3794
< slap_tls_ctx = NULL;
3804,3808d3802
< } else {
< if ( rc == LDAP_NOT_SUPPORTED )
< rc = LDAP_UNWILLING_TO_PERFORM;
< else
< rc = LDAP_OTHER;

Now when I only add or replace the attribute olcTLSRandFile on cn=config I have:

ldap_modify: Server is unwilling to perform (53)

When I replace the following values in this order, with 4 actions/operations or with a single action/operation, it works:

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem
-
replace: olcTLSRandFile
olcTLSRandFile: /dev/random

But it doesn't work with olcTLSRandFile if I do that (add or replace) first, why?

What do you need for investigation?

Regards,

On 30/08/13, Howard Chu <hyc@symas.com> wrote:
> frederic.poisson@admin.gmessaging.net wrote:
> > Full_Name: Frederic POISSON
> > Version: 2.4.36
> > OS: RHEL 6.2
> > URL: ftp://ftp.openldap.org/incoming/slapcat_cn_config.ldif ftp://ftp.openldap.org/incoming/slapd_debug_255.txt ftp://ftp.openldap.org/incoming/gdb_output.txt
> > Submission from: (NULL) (57.250.229.136)
>
> Thanks for the report, this is now fixed in git master.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/

--
Frederic Poisson
Hello all,

Thanks first for the patch; I have applied it on my own build of 2.4.36, but I now have a strange behaviour: slapd does not crash, but it refuses operations.

First, here is the diff after applying the patch:

$ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig
3795d3794
< slap_tls_ctx = NULL;
3804,3808d3802
< } else {
< if ( rc == LDAP_NOT_SUPPORTED )
< rc = LDAP_UNWILLING_TO_PERFORM;
< else
< rc = LDAP_OTHER;

Now when I only add or replace only the attribute olcTLSRandFile on cn=config I have:

ldap_modify: Server is unwilling to perform (53)

When I replace the following values in this order, with 4 actions/operations or with a single action/operation, it works:

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem
-
replace: olcTLSRandFile
olcTLSRandFile: /dev/random

But it doesn't work with only olcTLSRandFile if I do an add or replace first, why?

What do you need for investigation?

Regards,

PS: Sorry, this is my second post, for better readability...

--
Frederic Poisson
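Review bot: the diff is run with the patched bconfig.c as the first argument and the pristine copy (.orig) as the second, so the `<` lines are the lines the patch adds, not lines it removes; read the usual way round the output looks like a deletion, so it is worth saying which way it was taken. The second hunk also explains the new behaviour directly: `if ( rc == LDAP_NOT_SUPPORTED ) rc = LDAP_UNWILLING_TO_PERFORM; else rc = LDAP_OTHER;` turns a negative return code from the TLS setup into a valid LDAP result before it reaches slap_send_ldap_result, which is why the randfile-only modify now answers with result 53 instead of tripping the `!((rs->sr_err)<0)` assertion. For the first hunk (`slap_tls_ctx = NULL;`) the surrounding context is not shown, so whether the previous context is released before the pointer is cleared cannot be judged from these lines; the full hunk context would be needed for that.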
"POISSON Frédéric" wrote:
> Hello all,
>
> Thanks first for the patch, i have applied it on my own build of 2.4.36 but i
> have now a strange behavior, the slapd do not crash but it refused operations.
>
> But it don't works with only olcTLSRandfile if i do an add or replace first, why ?
>
> What do you need for investigation ?

There's nothing to investigate, this works as designed. The config engine requires your TLS configuration to be valid when you configure it. That means at a minimum you must configure a server cert and key. If you only configure the randfile and nothing else, the config is rejected.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
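The rule Howard states above (the TLS configuration is validated as a unit, and a server cert and key are the minimum) as a small shell helper; this is an added example, not code from the ITS thread or from OpenLDAP, and the file paths, host/port, rootdn and password file are assumed values. It refuses to build the modify unless a cert and key are given, and emits every TLS attribute in one operation so the config engine never sees a randfile-only change.

```shell
#!/bin/sh
# Added example, not from the ITS thread or OpenLDAP: send the cn=config TLS
# change as ONE modify operation carrying the whole TLS setup. The config
# engine validates TLS settings as a unit and rejects a change that leaves it
# without a server certificate and key (Server is unwilling to perform (53)).
# File paths, host/port, rootdn and the password file are assumed values.

# Mirror the config engine's minimum: a readable server cert and key.
tls_config_valid() {
    [ -n "$1" ] && [ -r "$1" ] || { echo "server cert missing or unreadable: '$1'" >&2; return 1; }
    [ -n "$2" ] && [ -r "$2" ] || { echo "server key missing or unreadable: '$2'" >&2; return 1; }
    return 0
}

# Print one modify operation: cert and key are mandatory, CA file and randfile
# optional (omitted when empty). RFC 2849 ends every mod-spec with a "-" line.
build_tls_ldif() {
    crt="$1"; key="$2"; ca="$3"; rnd="$4"
    tls_config_valid "$crt" "$key" || return 1
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$crt"
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n-\n' "$key"
    if [ -n "$ca" ]; then
        printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$ca"
    fi
    if [ -n "$rnd" ]; then
        printf 'replace: olcTLSRandFile\nolcTLSRandFile: %s\n-\n' "$rnd"
    fi
}

# Apply it with the rootdn from the report. The LDIF is built first so that a
# rejected configuration never reaches ldapmodify at all, and the password is
# read from a file (-y) rather than passed on the command line with -w.
apply_tls_config() {
    ldif=$(build_tls_ldif "$@") || return 1
    printf '%s\n' "$ldif" | ldapmodify -h localhost -p 25389 \
        -D "cn=root DN,cn=config" -y /etc/openldap/rootpw.secret
}

# Usage (assumed paths):
#   apply_tls_config /etc/openldap/tls/cert.pem /etc/openldap/tls/key.pem \
#                    /etc/openldap/tls/cacert.pem /dev/random
```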
Ok thanks, I will use it as you explain.

Regards,

On 03/09/13, hyc@symas.com wrote:
> "POISSON Frédéric" wrote:
> > But it don't works with only olcTLSRandfile if i do an add or replace first, why ?
> >
> > What do you need for investigation ?
>
> There's nothing to investigate, this works as designed. The config engine
> requires your TLS configuration to be valid when you configure it. That means
> at a minimum you must configure a server cert and key. If you only configure
> the randfile and nothing else, the config is rejected.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/

--
Frederic Poisson
Hello,

I have another question now. How do we remove the TLS configuration parameters inside cn=config if my daemon no longer listens on ldaps? I have tested removing only the certificates, but I get a "Server is unwilling to perform (53)" with this LDIF:

dn: cn=config
changetype: modify
delete: olcTLSCACertificateFile
-
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile

What are the recommendations for that type of operation on cn=config?

Regards,

On 03/09/13, hyc@symas.com wrote:
> "POISSON Frédéric" wrote:
> > But it don't works with only olcTLSRandfile if i do an add or replace first, why ?
> >
> > What do you need for investigation ?
>
> There's nothing to investigate, this works as designed. The config engine
> requires your TLS configuration to be valid when you configure it. That means
> at a minimum you must configure a server cert and key. If you only configure
> the randfile and nothing else, the config is rejected.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/

--
Frederic Poisson
changed notes
changed state Test to Release
fixed in master
fixed in RE25
fixed in RE24
changed notes
changed state Release to Closed