[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problems getting ProFTPD to play nice with OpenLDAP via TLS

To: openLDAP-software@OpenLDAP.org
Subject: Problems getting ProFTPD to play nice with OpenLDAP via TLS
From: Jason Lixfeld <jason+lists.openldap@lixfeld.ca>
Date: Thu, 6 May 2004 14:33:11 -0400

I posted a similar message to the proftpd lists but I'm sending it here in hopes someone here can help out as well.

First off, I can use the ldapsearch command on both the ldap server itself and the ftp server to get data off of the ldap server via TLS.

ldap.conf is configured as such:

BASE    o=ebitnetworks
URI     ldaps://trek.tor1.ebit.ca

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERT      /usr/local/etc/openldap/cacert.pem
TLS_CERT        /usr/local/etc/openldap/newcert.pem
TLS_KEY         /usr/local/etc/openldap/newreq.pem
TLS_REQCERT     demand

 I have proftpd configured as such:

LDAPDoAuth                      on "o=people,o=ebitnetworks"
LDAPUseTLS                      on

When I was trying to get ldapsearch working with TLS, I needed to make a .ldaprc file for the user executing the command. Proftpd passes auth info to the ldap API in addition to what is in it's own config file. That being said, do I need to create a .ldaprc for the user "nobody" which is the user proftpd runs as?! :/

When I try to use proftpd with above mentioned configurations, I get this openldap error:

connection_get(13): got connid=4 connection_read(13): checking for input on id=4 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write certificate request A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(13): got connid=4 connection_read(13): checking for input on id=4 TLS certificate verification: depth: 1, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca TLS certificate verification: depth: 0, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca TLS trace: SSL_accept:SSLv3 read client certificate A TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read certificate verify A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data => ldap_dn2bv(16) <= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks inc.,l=toronto,st=ontario,c=ca,16)=0 connection_get(13): got connid=4 connection_read(13): checking for input on id=4 ber_get_next ber_get_next: tag 0x30 len 29 contents: ber_get_next ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable) do_extended ber_scanf fmt ({m) ber: send_ldap_extended: err=1 oid= len=0 send_ldap_response: msgid=1 tag=120 err=1 ber_flush: 33 bytes to sd 13 connection_get(13): got connid=4 connection_read(13): checking for input on id=4 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next TLS trace: SSL3 alert read:warning:close notify ber_get_next on fd 13 failed errno=0 (Undefined error: 0) connection_read(13): input error=-2 id=4, closing. connection_closing: readying conn=4 sd=13 for close connection_close: deferring conn=4 sd=13 do_unbind connection_resched: attempting closing conn=4 sd=13 connection_close: conn=4 sd=13 TLS trace: SSL3 alert write:warning:close notify connection_get(13): got connid=5 connection_read(13): checking for input on id=5 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write certificate request A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(13): got connid=5 connection_read(13): checking for input on id=5 TLS certificate verification: depth: 1, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca TLS certificate verification: depth: 0, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca TLS trace: SSL_accept:SSLv3 read client certificate A TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read certificate verify A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data => ldap_dn2bv(16) <= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks inc.,l=toronto,st=ontario,c=ca,16)=0 connection_get(13): got connid=5 connection_read(13): checking for input on id=5 ber_get_next ber_get_next: tag 0x30 len 29 contents: ber_get_next ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable) do_extended ber_scanf fmt ({m) ber: send_ldap_extended: err=1 oid= len=0 send_ldap_response: msgid=1 tag=120 err=1 ber_flush: 33 bytes to sd 13 connection_get(13): got connid=5 connection_read(13): checking for input on id=5 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next TLS trace: SSL3 alert read:warning:close notify ber_get_next on fd 13 failed errno=0 (Undefined error: 0) connection_read(13): input error=-2 id=5, closing. connection_closing: readying conn=5 sd=13 for close connection_close: deferring conn=5 sd=13 do_unbind connection_resched: attempting closing conn=5 sd=13 connection_close: conn=5 sd=13 TLS trace: SSL3 alert write:warning:close notify connection_get(13): got connid=6 connection_read(13): checking for input on id=6 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write certificate request A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(13): got connid=6 connection_read(13): checking for input on id=6 TLS certificate verification: depth: 1, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca TLS certificate verification: depth: 0, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca TLS trace: SSL_accept:SSLv3 read client certificate A TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read certificate verify A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data => ldap_dn2bv(16) <= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks inc.,l=toronto,st=ontario,c=ca,16)=0 connection_get(13): got connid=6 connection_read(13): checking for input on id=6 ber_get_next ber_get_next: tag 0x30 len 29 contents: ber_get_next ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable) do_extended ber_scanf fmt ({m) ber: send_ldap_extended: err=1 oid= len=0 send_ldap_response: msgid=1 tag=120 err=1 ber_flush: 33 bytes to sd 13 connection_get(13): got connid=6 connection_read(13): checking for input on id=6 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next TLS trace: SSL3 alert read:warning:close notify ber_get_next on fd 13 failed errno=0 (Undefined error: 0) connection_read(13): input error=-2 id=6, closing. connection_closing: readying conn=6 sd=13 for close connection_close: deferring conn=6 sd=13 do_unbind connection_resched: attempting closing conn=6 sd=13 connection_close: conn=6 sd=13 TLS trace: SSL3 alert write:warning:close notify

and at the same time, proftpd is spitting this out:

su-2.05b# /usr/local/libexec/proftpd -c /usr/local/etc/proftpd/proftpd.conf -d 9 -n - parsing '/usr/local/etc/proftpd/proftpd.conf' configuration - FS: using system open() - FS: using system read() - FS: using system read() - dispatching auth request "getpwnam" to module mod_ldap - dispatching auth request "getpwnam" to module mod_auth_file - dispatching auth request "getpwnam" to module mod_auth_unix - dispatching auth request "getgrnam" to module mod_ldap - dispatching auth request "getgrnam" to module mod_auth_file - dispatching auth request "getgrnam" to module mod_auth_unix - <Directory />: adding section for resolved path '/' - FS: using system read() - FS: using system read() - FS: using system close() 69.90.17.218 - 69.90.17.218 - Config for eBit Networks Inc. FTP Server: 69.90.17.218 - / 69.90.17.218 - AllowOverwrite 69.90.17.218 - Umask 69.90.17.218 - DefaultServer 69.90.17.218 - Umask 69.90.17.218 - UserID 69.90.17.218 - UserName 69.90.17.218 - GroupID 69.90.17.218 - GroupName 69.90.17.218 - LDAPDoAuth 69.90.17.218 - LDAPUseTLS 69.90.17.218 - dispatching auth request "getgroups" to module mod_ldap 69.90.17.218 - dispatching auth request "getgroups" to module mod_auth_file 69.90.17.218 - dispatching auth request "getgroups" to module mod_auth_unix 69.90.17.218 - SETUP PRIVS at main.c:2704 69.90.17.218 - ROOT PRIVS at main.c:1956 69.90.17.218 - RELINQUISH PRIVS at main.c:1962 69.90.17.218 - ROOT PRIVS at main.c:2323 69.90.17.218 - opening scoreboard '/var/run/proftpd/proftpd.scoreboard' 69.90.17.218 - RELINQUISH PRIVS at main.c:2347 69.90.17.218 - ROOT PRIVS at inet.c:402 69.90.17.218 - RELINQUISH PRIVS at inet.c:417 69.90.17.218 - ROOT PRIVS at inet.c:452 69.90.17.218 - RELINQUISH PRIVS at inet.c:510 69.90.17.218 - ProFTPD 1.2.9 (stable) (built Thu May 6 14:00:06 EDT 2004) standalone mode STARTUP 69.90.17.218 - ROOT PRIVS at main.c:2171 69.90.17.218 - RELINQUISH PRIVS at main.c:2177 69.90.17.218 - FS: using system lstat() 69.90.17.218 - FS: using system lstat() 69.90.17.218 - ROOT PRIVS at main.c:1150 69.90.17.218 - RELINQUISH PRIVS at main.c:1154 69.90.17.218 - FS: using system lstat() 69.90.17.218 (vista.tht.net[216.126.88.2]) - performing ident lookup 69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at inet.c:402 69.90.17.218 (vista.tht.net[216.126.88.2]) - RELINQUISH PRIVS at inet.c:417 69.90.17.218 (vista.tht.net[216.126.88.2]) - ident lookup returned 'jlixfeld' 69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at main.c:977 69.90.17.218 (vista.tht.net[216.126.88.2]) - SETUP PRIVS at main.c:982 69.90.17.218 (vista.tht.net[216.126.88.2]) - performing module session initializations 69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at mod_auth.c:130 69.90.17.218 (vista.tht.net[216.126.88.2]) - opening scoreboard '/var/run/proftpd/proftpd.scoreboard' 69.90.17.218 (vista.tht.net[216.126.88.2]) - RELINQUISH PRIVS at mod_auth.c:150 69.90.17.218 (vista.tht.net[216.126.88.2]) - connected - local : 69.90.17.218:21 69.90.17.218 (vista.tht.net[216.126.88.2]) - connected - remote : 216.126.88.2:65499 69.90.17.218 (vista.tht.net[216.126.88.2]) - FTP session opened. 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'USER jlixfeld' to mod_core 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'USER jlixfeld' to mod_core 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'USER jlixfeld' to mod_auth 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "endpwent" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "endgrent" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command 'USER jlixfeld' to mod_ratio 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command 'USER jlixfeld' to mod_auth 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_auth_file 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_auth_unix 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching LOG_CMD command 'USER jlixfeld' to mod_log 69.90.17.218 - scrubbing scoreboard 69.90.17.218 - ROOT PRIVS at mod_core.c:194 69.90.17.218 - RELINQUISH PRIVS at mod_core.c:201 69.90.17.218 - ROOT PRIVS at mod_core.c:223 69.90.17.218 - RELINQUISH PRIVS at mod_core.c:251 69.90.17.218 - FS: using system lstat() 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_core 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_core 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_wrap 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_auth 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "endpwent" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "endgrent" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command 'PASS (hidden)' to mod_auth 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_auth_file 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_auth_unix 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getpwnam" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: Starting TLS for this connection. 69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: pr_ldap_connect(): Starting TLS failed: Operations error 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getpwnam" to module mod_auth_file 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getpwnam" to module mod_auth_unix 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "gid_name" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "gid_name" to module mod_auth_file 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "gid_name" to module mod_auth_unix 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "auth" to module mod_ldap 69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: Starting TLS for this connection. 69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: pr_ldap_connect(): Starting TLS failed: Operations error 69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "auth" to module mod_auth_pam ... pam fails and mod_auth_unix eventually kicks in and auths me out of the system passwd file.

Can anyone point me in the direction of where I may have possibly gone wrong in my configs?

Thanks in advance.

Prev by Date: AW: Regex access problem
Next by Date: Re: OpenLDAP 2.1 (?) on RedHat Enterprise summary
Index(es):
- Chronological
- Thread