
Queries hang when using SSL



I'm trying to set up Linux clients to get user and group information
from an Active Directory. I'm running openldap 2.2.13 on Fedora Core 3.
I've got everything working, including pam-ldap and nss-ldap, but it all
fails when I turn SSL on.  I found that the reason for this is that when
I issue a query, it returns the results but then hangs. For example:

[root@ldaptest ~]# ldapsearch -H ldaps://mail2.ammasso.com -D "user@ammasso.com" -w password -x "msSFUName=mnuss"

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: msSFUName=mnuss
# requesting: ALL
#

# Mike Nuss, IT, ammasso.com
dn: CN=Mike Nuss,OU=IT,DC=ammasso,DC=com
homeMDB: CN=Mailbox Store (MAIL2),CN=First Storage Group,CN=InformationStore,CN=MAIL2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Ammasso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ammasso,DC=com
memberOf: CN=IT,OU=IT,DC=ammasso,DC=com
altRecipientBL: CN=msdn ms,OU=IT,DC=ammasso,DC=com
altRecipientBL: CN=Administrator,CN=Users,DC=ammasso,DC=com
authOrigBL: CN=All-in-house,OU=IT,DC=ammasso,DC=com
authOrigBL: CN=ALL,OU=IT,DC=ammasso,DC=com
accountExpires: 9223372036854775807
adminCount: 1
badPasswordTime: 127590227433880495
badPwdCount: 0
codePage: 0
cn: Mike Nuss
countryCode: 0
displayName: Mike Nuss
mail: x
givenName: Mike
instanceType: 4
lastLogoff: 0
lastLogon: 127590227482473623
legacyExchangeDN: /o=Ammasso/ou=First Administrative Group/cn=Recipients/cn=mnuss
logonCount: 2432
distinguishedName: CN=Mike Nuss,OU=IT,DC=ammasso,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ammasso,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: H3UUJsH390uKJcKjSrws7g==
objectSid:: AQUAAAAAAAUVAAAAnkB+FPiftHSDu8lViBAAAA==
primaryGroupID: 513
proxyAddresses: X400:c=US;a= ;p=Ammasso;o=Exchange;s=Nuss;g=Mike;
proxyAddresses: SMTP:x
proxyAddresses: smtp:x
proxyAddresses: smtp:x
pwdLastSet: 127590058371903891
name: Mike Nuss
sAMAccountName: mnuss
sAMAccountType: 805306368
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Ammasso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ammasso,DC=com
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=Ammasso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ammasso,DC=com
sn: Nuss
telephoneNumber: x
textEncodedORAddress: c=US;a= ;p=Ammasso;o=Exchange;s=Nuss;g=Mike;
userAccountControl: 66048
userPrincipalName: x
uSNChanged: 14390040
uSNCreated: 935520
whenChanged: 20050426161717.0Z
whenCreated: 20040519153119.0Z
userCertificate:: x
userCertificate:: x
userCertificate:: x
mailNickname: mnuss
msExchUserAccountControl: 0
msExchALObjectVersion: 56
msExchHideFromAddressLists: FALSE
homeMTA: CN=Microsoft MTA,CN=MAIL2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Ammasso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ammasso,DC=com
msExchHomeServerName: /o=Ammasso/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=MAIL2
msExchMailboxGuid:: aV8SeyvFZEKu0ZBqKioTNw==
msExchMailboxSecurityDescriptor:: x
mDBUseDefaults: TRUE
msExchPoliciesIncluded: {518F24F0-CE99-478F-85F9-9D0076B2A8CB},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
securityProtocol:: AAAAAA==
gecos: Mike Nuss
gidNumber: 500
loginShell: /bin/bash
msSFUHomeDirectory: /home/mnuss
msSFUName: mnuss
syncNisDomain: DOMAIN
uidNumber: 1044

# search reference
ref: ldap://ammasso.com/CN=Configuration,DC=ammasso,DC=com

It hangs there for about 15 minutes. Then, it prints out:

ldap_result: Can't contact LDAP server (-1)

If I issue the same query without ssl:

[root@ldaptest ~]# ldapsearch -H ldap://mail2.ammasso.com -D "user@ammasso.com" -w password -x "msSFUName=mnuss"

After the point where it hung using SSL, it shows the following:

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

If I run it with -d 5, here is the debug output:

ldap_create
ldap_url_parse_ext(ldaps://mail2.ammasso.com)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP mail2.ammasso.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.2:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=mail2.ammasso.com, issuer: /emailAddress=info@ammasso.com/C=US/ST=MA/L=Boston/O=Ammasso Inc/CN=mail
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=mail2.ammasso.com, issuer: /emailAddress=info@ammasso.com/C=US/ST=MA/L=Boston/O=Ammasso Inc/CN=mail
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=mail2.ammasso.com, issuer: /emailAddress=info@ammasso.com/C=US/ST=MA/L=Boston/O=Ammasso Inc/CN=mail
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 46 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
** Connections:
* host: mail2.ammasso.com  port: 636  (default)
 refcnt: 2  status: Connected
 last used: Wed Apr 27 22:40:07 2005

** Outstanding Requests:
* msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
** Response Queue:
  Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "msSFUName=mnuss"
put_filter: default
put_simple_filter: "msSFUName=mnuss"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 63 bytes to sd 3
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: mail2.ammasso.com  port: 636  (default)
 refcnt: 2  status: Connected
 last used: Wed Apr 27 22:40:07 2005

** Outstanding Requests:
* msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
** Response Queue:
  Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 8765 contents:
ldap_read: message type search-entry msgid 2, original id 2
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
=> ldap_bv2dn(CN=Mike Nuss,OU=IT,DC=ammasso,DC=com,0)
<= ldap_bv2dn(CN=Mike Nuss,OU=IT,DC=ammasso,DC=com,0)=0
=> ldap_dn2bv(64)
<= ldap_dn2bv(Mike Nuss, IT, ammasso.com,64)=0
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
... (lots of those) ...
ldap_get_attribute_ber
ldap_msgfree
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: mail2.ammasso.com  port: 636  (default)
 refcnt: 2  status: Connected
 last used: Wed Apr 27 22:40:07 2005

** Outstanding Requests:
* msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
** Response Queue:
  Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 64 contents:
ldap_read: message type search-reference msgid 2, original id 2
ber_scanf fmt ({v) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: mail2.ammasso.com  port: 636  (default)
 refcnt: 2  status: Connected
 last used: Wed Apr 27 22:40:07 2005

** Outstanding Requests:
* msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
** Response Queue:
  Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
ldap_read: message type search-result msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_int_select

That's where it hangs.

Then, after about 15 minutes, I get:

read1msg: msgid -1, all 0
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server (-1)
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 3
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify

If I run it without SSL, I get this instead:

read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
ldap_read: message type search-result msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_err2string
ldap_msgfree
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 3
ldap_free_connection: actually freed

Any ideas?

Thanks,
Mike
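
The security-relevant detail in the trace above, separate from the hang itself, is that libldap logs three X509 verification failures (err 20, 27 and 21), writes a non-fatal "bad certificate" alert, and then still reports ldap_open_defconn: successful and sends a simple bind carrying the password over that unverified channel. What follows is an added example, not code from the original post, from its author, or from OpenLDAP: a small Python triage script that parses a libldap -d trace for exactly those lines, names the OpenSSL verify codes, and reports whether the client kept using the connection, whether a simple bind went over it, and whether requests wait without a timeout. The embedded SAMPLE_TRACE is a constructed, unwrapped excerpt modelled on the trace in the post. The remediation hints it prints name ldap.conf(5) options (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT, NETWORK_TIMEOUT, TIMEOUT); which of these the 2.2.13 build in the post supports is not something the page establishes, and the script does not claim to explain why the search result is followed by a stall.

```python
"""Triage an OpenLDAP client debug trace (ldapsearch -d 5) for TLS problems.
Added example, not code from the original post or from OpenLDAP. SAMPLE_TRACE is
a constructed, unwrapped excerpt modelled on the trace in the post."""
import re
from dataclasses import dataclass, field
from typing import List

# OpenSSL X509_V_ERR_* codes as printed in libldap's "err: N" lines (chain-trust subset).
X509_VERIFY_ERRORS = {
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    27: "X509_V_ERR_CERT_UNTRUSTED",
}
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (?P<depth>\d+), "
                       r"err: (?P<err>\d+), subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$")

@dataclass
class VerifyError:
    depth: int
    code: int
    name: str
    subject: str
    issuer: str

@dataclass
class TlsTriage:
    verify_errors: List[VerifyError] = field(default_factory=list)
    used_after_failure: bool = False   # libldap reported the connection open anyway
    simple_bind: bool = False          # a password-bearing simple bind was issued
    peer_cert_unavailable: bool = False
    infinite_timeout: bool = False
    findings: List[str] = field(default_factory=list)

def parse_verify_errors(trace: str) -> List[VerifyError]:
    """Collect every X509 verify failure libldap logged during the handshake."""
    errors = []
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            code = int(m.group("err"))
            errors.append(VerifyError(int(m.group("depth")), code,
                                      X509_VERIFY_ERRORS.get(code, f"X509_V_ERR_{code}"),
                                      m.group("subject"), m.group("issuer")))
    return errors

def triage(trace: str) -> TlsTriage:
    """Turn a -d trace into findings a practitioner can act on."""
    lines = trace.splitlines()
    t = TlsTriage(verify_errors=parse_verify_errors(trace))
    last_err = max((i for i, l in enumerate(lines) if VERIFY_RE.search(l)), default=-1)
    # Verification failed, yet libldap went on to open and use the connection.
    t.used_after_failure = last_err >= 0 and any(
        "ldap_open_defconn: successful" in l for l in lines[last_err + 1:])
    t.simple_bind = any("ldap_simple_bind_s" in l for l in lines)
    t.peer_cert_unavailable = any("TLS: unable to get peer certificate" in l for l in lines)
    t.infinite_timeout = any("wait4msg (infinite timeout)" in l for l in lines)
    for e in t.verify_errors:
        t.findings.append(f"depth {e.depth}: {e.name} ({e.code}) for {e.subject}, issuer "
                          f"{e.issuer}: issuing CA missing from TLS_CACERT/TLS_CACERTDIR")
    if t.used_after_failure:
        t.findings.append("session kept despite failed verification, so TLS_REQCERT is not "
                          "'demand'; an active attacker with any certificate is accepted")
        if t.simple_bind:
            t.findings.append("simple bind (-w password) went over that unverified channel, "
                              "exposing the bind password to a man-in-the-middle")
    if t.peer_cert_unavailable:
        t.findings.append("libldap could not fetch the peer certificate after the handshake, "
                          "so its hostname check did not run")
    if t.infinite_timeout:
        t.findings.append("requests wait with no timeout; set NETWORK_TIMEOUT/TIMEOUT in "
                          "ldap.conf (where this libldap supports them) so stalls fail fast")
    return t

ISSUER = "/emailAddress=info@ammasso.com/C=US/ST=MA/L=Boston/O=Ammasso Inc/CN=mail"
SAMPLE_TRACE = "\n".join([  # constructed excerpt, verification lines unwrapped
    "ldap_simple_bind_s",
    "ldap_connect_to_host: TCP mail2.ammasso.com:636",
    f"TLS certificate verification: depth: 0, err: 20, subject: /CN=mail2.ammasso.com, issuer: {ISSUER}",
    "TLS certificate verification: Error, unable to get local issuer certificate",
    f"TLS certificate verification: depth: 0, err: 27, subject: /CN=mail2.ammasso.com, issuer: {ISSUER}",
    "TLS certificate verification: Error, certificate not trusted",
    f"TLS certificate verification: depth: 0, err: 21, subject: /CN=mail2.ammasso.com, issuer: {ISSUER}",
    "TLS certificate verification: Error, unable to verify the first certificate",
    "TLS trace: SSL3 alert write:warning:bad certificate",
    "TLS: unable to get peer certificate.",
    "ldap_open_defconn: successful",
    "wait4msg (infinite timeout), msgid 1",
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE).findings:
        print("-", finding)
```

Run it against a real `ldapsearch -d 5 ... 2>&1 | tee trace.txt` by passing the file contents to triage(); the verify-code names come from OpenSSL's x509_vfy.h and the string patterns are the ones visible in the trace above, so a trace from a different libldap version may need the patterns adjusted.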