
Problems using StartTls with openldap-2.4.31



Hi all,

I'm using openldap-2.4.31 compiled with gnutls25 on Raspbmc (pre-compiled by the distribution) and I'm trying to make ldap+StartTls work with ldapsearch (simple ldap:// works like a charm).

After hitting the issue described at [1], I've decided to use a self-signed CA cert generated with certtool, as described in [2]. This allowed me to establish the TLS connection. However, the client still sends the bind in clear text, then the server closes the connection.

The slapd.conf file is below (comments stripped; the client has the same CACert and cipher suites):
> include         /etc/ldap/schema/core.schema
> include         /etc/ldap/schema/cosine.schema
> include         /etc/ldap/schema/nis.schema
> include         /etc/ldap/schema/inetorgperson.schema
> include         /etc/ldap/schema/samba.schema
> 
> pidfile         /var/run/slapd/slapd.pid
> 
> argsfile        /var/run/slapd/slapd.args
> 
> loglevel        -1
> 
> modulepath    /usr/lib/ldap
> moduleload    back_hdb
> 
> sizelimit 500
> 
> tool-threads 1
> 
> TLSCACertificateFile /etc/ldap/certs/selfsign/ca-cert.pem
> TLSCertificateKeyFile /etc/ldap/certs/selfsign/key.pem
> TLSCertificateFile /etc/ldap/certs/selfsign/cert.pem
> TLSCipherSuite NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+COMP-ALL:+AES-256-CBC:+CAMELLIA-256-CBC:+RSA:+SHA1:+SHA256
> TLSVerifyClient never

The client output:

> root@argyle:/home/pi# ldapsearch -x -H ldap://127.0.0.1 -Z -b 'dc=strainu,dc=ro' -Dcn=admin,dc=strainu,dc=ro -w bla
> ldap_start_tls: Connect error (-11)
>         additional info: (unknown error code)
> ldap_result: Can't contact LDAP server (-1)

And finally the server output:

> root@argyle:/etc/ldap# /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d -1
> 53923fb1 @(#) $OpenLDAP: slapd  (Apr 24 2013 17:35:25) $
>         buildd@build07.raspbian.lan:/build/openldap-nxJLrU/openldap-2.4.31/debian/build/servers/slapd
> ldap_pvt_gethostbyname_a: host=argyle, r=0
> 53923fb1 daemon_init: <null>
> 53923fb1 daemon_init: listen on ldap:///
> 53923fb1 daemon_init: 1 listeners to open...
> ldap_url_parse_ext(ldap:///)
> 53923fb1 daemon: listener initialized ldap:///
> 53923fb1 daemon_init: 2 listeners opened
> ldap_create
> 53923fb1 slapd init: initiated server.
> 
> [...]
> 
> 53923ffe connection_read(12): unable to get TLS client DN, error=49 id=1000
> 53923ffe conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
> 53923ffe daemon: activity on 1 descriptor
> 53923ffe daemon: activity on:53923ffe 
> 53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
> 53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
> 53923ffe daemon: activity on 1 descriptor
> 53923ffe daemon: activity on:53923ffe  12r53923ffe 
> 53923ffe daemon: read active on 12
> 53923ffe connection_get(12)
> 53923ffe connection_get(12): got connid=1000
> 53923ffe connection_read(12): checking for input on id=1000
> ber_get_next
> tls_read: want=5, got=5
>   0000:  30 33 02 01 02                                     03...             
> ldap_read: want=8 error=Success
> 53923ffe ber_get_next on fd 12 failed errno=0 (Success)
> 53923ffe connection_read(12): input error=-2 id=1000, closing.
> 53923ffe connection_closing: readying conn=1000 sd=12 for close
> 53923ffe connection_close: conn=1000 sd=12
> 53923ffe daemon: removing 12
> tls_write: want=53, written=53
>   0000:  15 03 03 00 30 c2 bb c0  ae 12 fa 04 27 45 11 6e   ....0.......'E.n  
>   0010:  d7 08 20 97 49 59 0b 35  c5 77 2d b5 65 a0 97 a4   .. .IY.5.w-.e...  
>   0020:  b0 3a eb aa b1 e7 71 8b  3e 0c 73 60 e3 9b 66 8c   .:....q.>.s`..f.  
>   0030:  f8 94 e0 c6 50                                     ....P             
> 53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
> 53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
> 53923ffe daemon: activity on 1 descriptor
> 53923ffe daemon: activity on:53923ffe 
> 53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
> 53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
> 53923ffe conn=1000 fd=12 closed (connection lost)

As you can see, the server declares the TLS established, then tries to read something, receives 5 bytes which indicates the ldap protocol (I believe), then comes the part I can't decode:
> ldap_read: want=8 error=Success
> 53923ffe ber_get_next on fd 12 failed errno=0 (Success)
> 53923ffe connection_read(12): input error=-2 id=1000, closing.

What's with the "failed errno=0" and why does the server close the connection? What should I change in the config to make it work? If you need any more information I'll provide it - I selected the part that seemed relevant to me.

Thanks a lot for any ideas,
   Andrei



[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921#25
[2] http://www.gnutls.org/manual/html_node/certtool-Invocation.html
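The two hex dumps in the slapd trace can be decoded by hand. The script below is an added example, not part of the original message: it parses the 5-byte BER prefix slapd read after "TLS established" and the header of the 53-byte TLS record it wrote back, using the bytes from the log as constructed input.

```python
# Decode the two byte dumps from the slapd -d -1 trace above.
# Inputs are constructed from the log lines:
#   tls_read  got=5  -> 30 33 02 01 02
#   tls_write want=53 -> 15 03 03 00 30 ... (first five bytes are the record header)
LDAP_PEEK = bytes.fromhex("3033020102")
TLS_RECORD_HEAD = bytes.fromhex("1503030030")

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {(3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


def ber_tlv_prefix(buf, pos):
    """Return (tag, length, offset_of_value) for the BER TLV starting at pos.
    Handles short-form and long-form definite lengths (all LDAP uses)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def decode_ldap_message_head(buf):
    """Decode the start of an LDAPMessage ::= SEQUENCE { messageID INTEGER, ... }."""
    tag, seq_len, body = ber_tlv_prefix(buf, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an LDAPMessage")
    itag, ilen, ival = ber_tlv_prefix(buf, body)
    if itag != 0x02:
        raise ValueError("first element is not the INTEGER messageID")
    message_id = int.from_bytes(buf[ival:ival + ilen], "big", signed=True)
    # total_len is header + SEQUENCE body: how many bytes the full PDU occupies
    return {"sequence_len": seq_len, "total_len": body + seq_len,
            "message_id": message_id}


def decode_tls_record_head(buf):
    """Decode a TLS record header: content type (1), version (2), length (2)."""
    ctype, ver = buf[0], (buf[1], buf[2])
    length = int.from_bytes(buf[3:5], "big")
    return {"content_type": TLS_CONTENT_TYPES.get(ctype, "unknown"),
            "version": TLS_VERSIONS.get(ver, f"unknown {ver}"),
            "payload_len": length, "record_len": 5 + length}


if __name__ == "__main__":
    print(decode_ldap_message_head(LDAP_PEEK))
    print(decode_tls_record_head(TLS_RECORD_HEAD))
```

The 5 bytes are the start of a 53-byte LDAPMessage with messageID 2 (the StartTLS extended request was messageID 1), and the 53 bytes slapd wrote back are a single TLS 1.2 record of content type alert, i.e. the server sent an encrypted alert before closing.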