Package: openldap
Version: 2.4.40+dfsg-1+deb8u2

The package libldap-2.4-2 ships a default /etc/ldap/ldap.conf containing the following line:

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

It appears that libldap fails to connect to any ldaps:// server if the ca-certificates.crt file is missing, even with 'TLS_REQCERT allow' set. Installing the ca-certificates package allows the connection to succeed:

$ echo 'TLS_REQCERT allow' >> /etc/ldap/ldap.conf
$ ldapsearch -H ldaps://ldap/ -x -D uid=postfix,cn=sysaccounts,cn=etc,dc=fixme,dc=fi -w 'asdf' uid=x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
$ apt install ca-certificates
...
$ ldapsearch -H ldaps://ldap/ -x -D uid=postfix,cn=sysaccounts,cn=etc,dc=fixme,dc=fi -w 'asdf' uid=x
ldap_bind: Invalid credentials (49)
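As an added example (not part of this bug report or the openldap package), the following POSIX sh preflight check parses an ldap.conf, finds every TLS_CACERT directive and verifies that the referenced file exists, so a missing ca-certificates package shows up as a clear message instead of the opaque "Can't contact LDAP server (-1)". The sample configuration it writes is constructed for the example; the /nonexistent path and the check_ldap_cacert and make_sample_conf names are assumptions of the example.

```sh
#!/bin/sh
# Added example: preflight check for the TLS_CACERT path in an ldap.conf.
# Exit status of check_ldap_cacert:
#   0 - no TLS_CACERT directive, or every referenced file exists
#   1 - at least one TLS_CACERT file is missing
#   2 - the configuration file itself cannot be read
check_ldap_cacert() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    missing=0
    # Strip '#' comments, match the keyword case-insensitively (ldap.conf
    # keywords are case-insensitive) and keep the path argument. Word
    # splitting in the for loop is fine here: ldap.conf paths contain no spaces.
    for path in $(sed 's/#.*//' "$conf" | awk 'toupper($1) == "TLS_CACERT" { print $2 }'); do
        if [ -f "$path" ]; then
            echo "ok: TLS_CACERT $path exists"
        else
            # This is the situation in the report: libldap opens the file,
            # gets ENOENT and drops the ldaps connection before any TLS handshake.
            echo "missing: TLS_CACERT $path (install ca-certificates or fix the path)" >&2
            missing=1
        fi
    done
    return $missing
}

# Writes a constructed sample ldap.conf to a temporary file and prints its path.
# It mirrors the Debian default plus the 'TLS_REQCERT allow' workaround from the
# report, but points at a path that does not exist (assumed for the example).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample ldap.conf
BASE        dc=fixme,dc=fi
tls_cacert  /nonexistent/ca-certificates.crt
TLS_REQCERT allow
EOF
    echo "$f"
}

# Stand-alone usage: check the real system configuration if it is present.
if [ -f /etc/ldap/ldap.conf ]; then
    check_ldap_cacert /etc/ldap/ldap.conf
fi
```

Running the check once in a container entrypoint, before starting a service such as Dovecot, turns the silent connection failure into an actionable error at startup.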

I originally ran into this when setting up a Dovecot server within a Docker container, where the debian:jessie base image does not have the ca-certificates package installed, leading to some difficult-to-debug errors:

$ ldapsearch -H ldaps://ldap/ -x -D uid=postfix,cn=sysaccounts,cn=etc,dc=fixme,dc=fi -w 'asdf' uid=x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
$ ldapsearch -H ldaps://ldap/ -x -D uid=postfix,cn=sysaccounts,cn=etc,dc=fixme,dc=fi -w 'asdf' uid=x -d 255
ldap_url_parse_ext(ldaps://ldap/)
ldap_create
ldap_url_parse_ext(ldaps://ldap:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.2.1.3:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The packet capture shows that libldap closes the TCP connection right after the handshake, without even attempting a TLS handshake:

21:02:24.925196 IP 172.17.0.7.53531 > 10.2.1.3.636: Flags [S], seq 2884225181, win 29200, options [mss 1460,sackOK,TS val 2056456265 ecr 0,nop,wscale 7], length 0
21:02:24.925699 IP 10.2.1.3.636 > 172.17.0.7.53531: Flags [S.], seq 4257908058, ack 2884225182, win 28960, options [mss 1460,sackOK,TS val 1581412247 ecr 2056456265,nop,wscale 7], length 0
21:02:24.925736 IP 172.17.0.7.53531 > 10.2.1.3.636: Flags [.], ack 1, win 229, options [nop,nop,TS val 2056456265 ecr 1581412247], length 0
21:02:24.928955 IP 172.17.0.7.53531 > 10.2.1.3.636: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 2056456266 ecr 1581412247], length 0
21:02:24.929761 IP 10.2.1.3.636 > 172.17.0.7.53531: Flags [.], ack 2, win 227, options [nop,nop,TS val 1581412252 ecr 2056456266], length 0
21:02:24.930484 IP 10.2.1.3.636 > 172.17.0.7.53531: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1581412252 ecr 2056456266], length 0
21:02:24.930505 IP 172.17.0.7.53531 > 10.2.1.3.636: Flags [.], ack 2, win 229, options [nop,nop,TS val 2056456266 ecr 1581412252], length 0

Looking at strace, the missing TLS_CACERT file appears to be the cause: the open() of /etc/ssl/certs/ca-certificates.crt fails with ENOENT and the socket is shut down immediately afterwards:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("10.2.1.3")}, 16) = 0
close(3)                                = 0
open("/dev/urandom", O_RDONLY)          = 3
fcntl(3, F_GETFD)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
getrusage(0x1 /* RUSAGE_??? */, {ru_utime={0, 0}, ru_stime={0, 8000}, ...}) = 0
read(3, "\312\250\243\334\274\263,\243:\245\226\332f\235'\214\23\3417\206\235i\301\212\16?\360y\23\372\6\246", 32) = 32
read(3, "U\243\221\4\2463\213\203\314[*r\250_6\345\2400\25\215\7:\vu\211 \22\363\322j\324\254", 32) = 32
read(3, "\203%rS\3739\217_", 8)         = 8
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "ldap_sasl_bind(SIMPLE): Can't co"..., 55ldap_sasl_bind(SIMPLE): Can't 
contact LDAP server (-1)
) = 55
shutdown(4, SHUT_RDWR)                  = 0
close(4)                                = 0
close(3)                                = 0
exit_group(-1) = ?

Further logs here:

https://gist.github.com/SpComb/d4dcd44bca97fe2952a85833bccf7fc4

I suspect that the libldap package should have a Depends: on the ca-certificates package if this file is required for the correct operation of libldap?

 -- Tero Marttila
