On Sun, 06 Aug 2006 17:10:24 -0600 Michael Berg <[EMAIL PROTECTED]> wrote:
> Package: slapd
> Version: 2.3.25-1
> Severity: normal
>
> I've had this problem in both slapd 2.3.24-2 and 2.3.25-1.
> When slapd is running as root, everything works perfectly. But when running
> as a non-root user (like the new default "openldap"), TLS connections fail.
> This affects both port 389+starttls and port 636.
>
> When slapd is running as root, the command
> "openssl s_client -connect 127.0.0.1:636 -CAfile /etc/ssl/certs/mydomain.dyndns.org_CA.pem"
> successfully establishes a TLSv1 connection to the SSL/TLS port.
>
> When slapd is running as the "openldap" user and group,
> the same command produces the following:
> ==========
> CONNECTED(00000003)
> depth=1 /C=US/O=mydomain/OU=Certificate Authority/L=MyCity/ST=MyState/CN=mydomain.dyndns.org
> verify return:1
> depth=0 /C=US/O=mydomain/OU=LDAP Server/L=MyCity/ST=MyState/CN=ldap.mydomain.dyndns.org
> verify return:1
> 1878:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
> 1878:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
> ==========
>
> ldapsearch and most other packages on my system are configured to use port
> 389+starttls
> ==========
> $ ldapsearch -x -ZZ
>
> ldap_start_tls: Connect error (-11)
>         additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> ==========
> (This same command succeeds when slapd is running as root)
>
> Just to make sure slapd is working:
> ==========
> $ ldapsearch -x
>
> # search result
> search: 2
> result: 13 Confidentiality required
> text: confidentiality required
>
> # numResponses: 1
> ==========
> (which shows that slapd is running, and is requiring confidentiality as
> configured)
>
> And if I disable the requirement for confidentiality in slapd.conf,
> "ldapsearch -x" successfully returns everything that it should from the LDAP
> database.
>
> I've made sure that everything listed in slapd's README.Debian.gz for
> "Running slapd under a different uid/gid" holds true.
> - openldap user and group are present in the system passwd/group files
>   $ getent passwd openldap
>   openldap:x:100:121:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
>   $ getent group openldap
>   openldap:x:121:
> - SLAPD_USER and SLAPD_GROUP are both set to "openldap" in /etc/default/slapd.
> - /var/lib/ldap and all files in it have user:group of openldap:openldap.
> - Permissions and user:group on slapd.conf have been set to
>   -rw-r----- root:openldap
> - Permissions and user:group on /var/run/slapd are
>   drwxr-xr-x openldap:openldap
>
> The SSL/TLS private cert is in a location readable by the openldap user and group.
> The SSL/TLS public cert is in a location readable by everyone on the system.
>
> The TLS-relevant portions of my slapd.conf are
> ==========
> # TLS configuration
> TLSCipherSuite HIGH:!ADH
> TLSCACertificateFile /etc/ssl/certs/mydomain.dyndns.org_CA.pem
> TLSCertificateFile /etc/ssl/certs/ldap.mydomain.dyndns.org.pem
> TLSCertificateKeyFile /etc/ldap/private/ldap.mydomain.dyndns.org.pem
> TLSCRLCheck none
> TLSVerifyClient never
> # Require at least 128 bit encryption for all operations
> security ssf=128
> ==========
>
> And just for completeness, here are the contents of my ldap.conf file that
> ldap clients use
> ==========
> BASE dc=mydomain,dc=dyndns,dc=org
> URI ldap://ldap.mydomain.dyndns.org
> TLS_CIPHER_SUITE HIGH:!ADH
> TLS_CACERT /etc/ssl/certs/mydomain.dyndns.org_CA.pem
> TLS_REQCERT demand
> TLS_CRLCHECK none
> ==========

This is the complete content of ldap.conf on the clients?

> I even tried purging slapd, reinstalling it, and re-populating it from scratch
> (I didn't just reload a DB backup).
>
> The fresh install worked fine as non-root until a reboot - at which point the
> problem described above returned and TLS connections fail.

That's strange.
> I've tried running slapd with various debug levels and with strace - looking for
> problems opening any files or other errors, but if it's in there, I'm not seeing it.
>
> Several of the search results for "error:14094410:SSL" mention client certificates,
> but I've specified "TLSVerifyClient never" in slapd.conf and it still doesn't explain
> why this behavior only shows up when running as non-root.
>
> If there is any specific debug output (slapd -d, strace, ltrace, gdb, etc) you need
> to help diagnose the cause, just let me know and I'd be happy to provide it.

I've just tried with the same TLS settings and I can't reproduce the problem somehow.
User is openldap, group is openldap, all permissions are fine:

[EMAIL PROTECTED] # ldapsearch -x-ZZ
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# numResponses: 3
# numEntries: 2

[EMAIL PROTECTED] # ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required

# numResponses: 1

--

Can you please send the output of:

ldapsearch -x -ZZ -d 7

Regards,

Matthijs Mohlmann
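Both sides of this thread are assuming that the openldap user can actually read the three files named by the TLS* directives; a private key, or a parent directory such as /etc/ldap/private, that only root can traverse gives exactly the "alert number 40" handshake failure seen above while everything keeps working as root. The script below is an added example (not from the bug report or the Debian package) that parses those directives out of slapd.conf and checks each path as the service user; the default config path and user name are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: confirm that every file named by a
# TLS* directive in slapd.conf is reachable by the slapd service user.

# Print the paths given to TLSCACertificateFile, TLSCertificateFile and
# TLSCertificateKeyFile in the named slapd.conf (comment lines never match).
tls_files_from_conf() {
    awk '$1 ~ /^TLS(CACertificate|Certificate|CertificateKey)File$/ { print $2 }' "$1"
}

# Print every ancestor directory of an absolute path, root first.
ancestor_dirs() {
    p=$(dirname "$1"); out=""
    while [ "$p" != "/" ]; do
        out="$p
$out"
        p=$(dirname "$p")
    done
    printf '/\n%s' "$out"
}

# Check one path as the *current* user: every ancestor directory needs the
# search (x) bit and the file itself must be readable. Prints the first
# obstacle and returns 1; prints "ok" and returns 0 when all is accessible.
# Paths are assumed to contain no whitespace.
check_path_readable() {
    for d in $(ancestor_dirs "$1"); do
        [ -x "$d" ] || { echo "cannot search directory: $d"; return 1; }
    done
    [ -r "$1" ] || { echo "cannot read file: $1"; return 1; }
    echo "ok: $1"
}

# Test every TLS file as the service user (needs root to switch user).
# test -r uses access(2), which also fails when an ancestor directory is not
# searchable, so a 0700 root-owned /etc/ldap/private is caught here too.
check_slapd_tls_files() {
    conf=${1:-/etc/ldap/slapd.conf}; user=${2:-openldap}; rc=0
    for f in $(tls_files_from_conf "$conf"); do
        if su -s /bin/sh "$user" -c "test -r '$f'"; then
            echo "ok as $user: $f"
        else
            echo "NOT readable by $user: $f"; rc=1
        fi
    done
    return $rc
}

# As a script: run as root, e.g.  sh check_tls_files.sh /etc/ldap/slapd.conf openldap
if [ "$#" -gt 0 ]; then check_slapd_tls_files "$1" "$2"; fi
```

To see which path component blocks access, switch to the service user with `su -s /bin/sh openldap` and call `check_path_readable` on the offending file.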