>Synopsis: ldapd resets TLS connections in OpenBSD 6.6
>Category: system
>Environment:
System : OpenBSD 6.6
Details : OpenBSD 6.6 (GENERIC.MP) #372: Sat Oct 12 10:56:27 MDT 2019
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
When you enable TLS access in ldapd, StartTLS connections are reset.
ldaps and secure connections work fine.
The problem appeared after switching from 6.5 to 6.6.
Here is the ldapd output:
$ doas ldapd -dvv
parsing config /etc/ldapd.conf
parsing schema file '/etc/ldap/core.schema'
parsing schema file '/etc/ldap/inetorgperson.schema'
parsing schema file '/etc/ldap/nis.schema'
loading certificate file /etc/ldap/certs/vlan10.crt
loading key file /etc/ldap/certs/vlan10.key
...
startup
parsing config /etc/ldapd.conf
parsing schema file '/etc/ldap/core.schema'
parsing schema file '/etc/ldap/inetorgperson.schema'
parsing schema file '/etc/ldap/nis.schema'
loading certificate file /etc/ldap/certs/vlan10.crt
loading key file /etc/ldap/certs/vlan10.key
listening on 192.168.1.1:389
opening namespace ...
ldape: entering event loop
accepted connection from 192.168.1.1 on fd 13
consumed 31 bytes
got request type 23, id 1
sending response 24 with result 2
consumed 7 bytes
got request type 2, id 2
current bind dn =
end-of-file on connection 13
closing connection 13
accepted connection from 192.168.1.1 on fd 13
consumed 31 bytes
got request type 23, id 1
sending response 24 with result 2
consumed 7 bytes
got request type 2, id 2
current bind dn =
end-of-file on connection 13
closing connection 13
accepted connection from 192.168.1.1 on fd 13
consumed 31 bytes
got request type 23, id 1
sending response 24 with result 2
consumed 7 bytes
got request type 2, id 2
current bind dn =
end-of-file on connection 13
And ldapsearch output:
$ ldapsearch -d 5 -x -Z -D "cn=root,dc=..." -H ldap://... -W
...
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ...:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ... 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x111f389848c0 msgid 1
wait4msg ld 0x111f389848c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x111f389848c0 msgid 1 all 1
** ld 0x111f389848c0 Connections:
* host: ... port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Oct 18 00:39:21 2019
** ld 0x111f389848c0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x111f389848c0 request count 1 (abandoned 0)
** ld 0x111f389848c0 Response Queue:
Empty
ld 0x111f389848c0 response count 0
ldap_chkResponseList ld 0x111f389848c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x111f389848c0 NULL
ldap_int_select
read1msg: ld 0x111f389848c0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
read1msg: ld 0x111f389848c0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x111f389848c0 0 new referrals
read1msg: mark request completed, ld 0x111f389848c0 msgid 1
request done: ld 0x111f389848c0 msgid 1
res_errno: 2, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Protocol error (2)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 50 bytes to sd 3
ldap_result ld 0x111f389848c0 msgid 2
wait4msg ld 0x111f389848c0 msgid 2 (infinite timeout)
wait4msg continue ld 0x111f389848c0 msgid 2 all 1
** ld 0x111f389848c0 Connections:
* host: ... port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Oct 18 00:39:27 2019
** ld 0x111f389848c0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x111f389848c0 request count 1 (abandoned 0)
** ld 0x111f389848c0 Response Queue:
Empty
ld 0x111f389848c0 response count 0
ldap_chkResponseList ld 0x111f389848c0 msgid 2 all 1
ldap_chkResponseList returns ld 0x111f389848c0 NULL
ldap_int_select
read1msg: ld 0x111f389848c0 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x111f389848c0 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x111f389848c0 0 new referrals
read1msg: mark request completed, ld 0x111f389848c0 msgid 2
request done: ld 0x111f389848c0 msgid 2
res_errno: 13, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_bind: Confidentiality required (13)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
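The exchange the two traces record, decoded byte for byte, as an added example that is not part of this PR: the 31-byte StartTLS ExtendedRequest (ldapd's "request type 23"), the ExtendedResponse ("response 24", ldapsearch's "len 36") carrying resultCode 2 = protocolError, and the BindResponse ("len 12") carrying resultCode 13 = confidentialityRequired. The bytes are constructed here from the BER layout in RFC 4511 so the numbers in both logs can be checked offline; nothing is sent to a server.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
# protocolOp numbers ([APPLICATION n]) and LDAPResult codes that occur in the two logs
OP_NAMES = {0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest",
            23: "ExtendedRequest", 24: "ExtendedResponse"}
RESULT_NAMES = {0: "success", 2: "protocolError", 13: "confidentialityRequired"}

def tlv(tag, body):                 # BER tag-length-value, short form (enough here)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body
def message(msgid, protocol_op):    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }
    return tlv(0x30, tlv(0x02, bytes([msgid])) + protocol_op)
def starttls_request(msgid):        # [APPLICATION 23] ExtendedRequest { requestName [0] OID }
    return message(msgid, tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))
def unbind_request(msgid):          # [APPLICATION 2] UnbindRequest ::= NULL
    return message(msgid, tlv(0x42, b""))

def ldap_result(msgid, op_tag, code, response_name=None):
    # ExtendedResponse (op_tag 0x78) or BindResponse (0x61) wrapping an LDAPResult
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, b"")  # resultCode, matchedDN, errorMessage
    if response_name:
        body += tlv(0x8A, response_name.encode())                       # responseName [10] OID
    return message(msgid, tlv(op_tag, body))

def parse_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode(msg):                    # -> (messageID, protocolOp number, resultCode or None)
    tag, seq, _ = parse_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, mid, pos = parse_tlv(seq, 0)
    op_tag, op_body, _ = parse_tlv(seq, pos)
    op = op_tag & 0x1F                        # drop the APPLICATION/CONSTRUCTED bits
    # Bind/Extended responses open with resultCode ENUMERATED; requests carry none
    code = parse_tlv(op_body, 0)[1][0] if op in (1, 24) else None
    return mid[0], op, code

def describe(msg):
    mid, op, code = decode(msg)
    text = f"id {mid}: {OP_NAMES.get(op, op)}"
    if code is not None:
        text += f" result {code} ({RESULT_NAMES.get(code, 'other')})"
    return text

if __name__ == "__main__":
    # Constructed replay of the logs: 31-byte request, len-36 result 2, len-12 result 13, 7-byte unbind
    for m in (starttls_request(1), ldap_result(1, 0x78, 2, STARTTLS_OID),
              ldap_result(2, 0x61, 13), unbind_request(3)):
        print(f"{len(m)} bytes (contents len {m[1]}): {describe(m)}")
```

Note the ordering in the ldapsearch trace: with -Z (rather than -ZZ) the client treated the StartTLS failure as non-fatal and went on to send the 50-byte simple bind, DN and password included, over the still-cleartext socket. The server's result 13 refused that bind, but the credentials had already left the client unprotected, so -ZZ is the safer switch when StartTLS is expected to work.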
>How-To-Repeat:
1. Enable TLS access in ldapd.conf:
listen on 192.168.1.1 tls certificate vlan10
2. Start ldapd as usual:
rcctl start ldapd
3. Connect with an LDAP client.
>Fix:
Revert to /usr/sbin/ldapd from OpenBSD 6.5.
dmesg: