Your message dated Wed, 25 Mar 2020 11:43:05 -0700
with message-id <20200325184305.ga25...@t570.nardis.ca>
and subject line Re: Bug#807922: slapd: Unable to use olcTLSVerifyClient
has caused the Debian Bug report #807922,
regarding slapd: Unable to use olcTLSVerifyClient
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
807922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807922
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: slapd
Version: 2.4.40+dfsg-1+deb8u1
Severity: important


Hi everyone.

From a fresh install (the server is a virtual machine with VirtualBox), after
basic configuration of slapd, without any configuration other than what is made
by apt-get, with no special data, when I add this piece of LDIF

        dn: cn=config
        changeType: modify
        add: olcTLSVerifyClient
        olcTLSVerifyClient: never
        -

I always got:

root@debian:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f toto.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

and the debug file contains (with LogLevel: 1):

Dec 14 15:04:12 debian slapd[3597]: slap_listener_activate(11):
Dec 14 15:04:12 debian slapd[3597]: >>> slap_listener(ldapi:///)
Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
Dec 14 15:04:12 debian slapd[3597]: op tag 0x60, time 1450101852
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=0 do_bind
Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <>
Dec 14 15:04:12 debian slapd[3597]: <<< dnPrettyNormal: <>, <>
Dec 14 15:04:12 debian slapd[3597]: do_bind: dn () SASL mech EXTERNAL
Dec 14 15:04:12 debian slapd[3597]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
Dec 14 15:04:12 debian slapd[3597]: <==slap_sasl2dn: Converted SASL name to <nothing>
Dec 14 15:04:12 debian slapd[3597]: SASL Authorize [conn=1031]:  proxy authorization allowed authzDN=""
Dec 14 15:04:12 debian slapd[3597]: send_ldap_sasl: err=0 len=-1
Dec 14 15:04:12 debian slapd[3597]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
Dec 14 15:04:12 debian slapd[3597]: send_ldap_response: msgid=1 tag=97 err=0
Dec 14 15:04:12 debian slapd[3597]: <== slap_sasl_bind: rc=0
Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
Dec 14 15:04:12 debian slapd[3597]: op tag 0x66, time 1450101852
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=1 do_modify
Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <cn=config>
Dec 14 15:04:12 debian slapd[3597]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Dec 14 15:04:12 debian slapd[3597]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "objectClass"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "cn"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcArgsFile"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcPidFile"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcToolThreads"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "structuralObjectClass"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "entryUUID"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "creatorsName"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "createTimestamp"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcConnMaxPending"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcLogLevel"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcTLSVerifyClient"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "entryCSN"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "modifiersName"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "modifyTimestamp"
Dec 14 15:04:12 debian slapd[3597]: send_ldap_result: conn=1031 op=1 p=3
Dec 14 15:04:12 debian slapd[3597]: send_ldap_response: msgid=2 tag=103 err=53
Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
Dec 14 15:04:12 debian slapd[3597]: op tag 0x42, time 1450101852
Dec 14 15:04:12 debian slapd[3597]: ber_get_next on fd 13 failed errno=0 (Success)
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=2 do_unbind
Dec 14 15:04:12 debian slapd[3597]: connection_close: conn=1031 sd=13
Dec 14 15:04:58 debian slapd[3597]: slap_listener_activate(11):
Dec 14 15:04:58 debian slapd[3597]: >>> slap_listener(ldapi:///)
Dec 14 15:04:58 debian slapd[3597]: connection_get(13): got connid=1032
Dec 14 15:04:58 debian slapd[3597]: connection_read(13): checking for input on id=1032
Dec 14 15:04:58 debian slapd[3597]: op tag 0x60, time 1450101898
Dec 14 15:04:58 debian slapd[3597]: conn=1032 op=0 do_bind
Dec 14 15:04:58 debian slapd[3597]: >>> dnPrettyNormal: <>
Dec 14 15:04:58 debian slapd[3597]: <<< dnPrettyNormal: <>, <>
Dec 14 15:04:58 debian slapd[3597]: do_bind: dn () SASL mech EXTERNAL
Dec 14 15:04:58 debian slapd[3597]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
Dec 14 15:04:58 debian slapd[3597]: <==slap_sasl2dn: Converted SASL name to <nothing>
Dec 14 15:04:58 debian slapd[3597]: SASL Authorize [conn=1032]:  proxy authorization allowed authzDN=""
Dec 14 15:04:58 debian slapd[3597]: send_ldap_sasl: err=0 len=-1
Dec 14 15:04:58 debian slapd[3597]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
Dec 14 15:04:58 debian slapd[3597]: send_ldap_response: msgid=1 tag=97 err=0
Dec 14 15:04:58 debian slapd[3597]: <== slap_sasl_bind: rc=0
Dec 14 15:04:58 debian slapd[3597]: connection_get(13): got connid=1032
Dec 14 15:04:58 debian slapd[3597]: connection_read(13): checking for input on id=1032
Dec 14 15:04:58 debian slapd[3597]: op tag 0x63, time 1450101898
Dec 14 15:04:58 debian slapd[3597]: conn=1032 op=1 do_search
Dec 14 15:04:58 debian slapd[3597]: >>> dnPrettyNormal: <cn=config>
Dec 14 15:04:58 debian slapd[3597]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Dec 14 15:04:58 debian slapd[3597]: ==> limits_get: conn=1032 op=1 self="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" this="cn=config"
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn=module{0},cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn={0}core,cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn={1}cosine,cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn={2}nis,cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn={3}inetorgperson,cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="olcBackend={0}mdb,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="olcDatabase={-1}frontend,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="olcDatabase={0}config,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="olcDatabase={1}mdb,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: send_ldap_result: conn=1032 op=1 p=3
Dec 14 15:04:58 debian slapd[3597]: send_ldap_response: msgid=2 tag=101 err=0
Dec 14 15:04:58 debian slapd[3597]: connection_get(13): got connid=1032
Dec 14 15:04:58 debian slapd[3597]: connection_read(13): checking for input on id=1032
Dec 14 15:04:58 debian slapd[3597]: op tag 0x42, time 1450101898
Dec 14 15:04:58 debian slapd[3597]: ber_get_next on fd 13 failed errno=0 (Success)
Dec 14 15:04:58 debian slapd[3597]: conn=1032 op=2 do_unbind
Dec 14 15:04:58 debian slapd[3597]: connection_close: conn=1032 sd=13

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages slapd depends on:
ii  adduser                     3.113+nmu3
ii  coreutils                   8.23-4
ii  debconf [debconf-2.0]       1.5.56
ii  libc6                       2.19-18+deb8u1
ii  libdb5.3                    5.3.28-9
ii  libgnutls-deb0-28           3.3.8-6+deb8u3
ii  libldap-2.4-2               2.4.40+dfsg-1+deb8u1
ii  libltdl7                    2.4.2-1.11
ii  libodbc1                    2.3.1-3
ii  libperl5.20                 5.20.2-3+deb8u1
ii  libsasl2-2                  2.1.26.dfsg1-13+deb8u1
ii  libslp1                     1.2.1-10+deb8u1
ii  libwrap0                    7.6.q-25
ii  lsb-base                    4.1+Debian13+nmu1
ii  multiarch-support           2.19-18+deb8u1
ii  perl [libmime-base64-perl]  5.20.2-3+deb8u1
ii  psmisc                      22.21-2

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.26.dfsg1-13+deb8u1

Versions of packages slapd suggests:
ii  ldap-utils                                             2.4.40+dfsg-1+deb8u1
pn  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi  <none>

-- debconf information:
* slapd/password1: (password omitted)
  slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
  slapd/internal/adminpw: (password omitted)
  slapd/password_mismatch:
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/upgrade_slapcat_failure:
  slapd/unsafe_selfwrite_acl:
* slapd/no_configuration: false
* slapd/move_old_database: true
  slapd/invalid_config: true
* slapd/purge_database: true
* slapd/allow_ldap_v2: false
* slapd/domain: moi.fr
  slapd/dump_database: when needed
* slapd/backend: MDB
* shared/organization: moi.fr

--- End Message ---
--- Begin Message ---
Hello,

On Mon, 4 Jan 2016 17:39:24 +0100 Albert Shih <albert.s...@obspm.fr> wrote:
> In fact I found the « problem ». I don't know if it's really a bug, a
> « not_very_user_friendly_feature » or something like that.
>
> There are two points:
>
>  1/ I need to add those olc* in a specific order; if I don't, I get that
>  insult (unwilling to perform)

This is an intentional choice by upstream, that you have to activate the TLS engine (by configuring a certificate and private key) first, before configuring other TLS settings.

That can be accomplished in a single LDIF changeset:

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /path/to/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /path/to/priv.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

but the order still has to be respected.

>  2/ If those files (certificate private key, CA chain, certificate) are not
>  readable WHEN the daemon starts, changing the rights/owner (by
>  chmod/chown) doesn't change anything. That means if, when the slapd daemon
>  starts, I have the wrong owner on the private key, I need to restart the
>  daemon AFTER changing the owner.

I don't quite understand this one. If TLS is configured, but some file is not readable, slapd refuses to start at all - so yes, you have to fix the permissions and then try again to start it. But if slapd is already running, and you are configuring TLS for the first time, then this works fine:

cat > tls.ldif << EOF
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /path/to/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /path/to/priv.key
EOF

chmod 000 /path/to/priv.key

ldapmodify -H ldapi:// -QY EXTERNAL -f tls.ldif
(fails because priv.key is not readable)

chmod 640 /path/to/priv.key

ldapmodify -H ldapi:// -QY EXTERNAL -f tls.ldif
(succeeds this time, now TLS works)

I think things are working as intended here, so I'm closing this bug; but feel free to reopen it, or open a new one, if you believe there is something that actually needs fixing in slapd.

thanks,
Ryan

--- End Message ---
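The two points settled in the reply above (the TLS engine must be activated with a certificate and key before olcTLSVerifyClient is accepted, and the key has to be readable by slapd at the moment the modify is applied) as one added shell example. This is not code from the thread and not part of the slapd package; it assumes GNU stat (Linux), Debian's openldap service user, the ldapi:/// socket, and the placeholder paths in the usage line. It goes one step beyond the thread by also rejecting a world-readable private key.

```shell
#!/bin/sh
# Added example (not from the bug thread, not slapd's own tooling).
# Pre-flight check of the TLS private key, then the cn=config changeset in
# the order slapd requires: certificate and key first, olcTLSVerifyClient last.
# Assumptions: GNU stat, slapd runs as user "openldap" (Debian default),
# cn=config is reachable over ldapi:///, paths are placeholders you replace.

# tls_key_ok FILE [OWNER]
# Succeeds only if FILE exists, is owned by OWNER (name or numeric uid,
# default "openldap"), has the owner-read bit set and is not world-readable.
# A key slapd cannot read makes the ldapmodify fail, as the reply shows;
# a world-readable key would leak the server identity, so it is refused too.
tls_key_ok() {
    file=$1
    owner=${2:-openldap}
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
    case $owner in
        *[!0-9]*) want_uid=$(id -u "$owner" 2>/dev/null) ||
            { echo "$owner: no such user" >&2; return 1; } ;;
        *) want_uid=$owner ;;
    esac
    have_uid=$(stat -c %u "$file") || return 1
    mode=$(stat -c %a "$file") || return 1
    m=$((0$mode))                       # octal mode string -> integer
    [ "$have_uid" -eq "$want_uid" ] ||
        { echo "$file: owned by uid $have_uid, not $want_uid" >&2; return 1; }
    [ $((m & 0400)) -ne 0 ] ||
        { echo "$file: owner cannot read it (mode $mode)" >&2; return 1; }
    [ $((m & 0004)) -eq 0 ] ||
        { echo "$file: world-readable (mode $mode)" >&2; return 1; }
    return 0
}

# tls_ldif CERT KEY [VERIFY]
# Prints one LDIF changeset. Order matters: slapd answers err=53
# ("unwilling to perform") for olcTLSVerifyClient until the TLS engine has
# a certificate and key, so those two attributes are added first.
tls_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: $1
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $2
-
add: olcTLSVerifyClient
olcTLSVerifyClient: ${3:-never}
EOF
}

# tls_apply CERT KEY [VERIFY] [OWNER]
# Runs the key check, then feeds the changeset to ldapmodify over the local
# socket with SASL/EXTERNAL (root's peer credentials), as in the thread.
tls_apply() {
    tls_key_ok "$2" "${4:-openldap}" || return 1
    tls_ldif "$1" "$2" "${3:-never}" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Usage (placeholder paths):
#   sh slapd-tls.sh /etc/ssl/certs/slapd.pem /etc/ssl/private/slapd.key never
if [ $# -ge 2 ]; then
    tls_apply "$@"
fi
```

Run it as root on the LDAP server; the check fails closed with a one-line reason on stderr, so the changeset is never sent with a key slapd could not open. Swap `never` for `demand` only once clients actually present certificates, since `demand` makes the server reject TLS sessions without one.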