Bug#861838: ldap-utils: ldapsearch and ldapwhoami cannot connect to ldaps server

2017-05-05 Thread Ryan Tandy

Control: tag -1 = confirmed
Control: found -1 2.4.44+dfsg-4
Control: retitle -1 long list of acceptable CA names breaks libldap

OK, I have reproduced this. On Debian:

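# Reproduction on Debian (run as root): install slapd with the ssl-cert
# "snakeoil" certificate, enable the ldaps:// listener, and have the server
# request a client certificate.
apt-get install ldap-utils slapd ssl-cert

# slapd must be able to read the snakeoil private key (group ssl-cert).
adduser openldap ssl-cert

# Enable ldaps:// alongside ldap:// and ldapi://.
# (One command line; the original message had wrapped it onto two lines,
# which would have run sed on stdin and then tried to execute the file.)
sed -i 's,^SLAPD_SERVICES=.*,SLAPD_SERVICES="ldap:// ldapi:// ldaps://",' /etc/default/slapd

service slapd restart

# TLS settings in cn=config, over the ldapi:// socket with SASL EXTERNAL
# (authenticated by the connecting process's uid, so no password needed).
# olcTLSVerifyClient allow: the server requests a client certificate but
# proceeds without one. Pointing olcTLSCACertificateFile at the full system
# CA bundle is what makes the server advertise a long list of acceptable
# CA names in its CertificateRequest - the condition this bug is about.
ldapmodify -H ldapi:// -Y EXTERNAL << EOF
dn: cn=config
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key

EOF

# prints a long list of acceptable CA names
# (one command line; it had been wrapped in the original message)
openssl s_client -CAfile /etc/ssl/certs/ssl-cert-snakeoil.pem -connect localhost:636 -showcerts

# should succeed, but fails
# -ZZ: StartTLS must succeed or the tool aborts; -x: simple (anonymous) bind.
# LDAPTLS_CACERT points at the snakeoil certificate itself, so a failed
# server-certificate verification is not the explanation for the failure.
LDAPTLS_CACERT=/etc/ssl/certs/ssl-cert-snakeoil.pem ldapwhoami -ZZ -x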

I should note that I rebuilt libldap and the clients against OpenSSL, and 
the same steps then work. However, gnutls-cli also works for me, so this 
problem appears to be specific to libldap's GnuTLS support.




Bug#861838: ldap-utils: ldapsearch and ldapwhoami cannot connect to ldaps server

2017-05-04 Thread root
Package: ldap-utils
Version: 2.4.40+dfsg-1+deb8u2
Severity: normal

Dear Maintainer,

On a fresh install of Debian 8, I cannot get ldapsearch or ldapwhoami to 
connect to an LDAPS server. There appears to be some TLS happening, and a 
connection is made, but then it fails without any useful error messages at 
debug level 1.


contents of /etc/ldap/ldap.conf:

# Trust store used by the client to verify the server certificate.
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt

# MattW 04/19/2017 - Added the following
# TLS_REQCERT allow: a server certificate that fails verification is
# ignored and the session proceeds, so this removes the protection against
# a spoofed server. Acceptable while isolating a failure, not for production.
TLS_REQCERT  allow
# NOTE(review): "SSL" is not an option documented in OpenLDAP's ldap.conf(5)
# (it looks like the nss_ldap/pam_ldap ldap.conf keyword); libldap presumably
# ignores it - confirm. StartTLS on the command line is requested with -Z/-ZZ.
SSL start_tls



root@ldi-deb8-test:~/UW-LDI# !ldapsearch
ldapsearch -d1  -Z  -H ldap://ldi.s.uw.edu -W  -D 
cn=unitAdmin,ou=auth,ou=csde,dc=ldi,dc=uw,dc=edu -LLL -s base -b 
cn=unitAdmin,ou=auth,ou=csde,dc=ldi,dc=uw,dc=edu
ldap_url_parse_ext(ldap://ldi.s.uw.edu)
ldap_create
ldap_url_parse_ext(ldap://ldi.s.uw.edu:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldi.s.uw.edu:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 69.91.245.42:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 4
ldap_result ld 0x7f9918572860 msgid 1
wait4msg ld 0x7f9918572860 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f9918572860 msgid 1 all 1
** ld 0x7f9918572860 Connections:
* host: ldi.s.uw.edu  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May  4 08:08:31 2017


** ld 0x7f9918572860 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f9918572860 request count 1 (abandoned 0)
** ld 0x7f9918572860 Response Queue:
   Empty
  ld 0x7f9918572860 response count 0
ldap_chkResponseList ld 0x7f9918572860 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f9918572860 NULL
ldap_int_select
read1msg: ld 0x7f9918572860 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7f9918572860 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f9918572860 0 new referrals
read1msg:  mark request completed, ld 0x7f9918572860 msgid 1
request done: ld 0x7f9918572860 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 74 bytes to sd 4
ldap_result ld 0x7f9918572860 msgid 2
wait4msg ld 0x7f9918572860 msgid 2 (infinite timeout)
wait4msg continue ld 0x7f9918572860 msgid 2 all 1
** ld 0x7f9918572860 Connections:
* host: ldi.s.uw.edu  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May  4 08:08:38 2017


** ld 0x7f9918572860 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f9918572860 request count 1 (abandoned 0)
** ld 0x7f9918572860 Response Queue:
   Empty
  ld 0x7f9918572860 response count 0
ldap_chkResponseList ld 0x7f9918572860 msgid 2 all 1
ldap_chkResponseList returns ld 0x7f9918572860 NULL
ldap_int_select
read1msg: ld 0x7f9918572860 msgid 2 all 1
ber_get_next
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 1 1
ldap_free_connection: actually freed
root@ldi-deb8-test:~/UW-LDI# 



root@ldi-deb8-test:~/UW-LDI# ldapwhoami -d1 -H 'ldaps://ldi.s.uw.edu' -w 
'passwerd' -D cn=unitAdmin,ou=auth,ou=csde,ou=ldi,ou=uw,ou=edu  
ldap_url_parse_ext(ldaps://ldi.s.uw.edu)
ldap_create
ldap_url_parse_ext(ldaps://ldi.s.uw.edu:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldi.s.uw.edu:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 128.208.178.146:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 74 bytes to sd 4
ldap_result ld 0x7f80d936b820 msgid 1
wait4msg ld 0x7f80d936b820 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f80d936b820 msgid 1 all 1
** ld 0x7f80d936b820 Connections:
* host: ldi.s.uw.edu  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu May  4 08:35:31 2017


** ld 0x7f80d936b820 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f80d936b820 request count 1 (abandoned 0)
** ld 0x7f80d936b820 Response Queue:
   Empty
  ld 0x7f80d936b820 response count 0
ldap_chkResponseList ld 0x7f80d936b820 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f80d936b820 NULL
ldap_int_select
read1msg: ld 0x7f80d936b820 msgid 1 all 1