[Bug 420277] Re: ldap tls refusing to initialize
Marking this bug as invalid - seems that most of the issues reported here are configuration issues: file permissions, apparmor profile, certificates chain.

** Changed in: openldap (Ubuntu) Status: Confirmed => Invalid

-- ldap tls refusing to initialize https://bugs.launchpad.net/bugs/420277 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 420277] Re: ldap tls refusing to initialize
** Changed in: openldap (Ubuntu) Importance: Undecided => Low
[Bug 420277] Re: ldap tls refusing to initialize
For the time being, I posted an update for the network-auth.xml in ubuntu-docs. https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs/+bug/437483
[Bug 420277] Re: ldap tls refusing to initialize
I was using the how-to referenced by the OP. I was also using this one on certificates. https://help.ubuntu.com/9.04/serverguide/C/certificates-and-security.html

What got me messed up was a small, but important point that got lost between the two how-tos. The LDAP how-to takes advantage of the group ssl-cert which has read privileges on /etc/ssl/private. They had the nifty idea of putting the openldap account into the ssl-cert group. The certificate how-to says to put the key into /etc/ssl/private. This is fine, but while the /etc/ssl/private folder was readable by openldap, the new copied keyfile was not. Unfortunately for me (and probably others) the only error I got was the one the OP was also getting.

A trick I discovered can help:

  become root: sudo -i
  become openldap: su openldap
  check privileges: cat /etc/ssl/private/nameofmyserver.key

It helped me track down the answer.
[Bug 420277] Re: ldap tls refusing to initialize
Thanks Dave. I agree about the docs on this. Can you comment on which howto you were using?
[Bug 420277] Re: ldap tls refusing to initialize
Well, after much pain and suffering for me it turned out to be a simple permissions problem. I believe the how-to should be changed to ensure this doesn't happen to anyone else. Problem was that my private keyfile did not provide read permissions to the group.

  sudo chmod g+r /etc/ssl/private/myserver.key

and voila...everything works.
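The two permission fixes above (the su-to-openldap check and the missing g+r on the key) can be verified without switching users. This is an added example, not code from the thread or from the openldap package: a POSIX sh function that walks from / down to the key file and reports whether a process with a given numeric uid and group list could search every directory and read the file, judged from the mode bits that GNU stat reports. It assumes GNU stat's -c format, ignores ACLs, and the /etc/ssl/private/server.key path at the bottom is a placeholder.

```shell
#!/bin/sh
# can_read_as: reproduce the "su openldap; cat key" check from mode bits alone.
# Assumes GNU stat (-c '%u %g %a'); ACLs and capabilities are not considered.

# bit_set DIGIT BIT: true if permission BIT (4=r, 2=w, 1=x) is set in octal DIGIT
bit_set() { [ $(( $1 & $2 )) -ne 0 ]; }

# perm_ok PATH UID GIDS BIT: would a process with numeric uid UID and the
# space-separated group list GIDS have permission BIT on PATH?  Owner bits
# apply if the uid matches, else group bits if any gid matches, else other bits.
perm_ok() {
  path=$1; uid=$2; gids=$3; bit=$4
  [ "$uid" -eq 0 ] && return 0          # root bypasses mode bits entirely
  out=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 1
  set -- $out
  fuid=$1; fgid=$2; m=000$3
  m=${m#"${m%???}"}                     # last three octal digits: owner group other
  o=${m%??}; t=${m#?}; g=${t%?}; w=${m#??}
  if [ "$fuid" -eq "$uid" ]; then bit_set "$o" "$bit"; return $?; fi
  for gid in $gids; do
    if [ "$gid" -eq "$fgid" ]; then bit_set "$g" "$bit"; return $?; fi
  done
  bit_set "$w" "$bit"
}

# can_read_as FILE UID GIDS: every directory on the way needs search (x)
# permission and the file itself needs read (r).  Prints the first failure,
# which a bare "TLS init def ctx failed: -1" in the log does not tell you.
can_read_as() {
  f=$1; u=$2; gl=$3
  case $f in /*) ;; *) f=$(pwd)/$f ;; esac
  d=$f
  while [ "$d" != / ]; do
    d=$(dirname "$d")
    perm_ok "$d" "$u" "$gl" 1 || { echo "uid $u cannot search $d"; return 1; }
  done
  perm_ok "$f" "$u" "$gl" 4 || { echo "uid $u cannot read $f"; return 1; }
  echo "uid $u can read $f"
}

# Usage: check a key (placeholder path) as the openldap account would see it;
# skipped when no such account exists, non-fatal so it is safe under set -e.
if id openldap >/dev/null 2>&1; then
  can_read_as /etc/ssl/private/server.key "$(id -u openldap)" "$(id -G openldap)" || :
fi
```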
[Bug 420277] Re: ldap tls refusing to initialize
Yes, continues to be annoying. One thing to do is to carefully verify the certificate chain you have configured for LDAP use. If the certificate is self-signed, then don't configure the olcCACertificateFile item. Otherwise, make sure the CA signing the certificate has its certificate in this property.
[Bug 420277] Re: ldap tls refusing to initialize
In the meantime, does anybody have a work-around for this? I've hit this problem on a vanilla Ubuntu 9.04 server install and can't get past it!
[Bug 420277] Re: ldap tls refusing to initialize
Playing around with the source today and debugging slapd with gdb. It appears that much of the pain here is in tls_g.c, the wrappers for gnutls. The function tlsg_ctx_init in particular. This is where, at least for my configuration, most of the failures are occurring. And the code in this function often makes a call onto a gnutls function, as in:

  if (lo->ldo_tls_cacertfile != NULL) {
      rc = gnutls_certificate_set_x509_trust_file(
          ctx->cred, lt->lt_cacertfile, GNUTLS_X509_FMT_PEM );
      if ( rc < 0 ) return -1;
  }

and doesn't really do anything with the return code. There are 3 places in tlsg_ctx_init where this occurs with no logging of what the actual error code was. It just returns -1, rather than a more specific error code. Upshot is that we simply get a -1 error code in the log with no further advice on the specific problem. The code in tls_o.c for this function and others seems better developed and reports more useful error codes.

With a self-signed certificate, and setting only olcTLSCertificateFile and olcTLSCertificateKeyFile, the server works and does answer properly when trying with a command on another machine like:

  openssl s_client -connect :636 -showcerts

If olcTLSCACertificateFile is set to the self-signed certificate, slapd fails to initialize TLS. I suspect most of the problems being reported are due to configuration issues, like those reported by Christian R. Without better error output, it is very difficult to figure these out.

Now I'd be delighted to try and add more debugging and produce a patch; however, perhaps I can get a bit of help with the packaging? I've been able to get the source with 'apt-get source libldap-2.4-2', and go in change the debian/configure.options, followed by a 'debchange -i' and 'debuild -us -uc -i -I', then a 'sudo debi', and get a version with debugging symbols installed.

What has been eluding me (after reading the HOWTO and several other tutorials) is how to get changes in the source to build into the package properly when installed and how to get other Debug statements to work (though perhaps that is just because the packaging isn't working right, since the machine language statements in the debugger don't agree with the source listed in gdb, ouch). With a -nc option on debuild it builds, but likely isn't actually including the changes. Without the -nc, it complains about the upstream patches not being able to be applied. Hopefully someone can point me to the correct descriptions or give me some help on this one. Of course, a fixed up package with better error output from one of the openldap gurus would be most welcome!

thanks, Peter
[Bug 420277] Re: ldap tls refusing to initialize
Same here. I have a vanilla Jaunty install (Atom-330 with 64-bit Jaunty, if this makes any difference) and following the above instructions that Peter referenced fails for me with the same error, and my ldap.conf also doesn't have this TLS_RANDFILE set.
[Bug 420277] Re: ldap tls refusing to initialize
Interesting. My version also was an upgrade from hardy->intrepid->jaunty. My /etc/ldap/ldap.conf doesn't contain a line about TLS_RANDFILE though, and my install doesn't report the TLS: gcry_control error, rather, there is nothing other than the "main: TLS init def ctx failed: -1" complaint. I suspect these may be related problems, at least in the sense of hard to tell what is going wrong during initialization. I will likely later this weekend try to clear aside configuration and try a local build of openldap with debugging for gdb turned on and built against gnutls.
Re: [Bug 420277] Re: ldap tls refusing to initialize
Ok, I finally got it to work. I had purged slapd completely and removed all of its /var/lib/ldap/* stuff as well as the slapd.d directory under /etc/ldap. After that I tried to install slapd. Same error! So I really wondered how a fresh install could present me with the same error message, although there was absolutely no TLS support yet. And then I got it: I had a look inside /etc/ldap/ldap.conf, which was the only file left from the previous installation:

  TLS_RANDFILE /dev/urandom

was the problem. I simply removed this tag. Then I put back my saved backup from intrepid (including overlays and TLS support), started slapd and now everything is working as expected. So my guess is that this option is broken under jaunty. It is unnecessary, because the man page says that /dev/[u]random is looked up automatically. But this got broken from intrepid to jaunty.
[Bug 420277] Re: ldap tls refusing to initialize
Interesting that there is the TLS complaint through "TLS: gcry_control ..." Nothing like that in mine. I was looking through the source a bit last night on this. It seems that the TLS init call is returning a -1 error code under some circumstances without really throwing another error message. Despite the problems with gnutls, it seems the ubuntu folks are committed to staying with it for licensing reasons.
[Bug 420277] Re: ldap tls refusing to initialize
I do confirm this. And: Howard Chu still explains NOT TO USE GNUTLS with openldap! It is broken by design! Do not wonder about strange behavior if you do not trust the core developers. http://www.openldap.org/lists/openldap-devel/200802/msg00072.html I have asked Howard a couple of days ago and he still stays at his opinion. I think Debian/Ubuntu should not make changes from openssl to gnutls!

For this bug:

  ...
  1.2.36.79672281.1.13.3 (rdnMatch):
  2.5.13.1 (distinguishedNameMatch):
      matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
  2.5.13.0 (objectIdentifierMatch):
      matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
  TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
  main: TLS init failed: 0
  slapd destroy: freeing system resources.
  slapd stopped.
  connections_destroy: nothing to destroy.

And by the way: My certs are under /ca/ldapmaster.roessner-net.com My profile for apparmor was working under intrepid. Upgrading from intrepid to jaunty does not work.

  # Last Modified: Tue Sep 2 13:08:01 2008
  # Author: Jamie Strandboge
  #include
  /usr/sbin/slapd flags=(complain) {
    #include
    #include
    #include
    capability dac_override,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    /ca/cacert_org.crt r,
    /ca/ldapmaster.roessner-net.de/newcert.pem r,
    /ca/ldapmaster.roessner-net.de/newkey.pem r,
    /etc/gai.conf r,
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/ldap/ldap.conf r,
    /etc/ldap/schema/* r,
    /etc/ldap/slapd.conf r,
    /etc/sasldb2 r,
    /etc/ssl/private/ r,
    /etc/ssl/private/* r,
    /usr/lib/ldap/ r,
    /usr/lib/ldap/* mr,
    /usr/sbin/slapd mr,
    /var/lib/ldap/ r,
    /var/lib/ldap/* rw,
    /var/lib/ldap-ov/accesslog r,
    /var/lib/ldap-ov/accesslog/* rw,
    /var/lib/ldap/alock kw,
    /var/lib/ldap-ov/accesslog/alock kw,
    /var/run/slapd/* w,
  }

No dmesg output that points to problems.

** Changed in: openldap (Ubuntu) Status: New => Confirmed
[Bug 420277] Re: ldap tls refusing to initialize
Thanks Mr. Gug. I checked this, placing the apparmor profile into complain mode with sudo aa-complain /usr/sbin/slapd. The same problem occurs with an attempt to start slapd, but there are no entries in /var/log/kern.log associated and no audit entries. I also moved the certificates and keys generated using gnutls into /etc/ssl/certs and /etc/ssl/private. Still the same problem with no audit entries in the /var/log/kern.log. I'm not quite certain what is meant by standard locations, since https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html says to put them in /etc/ssl/certs and /etc/ssl/private under the TLS and SSL sections, though I am happy to try moving them anywhere that may help. Is there some setting I should be using to get more information out of gnutls about what may be going on?

thanks, Peter
[Bug 420277] Re: ldap tls refusing to initialize
** Changed in: openldap (Ubuntu) Status: Invalid => New