[Bug 217159] Re: slapd + gnutls fails

2011-11-21 Thread Adrian Bridgett
FYI I just hit another issue where ldap wouldn't start with errors like this:
TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.

This turned out to be due to a PKCS#8 key; using openssl rsa -in
old.key -text (and then cutting and pasting the RSA PRIVATE KEY part
to create a PKCS#1 key) fixed the issue.

Hopefully this will save someone else a few hours of head
scratching/banging/punching the wall.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/217159

Title:
  slapd + gnutls fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/217159/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 217159] Re: slapd + gnutls fails

2010-03-02 Thread LuisMondesi
this bug should be closed.


I had the same problem today and I simply commented out the TLS suite portion. 
That allowed things to work just fine.

(see comment #19: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/217159/comments/19)

The documentation should be updated not to say to use TLSCipherSuite
HIGH:MEDIUM:+SSLv2 -- especially the wiki.



[Bug 217159] Re: slapd + gnutls fails

2009-10-25 Thread Adrian Bridgett
I _think_ that the problem was that the LDAP server certificate was just a 
regular SSL certificate and it needed recreating as a server certificate 
(build-key-server from easy-rsa tools):
nsCertType  = server
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment



[Bug 217159] Re: slapd + gnutls fails

2009-10-22 Thread Mathias Gug
Seems that the last commenter was able to fix his problem. I'm going to
mark this bug invalid. Please open a new bug if you encounter a similar
problem.

** Changed in: openldap (Ubuntu)
   Status: Incomplete => Invalid



[Bug 217159] Re: slapd + gnutls fails

2009-04-23 Thread Adrian Bridgett
FYI I've compiled up 2.4.16 (took 2.4.15 from debian and updated
source), added a patch from
http://209.85.229.132/search?q=cache:idWE3JHeQOUJ:www.openldap.org/its/index.cgi/Software%2520Bugs%3Fid%3D6053%3Bpage%3D1+main:+TLS+init+def+ctx+failed:+-50cd=1hl=enct=clnkgl=uklr=lang_en

(Subject: gnutls doesn't initialize gnutls_x509_privkey_t structure,
leading to TLS init def ctx failed: -50)

and it still does the same thing.  tcpdump shows SSL client hello being
sent, then the ldap server just closes the connection on it  :-(  (slapd
logs saying Could not negotiate a supported cipher suite)



[Bug 217159] Re: slapd + gnutls fails

2009-04-23 Thread Adrian Bridgett
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6053;expression=gnutls
is a better link to that patch.

Compiled with openssl rather than gnutls and it's happier.

Aha!!! Found it :-)  openssl client then complained that the certificate
was not suitable for the purpose.  In short, I had put a client cert
on, not a server cert.  I use easy-rsa2 from the openvpn package to build
certs and I had run it with ./build-key not ./build-key-server.  Once
the ldap keypair was rebuilt with -extensions server everything was
happy (even on the older version of software).

Naturally it would be nice if openldap checked this and produced a
helpful error :-)

many thanks for your help and prompt replies.
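The two root causes Adrian reports, the PKCS#8 key at the top of this thread and, here, a certificate built with build-key instead of build-key-server, can both be checked offline before slapd is restarted. The following is an added example written for this page; it is not code from the thread, from OpenLDAP or from easy-rsa. It uses only the Python standard library plus a small DER reader: pkcs8_to_pkcs1 does the re-labelling that the openssl rsa cut-and-paste did by hand, and cert_server_purpose reports whether a certificate carries extendedKeyUsage serverAuth and the nsCertType "SSL server" bit. The OIDs are the standard ones; the sample key uses toy RSA integers and the sample certificates are bare tbsCertificate skeletons, both constructed inside the block and not valid credentials.

```python
"""Added example: offline checks for the two slapd TLS causes found in this thread,
a PKCS#8 key where PKCS#1 is expected and a client certificate used as the server
certificate.  Standard library only; the sample inputs below are constructed."""
import base64
import re

def der_encode(tag, content):
    """Wrap content in a DER tag-length-value (definite lengths only)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_children(content):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:                    # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + n], "big"), pos + n
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")               # 2.5.29.37
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")       # 1.3.6.1.5.5.7.3.1
OID_NS_CERT_TYPE = bytes.fromhex("6086480186f8420101")    # 2.16.840.1.113730.1.1

def key_format(pem):
    """'pkcs1' (BEGIN RSA PRIVATE KEY), 'pkcs8', 'pkcs8-encrypted' or 'unknown'."""
    return {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8",
            "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted"}.get(pem_decode(pem)[0], "unknown")

def pkcs8_to_pkcs1(pem):
    """Unwrap an unencrypted PKCS#8 RSA key.  PrivateKeyInfo is SEQUENCE { INTEGER 0,
    AlgorithmIdentifier, OCTET STRING privateKey } and that OCTET STRING already *is*
    the PKCS#1 RSAPrivateKey, so this is a re-labelling, not a re-encoding."""
    label, der = pem_decode(pem)
    if label == "RSA PRIVATE KEY":
        return pem                           # already PKCS#1
    if label != "PRIVATE KEY":
        raise ValueError(f"cannot unwrap a '{label}' block (encrypted or not PKCS#8)")
    (outer_tag, outer), = der_children(der)
    version, alg, privkey = der_children(outer)[:3]
    alg_oid = der_children(alg[1])[0][1]
    if (outer_tag, version[1], alg_oid, privkey[0]) != (0x30, b"\x00", OID_RSA_ENCRYPTION, 0x04):
        raise ValueError("not an unencrypted PKCS#8 RSA key")
    return pem_encode("RSA PRIVATE KEY", privkey[1])

def cert_server_purpose(pem):
    """Report the markings easy-rsa's build-key-server adds and build-key does not:
    extendedKeyUsage serverAuth and the nsCertType 'SSL server' bit."""
    label, der = pem_decode(pem)
    if label != "CERTIFICATE":
        raise ValueError("not a certificate")
    certificate = der_children(der_children(der)[0][1])   # tbsCertificate, sigAlg, signature
    result = {"has_eku": False, "serverAuth": False, "nsCertType_server": False}
    for tag, val in der_children(certificate[0][1]):       # fields of tbsCertificate
        if tag != 0xA3:                                    # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            fields = der_children(ext)                     # OID, [critical BOOLEAN], OCTET STRING
            oid, value = fields[0][1], fields[-1][1]
            if oid == OID_EXT_KEY_USAGE:
                result["has_eku"] = True
                purposes = [v for _, v in der_children(der_children(value)[0][1])]
                result["serverAuth"] = OID_SERVER_AUTH in purposes
            elif oid == OID_NS_CERT_TYPE:
                bits = der_children(value)[0][1]           # BIT STRING: unused-bit count, flags
                result["nsCertType_server"] = len(bits) > 1 and bool(bits[1] & 0x40)
    return result

# Constructed samples: toy RSA integers (3233 = 61 * 53) and bare tbsCertificate skeletons; NOT real credentials.
_int = lambda v: der_encode(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
_ext = lambda oid, value_der: der_encode(0x30, der_encode(0x06, oid) + der_encode(0x04, value_der))

def _toy_cert(extensions):
    tbs = der_encode(0xA0, _int(2)) + der_encode(0xA3, der_encode(0x30, b"".join(extensions)))
    return pem_encode("CERTIFICATE", der_encode(0x30, der_encode(0x30, tbs)))

TOY_PKCS1 = der_encode(0x30, b"".join(_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
SAMPLE_PKCS8_PEM = pem_encode("PRIVATE KEY", der_encode(0x30, _int(0)
    + der_encode(0x30, der_encode(0x06, OID_RSA_ENCRYPTION) + b"\x05\x00") + der_encode(0x04, TOY_PKCS1)))
SERVER_CERT_PEM = _toy_cert([_ext(OID_NS_CERT_TYPE, der_encode(0x03, b"\x06\x40")),   # SSL server bit set
                             _ext(OID_EXT_KEY_USAGE, der_encode(0x30, der_encode(0x06, OID_SERVER_AUTH)))])
CLIENT_CERT_PEM = _toy_cert([_ext(OID_NS_CERT_TYPE, der_encode(0x03, b"\x07\x80"))])  # SSL client only, no EKU
```

On a real file, pass open(path).read() to key_format, pkcs8_to_pkcs1 or cert_server_purpose. The certificate check is the same information openssl x509 -in cert.pem -noout -text prints under X509v3 Extended Key Usage and Netscape Cert Type. For the key, note that OpenSSL 3 writes PKCS#8 by default from openssl rsa, so the command-line equivalent of the unwrap there is openssl rsa -in old.key -traditional -out new.key.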



[Bug 217159] Re: slapd + gnutls fails

2009-04-22 Thread Adrian Bridgett
FWIW I've got the same on a debian box I've just upgraded from etch to lenny:
slapd 2.4.11-1
libldap-2.4-2 2.4.11-1
libgnutls26 2.4.2-6+lenny1

certs are not blacklisted (checked ca and server), gnutls-serv works
fine.

tracing with openssl shows a very quick reply:
openssl s_client -connect localhost:636  -debug
CONNECTED(0003)
write to 0x68d7c0 [0x68e390] (118 bytes = 118 (0x76))
 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00   .tK... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../...
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...
0050 - 00 00 03 02 00 80 88 ce-a0 bb 73 ed f1 ba 4a 72   ..s...Jr
0060 - de c5 25 dc 88 8d b5 8a-d7 15 10 17 68 46 a7 23   ..%.hF.#
0070 - 94 41 2e 07 92 aa .A
read from 0x68d7c0 [0x6938f0] (7 bytes = 0 (0x0))
8434:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

gnutls-cli -l shows a huge list too. permissions all seem fine (and
readable)



Re: [Bug 217159] Re: slapd + gnutls fails

2009-04-22 Thread Mathias Gug

Could you please include the information requested at
https://wiki.ubuntu.com/DebuggingOpenldap#ssl-client-failure?

Thank you,

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com



[Bug 217159] Re: slapd + gnutls fails

2009-04-22 Thread Adrian Bridgett
sure:

/etc/ldap/ldap.conf:
BASE dc=opsera,dc=com
URI  ldap://foo.opsera.com
TLS_CACERT /etc/ssl/certs/ca.opsera.com.crt
TLS_REQCERT demand

TLS_CACERT file:
-----BEGIN CERTIFICATE-----
MIIEUTCCAzmgAwIBAgIJAI+dj7GhDEy1MA0GCSqGSIb3DQEBBQUAMHgxCzAJBgNV
BAYTAkdCMRIwEAYDVQQIEwlCZXJrc2hpcmUxEDAOBgNVBAcTB1JlYWRpbmcxDzAN
BgNVBAoTBk9wc2VyYTESMBAGA1UEAxMJT3BzZXJhIENBMR4wHAYJKoZIhvcNAQkB
Fg9yb290QG9wc2VyYS5jb20wHhcNMDgwNTE0MTEyNDAxWhcNMTgwNTEyMTEyNDAx
WjB4MQswCQYDVQQGEwJHQjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdS
ZWFkaW5nMQ8wDQYDVQQKEwZPcHNlcmExEjAQBgNVBAMTCU9wc2VyYSBDQTEeMBwG
CSqGSIb3DQEJARYPcm9vdEBvcHNlcmEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA5NBn4qZQmpNSfAZGicY11YoRbG2ZW+IMNd6P0t3uqbqlS/xd
toLXiLQOKcm0k1FdBXgeredDAd7Lm0KOvXOu85oDcSB4Y+8Xny0ug/oyw5HhrvaT
ACP4DdFkVK0rOncpgqjUoPPlHpAtRE+vruxgYqG4WHRZQv2aIfDCLP1vorLNLl68
JoPsTfP8O4ISOHVY5KlmngOjBeU0JuFP7luFoPshXbxpQ8VL2frTNLV3SKpU7zMe
QGkUh+86HSCKxk3ahq5grZIYLm+RlOXORTisT8xK6VWTDO1O0DF1HnVN/pkx6AwN
HyC4sveyYzm4f+nwVTFd/vKXVRHWJoKLltSUkwIDAQABo4HdMIHaMB0GA1UdDgQW
BBQ7ztgRvxawSnughvTiN0BuzzrOMDCBqgYDVR0jBIGiMIGfgBQ7ztgRvxawSnug
hvTiN0BuzzrOMKF8pHoweDELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUJlcmtzaGly
ZTEQMA4GA1UEBxMHUmVhZGluZzEPMA0GA1UEChMGT3BzZXJhMRIwEAYDVQQDEwlP
cHNlcmEgQ0ExHjAcBgkqhkiG9w0BCQEWD3Jvb3RAb3BzZXJhLmNvbYIJAI+dj7Gh
DEy1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKtJww1eJjGtr3c4
xrvRfNlS5FJphmh6xqIyTJf7cglcOziob/FtPD7HJ3FLq2dj1uwRlbreTzTmpajl
hr4h/2gxjLTjrMSriLbHjuBhuotHa8/NsuFm3USWZyca0zASOQV4+yGu4AydUmo5
vcOymiVZ4JWprPC4bmALti8ykqejDjhydcl8Vd9nLKz8KuU1EwBMWHtBjSfkuAao
IxJZHNTpi+iBXRFguola0aTX3K0g1+IABaYKb1MUerszmvXdqaJ0KnszT79d9R2u
XavJFc33egXQUO7K/Vm0tg2+phP7QbRwix95pNP8jkalWbCuXMDbMqLNBN28+u3V
w4gO30E=
-----END CERTIFICATE-----

gnutls-cli output:
Connecting to '127.0.1.1:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.

package versions:
gnutls-bin 2.4.2-6+lenny1 gnutls26 install ok installed
ldap-utils 2.4.11-1 openldap install ok installed
libgnutls26 2.4.2-6+lenny1 gnutls26 install ok installed
libldap-2.4-2 2.4.11-1 openldap install ok installed
libnss-ldap 261-2.1  install ok installed
libpam-ldap 184-4.2  install ok installed
slapd 2.4.11-1 openldap install ok installed
sudo-ldap 1.6.9p17-2.1 sudo install ok installed

ldapsearch:
ldap_url_parse_ext(ldaps://foo.opsera.com/)
ldap_create
ldap_url_parse_ext(ldaps://foo.opsera.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP foo.opsera.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.1.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
tls_write: want=93, written=93
  :  16 03 02 00 58 01 00 00  54 03 02 49 ef 6d 28 ac   X...T..I.m(.  
  0010:  b6 ff 62 fd 12 78 93 a8  58 cb f7 39 a6 b7 61 59   ..b..x..X..9..aY  
  0020:  1e 8f f4 5a 5d 4c a6 83  b5 73 d0 00 00 24 00 33   ...Z]L...s...$.3  
  0030:  00 45 00 39 00 88 00 16  00 32 00 44 00 38 00 87   .E.9.2.D.8..  
  0040:  00 13 00 66 00 2f 00 41  00 35 00 84 00 0a 00 05   ...f./.A.5..  
  0050:  00 04 01 00 00 07 00 09  00 03 02 00 01. 
tls_read: want=5, got=0

TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)



[Bug 217159] Re: slapd + gnutls fails

2009-03-17 Thread elvis
Unfortunately I've decommissioned the machine.  However I do know that I
didn't manually specify any TLSCipherSuite directives in the slapd.conf.

The hardy slapd.conf man (5) file still references the TLSCipherSuite
format accepted by OpenSSL (e.g.: TLSCipherSuite HIGH:MEDIUM:+SSLv2),
which caused slapd to fail to start as GnuTLS doesn't support this
format.  As such I removed the directive (allowing all ciphers supported
by GnuTLS), which would allow slapd to start.

Similarly my ldap.conf didn't specify any cipher suite, and the gnutls-
cli testing above didn't either.

If I get time I will attempt to rebuild and retest from where I left
off.
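As an added illustration of the point elvis makes (not a fragment from the thread or from OpenLDAP's own documentation), here is the TLS section of a slapd.conf for a GnuTLS-linked slapd, with the OpenSSL-style directive from the hardy man page beside the GnuTLS form. TLSCipherSuite, TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile are OpenLDAP's directives; NORMAL and SECURE256 are GnuTLS priority-string keywords; the file paths are placeholders.

```conf
# /etc/ldap/slapd.conf, TLS section, for a slapd linked against GnuTLS

TLSCACertificateFile  /etc/ssl/certs/PLACEHOLDER-ca.crt
# The certificate must be issued for server use (easy-rsa: build-key-server,
# not build-key), otherwise the handshake ends in "Could not negotiate a
# supported cipher suite".
TLSCertificateFile    /etc/ssl/certs/PLACEHOLDER-ldap.crt
# PKCS#1 key ("BEGIN RSA PRIVATE KEY"); a PKCS#8 key gave "TLS init def ctx
# failed: -207" on the versions in this thread.
TLSCertificateKeyFile /etc/ssl/private/PLACEHOLDER-ldap.key

# OpenSSL cipher-list syntax, as the hardy slapd.conf(5) still showed.  A
# GnuTLS build cannot parse it, so slapd refuses to start; GnuTLS also has
# no SSLv2 at all, so "+SSLv2" has nothing to refer to.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2

# GnuTLS priority string instead.  NORMAL is the library default, i.e. the
# same set you get by leaving the directive out; SECURE256 is a stricter
# choice that keeps only 256-bit ciphers.
TLSCipherSuite NORMAL
```

To see which suites a given priority string enables on the installed library, run gnutls-cli --priority NORMAL -l (the same listing Adrian obtained with a bare gnutls-cli -l).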



[Bug 217159] Re: slapd + gnutls fails

2009-03-09 Thread Mathias Gug
@elvis:
According to the slapd log:

TLS: can't accept: Could not negotiate a supported cipher suite..

Could you post your slapd.conf file? Be careful not to include any
sensitive information such as passwords.



Re: [Bug 217159] Re: slapd + gnutls fails

2009-02-26 Thread Mathias Gug
On Thu, Feb 26, 2009 at 04:48:11AM -, elvis wrote:
> I've created x509 certificates and signed them against our company CA.
> These work perfectly for Apache on Hardy (adding the CA cert to my
> browser shows connection to Apache as working and verified).
>
> Experiments with gnutls-cli show the following:

>
> 3) Connection to slapd on ldaps:// port 636 shows:
> Processed 1 CA certificate(s).
> Processed 1 client certificates...
> Processed 1 client X.509 certificates...
> Resolving '***'...
> Connecting to '10.1.2.100:636'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.
>

What is the exact command line you've used (gnutls-cli)?

>
> Using ldapsearch on plain-text ldap:/// port 389 works fine.  ldapsearch on
> ldaps:/// returns errors.

What is the error message?

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com



[Bug 217159] Re: slapd + gnutls fails

2009-02-26 Thread elvis
As above:

client: ldapsearch -x -H ldaps://localhost:636 -D *** -w ***

server:
 slap_listener(ldaps:///)
connection_get(13): got connid=1
connection_read(13): checking for input on id=1
connection_read(13): TLS accept failure error=-1 id=1, closing
connection_closing: readying conn=1 sd=13 for close
connection_close: conn=1 sd=13

That was running slapd with -d3.  Do you require more detail than
that?



[Bug 217159] Re: slapd + gnutls fails

2009-02-26 Thread elvis
Oh, and the gnutls-cli stuff:

I opened the listening server with:
gnutls-serv --x509cafile my_ca.cer --x509keyfile myclient.pem --x509certfile myclient.cer

It returns:
Set static Diffie Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
Echo Server ready. Listening to port '5556'.

I connected to the gnutls-serv with:
gnutls-cli --x509cafile my_ca.cer --x509keyfile myclient.pem --x509certfile myclient.cer -p 5556 servername.mydomain.tld

Similarly, I connected to Apache with
gnutls-cli --x509cafile my_ca.cer --x509keyfile myclient.pem --x509certfile myclient.cer -p 443 servername.mydomain.tld

And slapd with:
gnutls-cli --x509cafile my_ca.cer --x509keyfile myclient.pem --x509certfile myclient.cer -p 636 servername.mydomain.tld

Ports are listening and verified with netstat -plutn.  Tests were run
on both localhost, and from another machine with copies of the certs.
No firewalls are in place, and iptables is set to ACCEPT on all
policies with no other rules in place.

As above, I get successful returns from Apache-SSL and gnutls-serv.  I
get a failure from slapd.

If you need more detail or other tests, please let me know and I'll run
them.



[Bug 217159] Re: slapd + gnutls fails

2009-02-26 Thread elvis
This is run with:
/usr/sbin/slapd -h ldaps:/// -g openldap -u openldap -f /etc/ldap/slapd.conf -d15

Connecting from either ldapsearch -x -H ldaps://... or gnutls-cli,
slapd returns:

 slap_listener(ldaps:///)
daemon: listen=8, new connection on 13
daemon: added 13r (active) listener=(nil)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
tls_read: want=5, got=5
  :  16 03 02 00 4d M 
tls_read: want=77, got=77
  :  01 00 00 49 03 02 49 a7  3e 1c 36 94 5c 6e cb ce   ...I..I..6.\n..  
  0010:  5a ee 9c 8e af cd aa dd  a2 9a 53 48 db 0a bd 00   Z.SH  
  0020:  32 9e f4 e2 1a c9 00 00  18 00 39 00 33 00 16 00   2.9.3...  
  0030:  38 00 32 00 13 00 66 00  35 00 2f 00 0a 00 05 00   8.2...f.5./.  
  0040:  04 02 01 00 00 07 00 09  00 03 02 00 01. 
TLS: can't accept: Could not negotiate a supported cipher suite..
connection_read(13): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_close: conn=0 sd=13
daemon: removing 13
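The hex dumps in elvis's slapd -d15 output above and in Adrian's ldapsearch -d1 output further up the thread are complete TLS records, so they can be decoded to see exactly what the clients offered slapd. The following is an added example written for this page, not code from the thread, from OpenLDAP or from GnuTLS: a small ClientHello decoder (TLS 1.0/1.1 record and handshake layout from RFC 5246) run over both captures, transcribed byte for byte from the dumps. The cipher-suite and extension names are the IANA registrations for those codes; everything else the block uses is in the captures themselves.

```python
"""Added example: decode the TLS ClientHello records captured in this thread
(GnuTLS-based ldapsearch/gnutls-cli -> slapd) to see what the server was offered."""

# IANA names for the cipher-suite codes present in the two captures (RFC 5246, RFC 4132).
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", 0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA", 0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", 0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
}
EXTENSION_NAMES = {0x0009: "cert_type"}   # RFC 6091; GnuTLS offers X.509 and OpenPGP with it
COMPRESSION_NAMES = {0: "null", 1: "deflate"}

def _u16(b, pos):
    return int.from_bytes(b[pos:pos + 2], "big")

def parse_client_hello(raw):
    """Parse one TLS record carrying a ClientHello (RFC 5246 section 7.4.1.2)."""
    if len(raw) < 5 or raw[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_len = _u16(raw, 3)
    body = raw[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError(f"record announces {record_len} bytes, got {len(body)}")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2
    version = (hello[0], hello[1])             # (3, 2) is TLS 1.1
    client_random = hello[pos:pos + 32]; pos += 32
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = _u16(hello, pos); pos += 2
    suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    comp_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + comp_len]); pos += comp_len
    extensions = []
    if pos < len(hello):                       # the extensions block is optional
        end = pos + 2 + _u16(hello, pos); pos += 2
        while pos < end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
            extensions.append((etype, hello[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"record_version": (raw[1], raw[2]), "version": version,
            "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression, "extensions": extensions}

def suite_names(hello):
    return [SUITE_NAMES.get(c, f"0x{c:04x}") for c in hello["cipher_suites"]]

def auth_families(hello):
    """Which certificate key types could complete at least one offered suite."""
    fams = set()
    for name in suite_names(hello):
        if name.startswith("TLS_DHE_DSS_"):
            fams.add("DSS")
        elif name.startswith(("TLS_RSA_", "TLS_DHE_RSA_")):
            fams.add("RSA")
    return fams

# Captures transcribed from the thread: elvis's slapd -d15 dump and Adrian's ldapsearch -d1 dump.
ELVIS_CLIENT_HELLO = bytes.fromhex(
    "16 03 02 00 4d 01 00 00 49 03 02 49 a7 3e 1c 36 94 5c 6e cb ce"
    "5a ee 9c 8e af cd aa dd a2 9a 53 48 db 0a bd 00"
    "32 9e f4 e2 1a c9 00 00 18 00 39 00 33 00 16 00"
    "38 00 32 00 13 00 66 00 35 00 2f 00 0a 00 05 00"
    "04 02 01 00 00 07 00 09 00 03 02 00 01")
ADRIAN_CLIENT_HELLO = bytes.fromhex(
    "16 03 02 00 58 01 00 00 54 03 02 49 ef 6d 28 ac"
    "b6 ff 62 fd 12 78 93 a8 58 cb f7 39 a6 b7 61 59"
    "1e 8f f4 5a 5d 4c a6 83 b5 73 d0 00 00 24 00 33"
    "00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87"
    "00 13 00 66 00 2f 00 41 00 35 00 84 00 0a 00 05"
    "00 04 01 00 00 07 00 09 00 03 02 00 01")

if __name__ == "__main__":
    for who, raw in (("elvis", ELVIS_CLIENT_HELLO), ("Adrian", ADRIAN_CLIENT_HELLO)):
        h = parse_client_hello(raw)
        print(f"{who}: TLS {h['version']}, {len(h['cipher_suites'])} suites, "
              f"auth {sorted(auth_families(h))}, "
              f"compression {[COMPRESSION_NAMES.get(c, c) for c in h['compression']]}, "
              f"extensions {[EXTENSION_NAMES.get(t, t) for t, _ in h['extensions']]}")
```

Both hellos are ordinary: TLS 1.1, no session to resume, only RSA- and DSS-authenticated suites, and the cert_type extension that GnuTLS adds. "Could not negotiate a supported cipher suite" is therefore slapd reporting that nothing in that list could be completed with the credentials it had loaded, which is consistent with the fix being on the server side (the certificate's purpose), as Adrian eventually found, rather than in what the client offered.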



[Bug 217159] Re: slapd + gnutls fails

2009-02-25 Thread elvis
I am also having problems with Hardy slapd 2.4.9-0ubuntu0.8.04.2 and
TLS.

It seems OpenLDAP on Hardy is now compiled against GnuTLS, and not
OpenSSL as it was in old versions.

I've created x509 certificates and signed them against our company CA.
These work perfectly for Apache on Hardy (adding the CA cert to my
browser shows connection to Apache as working and verified).

Experiments with gnutls-cli show the following:

1) Connecting to Apache on port 443 shows TLS success, connected via TLS 1.0:
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving '***'...
Connecting to '10.1.2.100:443'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches '***'.
 # valid since: Fri Feb  6 14:36:14 EST 2009
 # expires at: Sun Feb  6 14:36:14 EST 2011
 # fingerprint: 7E:C2:AF:1B:75:7A:CB:0F:17:A6:10:8C:8B:1C:52:2B
 # Subject's DN: ***
 # Issuer's DN: ***

 - Certificate[1] info:
 # valid since: Tue Dec  5 13:42:33 EST 2006
 # expires at: Mon Dec  5 13:49:02 EST 2011
 # fingerprint: D5:63:08:F0:9C:E2:BB:47:35:EF:06:15:EF:54:DA:D8
 # Subject's DN: ***
 # Issuer's DN: ***


- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed


2) Connection to gnutls-serv on port 5556 shows TLS success, connected via TLS 1.1:
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving '***'...
Connecting to '10.1.2.100:5556'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches '***'.
 # valid since: Fri Feb  6 14:36:14 EST 2009
 # expires at: Sun Feb  6 14:36:14 EST 2011
 # fingerprint: 7E:C2:AF:1B:75:7A:CB:0F:17:A6:10:8C:8B:1C:52:2B
 # Subject's DN: ***
 # Issuer's DN: ***


- Peer's certificate is trusted
- Version: TLS 1.1
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:


3) Connection to slapd on ldaps:// port 636 shows:
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving '***'...
Connecting to '10.1.2.100:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.


Using ldapsearch on plain-text ldap:/// port 389 works fine.  ldapsearch on 
ldaps:/// returns errors.  Running slapd in debug mode shows various errors, 
including similar TLS packet of unexpected length errors:

client:  ldapsearch -x -H ldaps://localhost:636 -D ***  -w ***

server:
 slap_listener(ldaps:///)
connection_get(13): got connid=1
connection_read(13): checking for input on id=1
connection_read(13): TLS accept failure error=-1 id=1, closing
connection_closing: readying conn=1 sd=13 for close
connection_close: conn=1 sd=13



[Bug 217159] Re: slapd + gnutls fails

2009-01-09 Thread Ronald van Engelen
Ronald van Engelen wrote on 2008-09-08:
> I'm having the same problems:

I didn't catch Brian May's statement:
> This bug report started off by saying that the server was having problems with the
> client certificate.

My comment is about clients (nss) not able to use ldaps; I will try to
solve this elsewhere.



[Bug 217159] Re: slapd + gnutls fails

2008-09-01 Thread Mathias Gug
Could you try using the debug option when running ldapsearch on the
client ?

  ldapsearch -x -d 1


** Changed in: openldap (Ubuntu)
Sourcepackagename: openldap2.3 => openldap
   Status: New => Incomplete



[Bug 217159] Re: slapd + gnutls fails

2008-06-05 Thread Chuck Short
Hi,

Can you try the version of openldap in my ppa archive?

http://launchpad.net/~zulcss/+archive

Thanks
chuck



[Bug 217159] Re: slapd + gnutls fails

2008-05-17 Thread Brian May
There seems to be some confusion here.

TLS_REQCERT on the client tells the client if it should check the server
certificate or not.

This is different from whether or not the server checks the client
certificate.

I am having problems with the client checking the server certificate
(#231321), where changing TLS_REQCERT will help (but this presumably
will decrease the security because the server certificate is not
checked).

This bug report started off by saying that the server was having problems
with the client certificate.

Brian May



[Bug 217159] Re: slapd + gnutls fails

2008-04-15 Thread svimes
... but TLS_REQCERT never in the client confs helps, but makes me
wonder:

$ man ldap.conf

TLS_REQCERT level

 never  The client will not request or check any server certificate.

This probably should not be the case. Previously allow has worked, which
is still a bit dubious.

 allow  The server certificate is requested. If no certificate is provided,
        the session proceeds normally. If a bad certificate is provided, it
        will be ignored and the session proceeds normally.

Is there any way to make it work with try for example?

This is not a major thing and thanks for your help in pointing out the obvious
problem. :)
Shouldn't trust an old config, I guess. :)

For the sake of documentation here are the client confs:

$ cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

URI ldaps://127.0.0.1/
BASE dc=nnn,dc=nnn
TLS_REQCERT never

$ cat /etc/ldap.conf
base dc=nnn,dc=nnn
uri ldaps://127.0.0.1/
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl on
pam_password exop
bind_policy soft
TLS_CACERTFILE /etc/pki/tls/certs/ca.nnn.nnn.crt
TLS_REQCERT never

Any comments on those? I've also dabbled with the nss_initgroups_ignoreusers
parameter, but don't have any conclusive results on that.



Re: [Bug 217159] Re: slapd + gnutls fails

2008-04-15 Thread Adam Sommer

> $ cat /etc/ldap/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> URI ldaps://127.0.0.1/
> BASE dc=nnn,dc=nnn
> TLS_REQCERT never
>
> $ cat /etc/ldap.conf
> base dc=nnn,dc=nnn
> uri ldaps://127.0.0.1/
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> ssl on
> pam_password exop
> bind_policy soft
> TLS_CACERTFILE /etc/pki/tls/certs/ca.nnn.nnn.crt
> TLS_REQCERT never
>
> Any comments on those? I've also dabbled with the
> nss_initgroups_ignoreusers parameter, but
> don't have any conclusive results on that.


I copied your config into my /etc/ldap/ldap.conf (changing the base
parameter), and using TLS_REQCERT allow worked fine for me.  I use never
because my LDAP server is using a self-signed cert, and there used to be
issues without setting that option.  The server I'm testing with was
upgraded from Dapper to Hardy.

I was just wondering if you are using libnss-ldap?  Could it possibly be a
setting in /etc/ldap.conf?

-- 
Party On,
Adam


** Attachment added: unnamed
   http://launchpadlibrarian.net/13464423/unnamed
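An added illustration, not taken from the thread, of the client-side setting this exchange turns on. TLS_REQCERT never makes the handshake succeed against any server certificate, which is why it "helps" here, but it also drops the server authentication that ldaps:// exists to provide, the loss Brian May points to. The demand form with a CA file (the shape of Adrian's ldap.conf further up the thread, and the ldap.conf(5) default for TLS_REQCERT) is the setting to return to once the server side is fixed. URI, BASE, TLS_CACERT and TLS_REQCERT are OpenLDAP's ldap.conf(5) options; the host, base DN and path are placeholders.

```conf
# /etc/ldap/ldap.conf (OpenLDAP client library; read by ldapsearch and friends)

URI  ldaps://ldap.example.org/
BASE dc=example,dc=org

# Workaround used in the thread: the client neither requests nor checks the
# server certificate, so a wrong, expired or forged certificate is accepted
# silently and the connection is encrypted but not authenticated.
#TLS_REQCERT never

# Intended setting: verify the server certificate against the CA that issued
# it and abort the session if it does not verify.  "demand" is also the
# default when TLS_REQCERT is not set at all.
TLS_CACERT  /etc/ssl/certs/PLACEHOLDER-ca.crt
TLS_REQCERT demand
```

With demand in place, a client-side failure such as elvis's "A TLS packet with unexpected length was received" stays visible as a failure instead of being masked, which is the behaviour to want while the server certificate and key are being sorted out. The libnss-ldap file (/etc/ldap.conf) above carries its own copy of these options and must be corrected separately.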



[Bug 217159] Re: slapd + gnutls fails

2008-04-14 Thread svimes
cannot choose slapd for some reason for this bug report. :/
