[Pkg-freeipa-devel] Bug#1073834: 389-ds-base: Replication based on sslclientauth fails to create new TLS context

Andreas Steffen andreas.steffen at strongsec.net
Wed Jun 19 14:25:41 BST 2024 

Package: 389-ds-base
Version: 2.3.1+dfsg1-1
Severity: important
Tags: upstream

Dear Maintainer,

setting up a replication agreement between two LDAP servers via TLS
port 636 based on server certificates and password-based SIMPLE
authentication works without problems. The replication setup was
configured using the cockpit-389-ds web interface.

When switching to SSSLCLIENTAUTH the TLS connection fails with the
following entries in /var/log/dirsrv/slapd-localhost/errors:

- ERR - setup_ol_tls_conn - failed: unable to create new TLS context - -1
- ERR - slapi_ldap_bind - Error: could not configure the server for cert auth - error -1 - make sure the server is correctly configured for SSL/TLS
- ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=ldap2-to-ldap1-agreement" (ldap1:636) - Replication bind with EXTERNAL auth failed: LDAP error 0 (Success) ()

The source code of the setup_ol_tls_conn(LDAP *ld, int clientauth) function in

https://github.com/389ds/389-ds-base/blob/389-ds-base-2.3.1/ldap/servers/slapd/ldaputil.c#L503

shows a failure to create the TLS client context in line 589:

     /* have to do this last - this creates the new TLS handle and sets/copies
        all of the parameters set above into that TLS handle context - note
        that optval is zero, meaning create a context for a client */
     optval = 0;
     if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
         slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
                       "failed: unable to create new TLS context - %d\n", rc);
     }

Since on Debian platform libldap uses libgnutls for the certificate-based
client authentication instead of NSS, the extraction of the cacerts, the
private key and the server certificate from the NSS store are required
which seems to be successful:

ls -l /tmp/systemd-private-e57d3846c23c4579b3beaa4d7a0f9e1b-dirsrv\@localhost.service-QfnrpZ/tmp/slapd-localhost/
-rw-r----- 1 dirsrv dirsrv 4837 Jun 18 14:06 Self-Signed-CA.pem
-rw-r----- 1 dirsrv dirsrv  318 Jun 18 14:06 Server-Cert-Key.pem
-rw-r----- 1 dirsrv dirsrv 2061 Jun 18 14:06 Server-Cert.pem

I did quite a profound search of the Internet but I didn't find
any recent problems with ssslclientauth based authentication
(probably because very few people are using it).

-- System Information:
Debian Release: 12.5
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-21-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages 389-ds-base depends on:
ii  389-ds-base-libs             2.3.1+dfsg1-1
ii  acl                          2.3.1-3
ii  adduser                      3.134
ii  debconf [debconf-2.0]        1.5.82
ii  ldap-utils                   2.5.13+dfsg-5
ii  libc6                        2.36-9+deb12u7
ii  libcrypt1                    1:4.4.33-2
ii  libdb5.3                     5.3.28+dfsg2-1
ii  libgcc-s1                    12.2.0-14
ii  libicu72                     72.1-3
ii  libldap-2.5-0                2.5.13+dfsg-5
ii  liblmdb0                     0.9.24-1
ii  libmozilla-ldap-perl         1.5.3-3+b5
ii  libnetaddr-ip-perl           4.079+dfsg-2+b1
ii  libnspr4                     2:4.35-1
ii  libnss3                      2:3.87.1-1
ii  libpam0g                     1.5.2-6+deb12u1
ii  libsasl2-2                   2.1.28+dfsg-10
ii  libsasl2-modules-gssapi-mit  2.1.28+dfsg-10
ii  libsnmp40                    5.9.3+dfsg-2
ii  libsocket-getaddrinfo-perl   0.22-5
ii  libssl3                      3.0.11-1~deb12u2
ii  libsystemd0                  252.22-1~deb12u1
ii  perl                         5.36.0-7+deb12u1
ii  python3                      3.11.2-1+b1
ii  python3-lib389               2.3.1+dfsg1-1
ii  python3-selinux              3.4-1+b6
ii  python3-semanage             3.4-1+b5
ii  python3-sepolicy             3.4-1
ii  systemd                      252.22-1~deb12u1

389-ds-base recommends no packages.

389-ds-base suggests no packages.

-- Configuration Files:
/etc/dirsrv/config/certmap.conf

certmap default         default
default:DNComps         dc
default:FilterComps     cn

certmap example         CN=DBMAS Issuing CA 2024-01,OU=DBMAS,O=DB InfraGO AG,C=DE
example:DNComps
example:FilterComps     cn

-- no debconf information

More information about the Pkg-freeipa-devel mailing list