Bug#381788: [Pkg-openldap-devel] Bug#381788: slapd: TLS connections fail when running as non-root
Matthijs Mohlmann
matthijs at cacholong.nl
Mon Aug 7 20:43:24 UTC 2006
On Sun, 06 Aug 2006 17:10:24 -0600
Michael Berg <michaeljberg at gmail.com> wrote:
> Package: slapd
> Version: 2.3.25-1
> Severity: normal
>
> I've had this problem in both slapd 2.3.24-2 and 2.3.25-1.
> When slapd is running as root, everything works perfectly. But when running
> as a non-root user (like the new default "openldap"), TLS connections fail.
> This affects both port 389+starttls and port 636.
>
> When slapd is running as root, the command
> "openssl s_client -connect 127.0.0.1:636 -CAfile /etc/ssl/certs/mydomain.dyndns.org_CA.pem"
> successfully establishes a TLSv1 connection to the SSL/TLS port.
>
> When slapd is running as the "openldap" user and group,
> the same command produces the following:
> ==========
> CONNECTED(00000003)
> depth=1 /C=US/O=mydomain/OU=Certificate Authority/L=MyCity/ST=MyState/CN=mydomain.dyndns.org
> verify return:1
> depth=0 /C=US/O=mydomain/OU=LDAP Server/L=MyCity/ST=MyState/CN=ldap.mydomain.dyndns.org
> verify return:1
> 1878:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
> 1878:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
> ==========
>
>
> ldapsearch and most other packages on my system are configured to use port 389+starttls
> ==========
> $ ldapsearch -x -ZZ
>
> ldap_start_tls: Connect error (-11)
> additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> ==========
> (This same command succeeds when slapd is running as root)
>
>
> Just to make sure slapd is working:
> ==========
> $ ldapsearch -x
>
> # search result
> search: 2
> result: 13 Confidentiality required
> text: confidentiality required
>
> # numResponses: 1
> ==========
> (which shows that slapd is running, and is requiring confidentiality as configured)
>
>
> And if I disable the requirement for confidentiality in slapd.conf,
> "ldapsearch -x" successfully returns everything that it should from the LDAP database.
>
>
> I've made sure that everything listed in slapd's README.Debian.gz for
> "Running slapd under a different uid/gid" holds true.
> - openldap user and group are present in the system passwd/group files
> $ getent passwd openldap
> openldap:x:100:121:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
> $ getent group openldap
> openldap:x:121:
> - SLAPD_USER and SLAPD_GROUP are both set to "openldap" in /etc/default/slapd.
> - /var/lib/ldap and all files in it have user:group of openldap:openldap.
> - Permissions and user:group on slapd.conf have been set to
> -rw-r----- root:openldap
> - Permissions and user:group on /var/run/slapd are
> drwxr-xr-x openldap:openldap
>
> The SSL/TLS private cert is in a location readable by the openldap user and group.
> The SSL/TLS public cert is in a location readable by everyone on the system.
>
>
> The TLS-relevant portions of my slapd.conf are
> ==========
> # TLS configuration
> TLSCipherSuite HIGH:!ADH
> TLSCACertificateFile /etc/ssl/certs/mydomain.dyndns.org_CA.pem
> TLSCertificateFile /etc/ssl/certs/ldap.mydomain.dyndns.org.pem
> TLSCertificateKeyFile /etc/ldap/private/ldap.mydomain.dyndns.org.pem
> TLSCRLCheck none
> TLSVerifyClient never
> # Require at least 128 bit encryption for all operations
> security ssf=128
> ==========
>
>
> And just for completeness, here are the contents of my ldap.conf file that
> ldap clients use
> ==========
> BASE dc=mydomain,dc=dyndns,dc=org
> URI ldap://ldap.mydomain.dyndns.org
> TLS_CIPHER_SUITE HIGH:!ADH
> TLS_CACERT /etc/ssl/certs/mydomain.dyndns.org_CA.pem
> TLS_REQCERT demand
> TLS_CRLCHECK none
> ==========
>
This is the complete content of ldap.conf on the clients?
>
> I even tried purging slapd, reinstalling it, and re-populating it from scratch
> (I didn't just reload a DB backup).
>
> The fresh install worked fine as non-root until a reboot - at which point the
> problem described above returned and TLS connections fail.
>
That's strange.
> I've tried running slapd with various debug levels and with strace - looking for
> problems opening any files or other errors, but if it's in there, I'm not seeing it.
>
>
> Several of the search results for "error:14094410:SSL" mention client certificates,
> but I've specified "TLSVerifyClient never" in slapd.conf and it still doesn't explain
> why this behavior only shows up when running as non-root.
>
> If there is any specific debug output (slapd -d, strace, ltrace, gdb, etc) you need
> to help diagnose the cause, just let me know and I'd be happy to provide it.
>
I've just tried with the same TLS settings and I can't reproduce the
problem somehow. User is openldap, group is openldap, all permissions are fine:
root at monster # ldapsearch -x -ZZ
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# numResponses: 3
# numEntries: 2
root at monster # ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required
# numResponses: 1
--
Can you please send the output of: ldapsearch -x -ZZ -d 7
Regards,
Matthijs Mohlmann