[Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

Berg, Michael michaeljberg at gmail.com
Sun Aug 13 03:14:32 UTC 2006


This message got held by the pkg-openldap-devel list server for the past
few days due to the attachments being a little too large.  I zipped the
attachments and am resubmitting it.

Please CC any replies to 381788 at bugs.debian.org (as I don't want to clutter
the bug report with a duplicate message by sending this email to it).


> ... what does the output from "slapd -d -1" show in the following bits:
>
> (a) running as root, up until waiting for a connection
> (b) running as root, getting a problem connection
> (c) running as openldap user, up until waiting for a connection
> (d) running as openldap user, getting a problem connection

(a) and (b) are in the attached file slapd-root.txt
(c) and (d) are in the attached file slapd-openldap.txt
In both files I put some whitespace and a comment line to indicate where
slapd started waiting for a connection.

(a) and (b) output was generated and captured using (all on one line):
# /usr/sbin/slapd -h 'ldap://127.0.0.1/ ldaps://127.0.0.1/ ldap://[::1]/
ldaps://[::1]/ ldap://ldap.misumasu.dyndns.org/
ldaps://ldap.misumasu.dyndns.org/' -d 1 > /tmp/slapd-root.txt 2>&1

(c) and (d) output was generated and captured using (all on one line):
# /usr/sbin/slapd -h 'ldap://127.0.0.1/ ldaps://127.0.0.1/ ldap://[::1]/
ldaps://[::1]/ ldap://ldap.misumasu.dyndns.org/
ldaps://ldap.misumasu.dyndns.org/' -u openldap -g openldap -d 1 >
/tmp/slapd-openldap.txt 2>&1

Running "ldapsearch -x -ZZ" generated thousands of lines of output in the
root version, so to keep this tractable, I targeted the search command as
$ ldapsearch -x -ZZ '(sambaDomainName=MISUMASU)'
This command was run to trigger the (b) and (d) cases.


Running "diff -u slapd-root.txt slapd-openldap.txt" is interesting.
The interesting chunks before they completely diverge (root returning a
result vs. openldap returning an error) are:

--- slapd-root.txt      2006-08-09 18:52:49.000000000 -0600
+++ slapd-openldap.txt  2006-08-09 18:53:00.000000000 -0600
...
 >>> dnNormalize: <cn=Subschema>
 <<< dnNormalize: <cn=subschema>
+ldap_create
+ldap_url_parse_ext(ldap://ldap.misumasu.dyndns.org/)
+ldap_create
+ldap_url_parse_ext(ldap://ldap.misumasu.dyndns.org/)
+ldap_extended_operation_s
+ldap_extended_operation
+ldap_send_initial_request
+ldap_new_connection 1 1 0
+ldap_int_open_connection
+ldap_connect_to_host: TCP ldap.misumasu.dyndns.org:389
+ldap_new_socket: 12
+ldap_prepare_socket: 12
+ldap_connect_to_host: Trying 172.30.1.1:389
+ldap_connect_timeout: fd: 12 tm: 30 async: 0
+ldap_ndelay_on: 12
+ldap_is_sock_ready: 12
+ldap_is_socket_ready: error on socket 12: errno: 111 (Connection refused)
+ldap_close_socket: 12
+ldap_unbind
 matching_rule_use_init
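Review bot: the added block from ldap_create through ldap_unbind appears only in the openldap-user capture and sits in the startup section (before matching_rule_use_init): slapd is acting as an LDAP client, issuing an extended operation towards ldap.misumasu.dyndns.org:389 (172.30.1.1), and the connect is refused with errno 111. Since the root capture contains no trace of this attempt at all, the report should say which configured component issues that extended operation, because it is an early behavioural difference between the two runs that precedes the TLS failure.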
...
 TLS trace: SSL_accept:SSLv3 read client hello A
 TLS trace: SSL_accept:SSLv3 write server hello A
 TLS trace: SSL_accept:SSLv3 write certificate A
-TLS trace: SSL_accept:SSLv3 write server done A
+TLS trace: SSL_accept:SSLv3 write certificate request A
 TLS trace: SSL_accept:SSLv3 flush data
 TLS trace: SSL_accept:error in SSLv3 read client certificate A
 TLS trace: SSL_accept:error in SSLv3 read client certificate A
 connection_get(15): got connid=0
 connection_read(15): checking for input on id=0
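Review bot: the one changed line is the certificate step of the handshake: the root run goes from "write certificate A" straight to "write server done A", whereas the openldap run emits "write certificate request A", meaning slapd under the openldap user asks the client for a certificate, and both runs then log "error in SSLv3 read client certificate A". Given that the two slapd command lines quoted above differ only in -u/-g, the report should state which TLS client-verification setting ends up different between the two runs, since that is what this line points at.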


So right before SSL fails, the root version does a "write server done"
while the openldap version does a "write certificate request".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: slapd-root.txt.gz
Type: application/gzip
Size: 4253 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20060812/bee55267/slapd-root.txt.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: slapd-openldap.txt.gz
Type: application/gzip
Size: 3920 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20060812/bee55267/slapd-openldap.txt.bin
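As an added example (not part of this message, the bug report, or the OpenLDAP package), a small Python helper for the comparison procedure described above: it pulls the SSL_accept state sequence and any client-socket errors out of two "slapd -d 1" captures and reports where the handshakes first diverge. The two log excerpts are constructed from the lines quoted in the diff, not the attachments themselves.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpts standing in for slapd-root.txt and slapd-openldap.txt
# (assumed content, built from the lines quoted in the message).
ROOT_LOG = """\
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
"""

OPENLDAP_LOG = """\
ldap_connect_to_host: Trying 172.30.1.1:389
ldap_is_socket_ready: error on socket 12: errno: 111 (Connection refused)
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
"""

TLS_RE = re.compile(r"^TLS trace: SSL_accept:(.*)$")
SOCK_ERR_RE = re.compile(
    r"^ldap_is_socket_ready: error on socket (\d+): errno: (\d+) \((.*)\)$")


def tls_states(log: str) -> List[str]:
    """SSL_accept state names in the order slapd logged them."""
    return [m.group(1) for m in map(TLS_RE.match, log.splitlines()) if m]


def socket_errors(log: str) -> List[Tuple[int, int, str]]:
    """(fd, errno, text) for every outbound client-socket failure slapd logged."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in map(SOCK_ERR_RE.match, log.splitlines()) if m]


def first_divergence(a: str, b: str) -> Optional[Tuple[int, str, str]]:
    """Index and the two state names where the handshakes first differ,
    or None when one state sequence is a prefix of the other."""
    for i, (x, y) in enumerate(zip(tls_states(a), tls_states(b))):
        if x != y:
            return i, x, y
    return None


if __name__ == "__main__":
    print("first TLS divergence:", first_divergence(ROOT_LOG, OPENLDAP_LOG))
    print("client socket errors (openldap run):", socket_errors(OPENLDAP_LOG))
```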

