[Pkg-openldap-devel] Bug#807922: slapd: Unable to use olcTLSVerifyClient

Obspm albert.shih at obspm.fr
Mon Dec 14 14:05:22 UTC 2015


Package: slapd
Version: 2.4.40+dfsg-1+deb8u1
Severity: important


Hi everyone.

From a fresh install (the server is a virtual machine with VirtualBox), after basic configuration of slapd, without any configuration other than those made by apt-get, with no special data I can add this piece of ldif

	dn: cn=config
	changeType: modify
	add: olcTLSVerifyClient
	olcTLSVerifyClient: never
	-

I always got:

root@debian:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f toto.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

and the debug file contains (with LogLevel:1)

Dec 14 15:04:12 debian slapd[3597]: slap_listener_activate(11):
Dec 14 15:04:12 debian slapd[3597]: >>> slap_listener(ldapi:///)
Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
Dec 14 15:04:12 debian slapd[3597]: op tag 0x60, time 1450101852
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=0 do_bind
Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <>
Dec 14 15:04:12 debian slapd[3597]: <<< dnPrettyNormal: <>, <>
Dec 14 15:04:12 debian slapd[3597]: do_bind: dn () SASL mech EXTERNAL
Dec 14 15:04:12 debian slapd[3597]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
Dec 14 15:04:12 debian slapd[3597]: <==slap_sasl2dn: Converted SASL name to <nothing>
Dec 14 15:04:12 debian slapd[3597]: SASL Authorize [conn=1031]:  proxy authorization allowed authzDN=""
Dec 14 15:04:12 debian slapd[3597]: send_ldap_sasl: err=0 len=-1
Dec 14 15:04:12 debian slapd[3597]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
Dec 14 15:04:12 debian slapd[3597]: send_ldap_response: msgid=1 tag=97 err=0
Dec 14 15:04:12 debian slapd[3597]: <== slap_sasl_bind: rc=0
Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
Dec 14 15:04:12 debian slapd[3597]: op tag 0x66, time 1450101852
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=1 do_modify
Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <cn=config>
Dec 14 15:04:12 debian slapd[3597]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Dec 14 15:04:12 debian slapd[3597]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "objectClass"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "cn"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcArgsFile"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcPidFile"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcToolThreads"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "structuralObjectClass"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "entryUUID"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "creatorsName"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "createTimestamp"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcConnMaxPending"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcLogLevel"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcTLSVerifyClient"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "entryCSN"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "modifiersName"
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "modifyTimestamp"
Dec 14 15:04:12 debian slapd[3597]: send_ldap_result: conn=1031 op=1 p=3
Dec 14 15:04:12 debian slapd[3597]: send_ldap_response: msgid=2 tag=103 err=53
Dec 14 15:04:12 debian slapd[3597]: connection_get(13): got connid=1031
Dec 14 15:04:12 debian slapd[3597]: connection_read(13): checking for input on id=1031
Dec 14 15:04:12 debian slapd[3597]: op tag 0x42, time 1450101852
Dec 14 15:04:12 debian slapd[3597]: ber_get_next on fd 13 failed errno=0 (Success)
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=2 do_unbind
Dec 14 15:04:12 debian slapd[3597]: connection_close: conn=1031 sd=13
Dec 14 15:04:58 debian slapd[3597]: slap_listener_activate(11):
Dec 14 15:04:58 debian slapd[3597]: >>> slap_listener(ldapi:///)
Dec 14 15:04:58 debian slapd[3597]: connection_get(13): got connid=1032
Dec 14 15:04:58 debian slapd[3597]: connection_read(13): checking for input on id=1032
Dec 14 15:04:58 debian slapd[3597]: op tag 0x60, time 1450101898
Dec 14 15:04:58 debian slapd[3597]: conn=1032 op=0 do_bind
Dec 14 15:04:58 debian slapd[3597]: >>> dnPrettyNormal: <>
Dec 14 15:04:58 debian slapd[3597]: <<< dnPrettyNormal: <>, <>
Dec 14 15:04:58 debian slapd[3597]: do_bind: dn () SASL mech EXTERNAL
Dec 14 15:04:58 debian slapd[3597]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
Dec 14 15:04:58 debian slapd[3597]: <==slap_sasl2dn: Converted SASL name to <nothing>
Dec 14 15:04:58 debian slapd[3597]: SASL Authorize [conn=1032]:  proxy authorization allowed authzDN=""
Dec 14 15:04:58 debian slapd[3597]: send_ldap_sasl: err=0 len=-1
Dec 14 15:04:58 debian slapd[3597]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
Dec 14 15:04:58 debian slapd[3597]: send_ldap_response: msgid=1 tag=97 err=0
Dec 14 15:04:58 debian slapd[3597]: <== slap_sasl_bind: rc=0
Dec 14 15:04:58 debian slapd[3597]: connection_get(13): got connid=1032
Dec 14 15:04:58 debian slapd[3597]: connection_read(13): checking for input on id=1032
Dec 14 15:04:58 debian slapd[3597]: op tag 0x63, time 1450101898
Dec 14 15:04:58 debian slapd[3597]: conn=1032 op=1 do_search
Dec 14 15:04:58 debian slapd[3597]: >>> dnPrettyNormal: <cn=config>
Dec 14 15:04:58 debian slapd[3597]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Dec 14 15:04:58 debian slapd[3597]: ==> limits_get: conn=1032 op=1 self="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" this="cn=config"
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn=module{0},cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn={0}core,cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn={1}cosine,cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn={2}nis,cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="cn={3}inetorgperson,cn=schema,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="olcBackend={0}mdb,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="olcDatabase={-1}frontend,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="olcDatabase={0}config,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: => send_search_entry: conn 1032 dn="olcDatabase={1}mdb,cn=config"
Dec 14 15:04:58 debian slapd[3597]: <= send_search_entry: conn 1032 exit.
Dec 14 15:04:58 debian slapd[3597]: send_ldap_result: conn=1032 op=1 p=3
Dec 14 15:04:58 debian slapd[3597]: send_ldap_response: msgid=2 tag=101 err=0
Dec 14 15:04:58 debian slapd[3597]: connection_get(13): got connid=1032
Dec 14 15:04:58 debian slapd[3597]: connection_read(13): checking for input on id=1032
Dec 14 15:04:58 debian slapd[3597]: op tag 0x42, time 1450101898
Dec 14 15:04:58 debian slapd[3597]: ber_get_next on fd 13 failed errno=0 (Success)
Dec 14 15:04:58 debian slapd[3597]: conn=1032 op=2 do_unbind
Dec 14 15:04:58 debian slapd[3597]: connection_close: conn=1032 sd=13

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages slapd depends on:
ii  adduser                     3.113+nmu3
ii  coreutils                   8.23-4
ii  debconf [debconf-2.0]       1.5.56
ii  libc6                       2.19-18+deb8u1
ii  libdb5.3                    5.3.28-9
ii  libgnutls-deb0-28           3.3.8-6+deb8u3
ii  libldap-2.4-2               2.4.40+dfsg-1+deb8u1
ii  libltdl7                    2.4.2-1.11
ii  libodbc1                    2.3.1-3
ii  libperl5.20                 5.20.2-3+deb8u1
ii  libsasl2-2                  2.1.26.dfsg1-13+deb8u1
ii  libslp1                     1.2.1-10+deb8u1
ii  libwrap0                    7.6.q-25
ii  lsb-base                    4.1+Debian13+nmu1
ii  multiarch-support           2.19-18+deb8u1
ii  perl [libmime-base64-perl]  5.20.2-3+deb8u1
ii  psmisc                      22.21-2

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.26.dfsg1-13+deb8u1

Versions of packages slapd suggests:
ii  ldap-utils                                             2.4.40+dfsg-1+deb8u1
pn  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi  <none>

-- debconf information:
* slapd/password1: (password omitted)
  slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
  slapd/internal/adminpw: (password omitted)
  slapd/password_mismatch:
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/upgrade_slapcat_failure:
  slapd/unsafe_selfwrite_acl:
* slapd/no_configuration: false
* slapd/move_old_database: true
  slapd/invalid_config: true
* slapd/purge_database: true
* slapd/allow_ldap_v2: false
* slapd/domain: moi.fr
  slapd/dump_database: when needed
* slapd/backend: MDB
* shared/organization: moi.fr
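
Added example (not part of the original report, and not slapd or Debian code): a small Python parser that reduces a trace-level slapd log like the one quoted above to one record per operation, then lists write attempts against cn=config with the bound identity and the LDAP result code. It assumes the lines of one operation are contiguous, as they are in the quoted log; the function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in the format of the slapd trace log quoted in the report.
SAMPLE_LOG = """\
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=0 do_bind
Dec 14 15:04:12 debian slapd[3597]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
Dec 14 15:04:12 debian slapd[3597]: send_ldap_response: msgid=1 tag=97 err=0
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=1 do_modify
Dec 14 15:04:12 debian slapd[3597]: >>> dnPrettyNormal: <cn=config>
Dec 14 15:04:12 debian slapd[3597]: oc_check_allowed type "olcTLSVerifyClient"
Dec 14 15:04:12 debian slapd[3597]: send_ldap_response: msgid=2 tag=103 err=53
Dec 14 15:04:12 debian slapd[3597]: conn=1031 op=2 do_unbind
"""

OP_START = re.compile(r"conn=(\d+) op=(\d+) do_(\w+)")
BIND_DN = re.compile(r'do_bind: \S+ bind: dn="([^"]*)"')
TARGET = re.compile(r">>> dnPrettyNormal: <([^>]*)>")
RESULT = re.compile(r"send_ldap_response: msgid=\d+ tag=\d+ err=(\d+)")
WRITE_OPS = {"modify", "add", "delete", "modrdn"}

def summarize(log):
    """Return one record per operation that received a response.

    Assumption: lines belonging to one operation are not interleaved
    with lines from other connections.
    """
    records, identity, cur = [], {}, None
    for line in log.splitlines():
        if m := OP_START.search(line):
            conn, op, kind = int(m.group(1)), int(m.group(2)), m.group(3)
            cur = {"conn": conn, "op": op, "kind": kind,
                   "target": "", "who": identity.get(conn, "")}
        elif cur is None:
            continue
        elif m := BIND_DN.search(line):
            # Remember the bound identity for later operations on this connection.
            identity[cur["conn"]] = cur["who"] = m.group(1)
        elif (m := TARGET.search(line)) and not cur["target"]:
            cur["target"] = m.group(1)
        elif m := RESULT.search(line):
            records.append({**cur, "err": int(m.group(1))})
            cur = None
    return records

def config_writes(records):
    """Write attempts against cn=config, successful or not."""
    return [r for r in records
            if r["kind"] in WRITE_OPS and r["target"].lower().endswith("cn=config")]
```

Run over the sample, `config_writes(summarize(SAMPLE_LOG))` yields the single failed modify (err=53) by the peercred identity on conn=1031.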


