[Bug 420277] Re: ldap tls refusing to initialize

2009-10-22 Thread Mathias Gug
Marking this bug as invalid - seems that most of the issues reported
here are configuration issues: file permissions, apparmor profile,
certificate chain.

** Changed in: openldap (Ubuntu)
   Status: Confirmed => Invalid

-- 
ldap tls refusing to initialize
https://bugs.launchpad.net/bugs/420277
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 420277] Re: ldap tls refusing to initialize

2009-10-06 Thread Mathias Gug
** Changed in: openldap (Ubuntu)
   Importance: Undecided => Low


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-26 Thread PeterNSteinmetz
For the time being, I posted an update for the network-auth.xml in
ubuntu-docs.

https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs/+bug/437483


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-22 Thread Dave Vree
I was using the how-to referenced by the OP.  I was also using this one
on certificates.

https://help.ubuntu.com/9.04/serverguide/C/certificates-and-security.html

What got me messed up was a small, but important point that got lost
between the two how-tos.  The LDAP how-to takes advantage of the group
ssl-cert, which has read privileges on /etc/ssl/private.  They had the
nifty idea of putting the openldap account into the ssl-cert group.

The certificate how-to says to put the key into /etc/ssl/private.
This is fine, but while the /etc/ssl/private folder was readable by
openldap, the new copied keyfile was not.  Unfortunately for me (and
probably others) the only error I got was the one the OP was also
getting.

A trick I discovered can help:

become root:       sudo -i
become openldap:   su openldap
check privileges:  cat /etc/ssl/private/nameofmyserver.key

It helped me track down the answer.


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-18 Thread Dave Vree
In the meantime, does anybody have a work-around for this?  I've hit
this problem on a vanilla Ubuntu 9.04 server install and can't get past
it!


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-18 Thread PeterNSteinmetz
Yes, continues to be annoying.

One thing to do is to carefully verify the certificate chain you have
configured for LDAP use. If the certificate is self-signed, then don't
configure the olcCACertificateFile item. Otherwise, make sure the CA
signing the certificate has its certificate in this property.

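A way to carry out the chain verification Peter recommends before pointing slapd at the files, as an added example that is not part of the bug thread. It uses the openssl command line (already in use in the thread for s_client), checks that the private key actually belongs to the certificate, reports whether the certificate is self-signed, and, when a CA file is given, verifies the certificate against it. The file names in the usage comment are assumptions; the olcTLS* attribute names are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread): sanity-check the TLS material
# before handing it to slapd, since tlsg_ctx_init only reports -1.
# Needs the openssl command-line tool.
#
# Usage: ldap_tls_chain_check CERT KEY [CAFILE]
#   e.g. ldap_tls_chain_check /etc/ssl/certs/ldap.pem \
#            /etc/ssl/private/ldap.key /etc/ssl/certs/cacert.pem
#   (paths are assumptions, not taken from the thread)

# Return 0 if KEY is the private key for CERT: both must yield the same
# public key.  Works for RSA and EC keys via `openssl pkey`.
key_matches_cert() {
    _cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    _kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$_cpub" = "$_kpub" ]
}

# Return 0 if CERT verifies against itself, i.e. it is self-signed.
is_self_signed() {
    _out=$(openssl verify -CAfile "$1" "$1" 2>&1)
    case "$_out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Return 0 if CERT chains to the CAs in CAFILE.  Matching on ": OK" rather
# than the exit status, because older openssl releases exit 0 on failure.
verifies_against() {
    _out=$(openssl verify -CAfile "$2" "$1" 2>&1)
    case "$_out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Print a verdict per check; return 0 only if the configuration is sound.
ldap_tls_chain_check() {
    _cert=$1; _key=$2; _ca=$3; _rc=0
    if key_matches_cert "$_cert" "$_key"; then
        echo "OK   key $_key matches certificate $_cert"
    else
        echo "FAIL key $_key does not belong to $_cert (or a file is unreadable)"
        _rc=1
    fi
    if is_self_signed "$_cert"; then
        echo "INFO $_cert is self-signed"
        if [ -n "$_ca" ]; then
            echo "WARN olcTLSCACertificateFile ($_ca) is set for a self-signed cert; the thread reports this as a TLS init failure with the gnutls build"
        fi
    elif [ -z "$_ca" ]; then
        echo "FAIL $_cert is CA-signed but no CA file was given; set olcTLSCACertificateFile to the issuing CA chain"
        _rc=1
    fi
    if [ -n "$_ca" ]; then
        if verifies_against "$_cert" "$_ca"; then
            echo "OK   $_cert verifies against $_ca"
        else
            echo "FAIL $_cert does not verify against $_ca"
            _rc=1
        fi
    fi
    return $_rc
}
```

Run it as the user that will read the files (root is fine here; the permission question is a separate check). A FAIL on the key/certificate match is the one slapd cannot tell you about: it shows up only as the -1 from tlsg_ctx_init.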


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-18 Thread Dave Vree
Well, after much pain and suffering for me it turned out to be a simple
permissions problem.  I believe the how-to should be changed to ensure
this doesn't happen to anyone else.   Problem was that my private
keyfile did not provide read permissions to the group.

sudo chmod g+r /etc/ssl/private/myserver.key

and voilà... everything works.

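A preflight check for the permission trap described in Dave's two messages (the "su openldap, then cat the key" trick and the chmod g+r fix), as an added example that is not part of the bug thread. It reasons from the mode bits the way the kernel will once slapd has dropped to its service account: every directory on the way down needs the search bit, and the file itself needs the read bit for the owner, group or other class that applies to that user. It assumes GNU stat on a Linux host; the openldap user and the paths in the usage comment come from the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread): can the slapd service account
# read the TLS key and certificate it is configured with?  Assumes GNU
# stat (Linux).  Classic mode bits only: POSIX ACLs are not considered,
# and neither is root's CAP_DAC_OVERRIDE, which slapd no longer has after
# switching to the openldap user.
#
# Usage: slapd_tls_preflight openldap /etc/ssl/private/myserver.key \
#            /etc/ssl/certs/myserver.pem

# Return 0 if USER belongs to GROUP (primary or supplementary), per `id -Gn`.
user_in_group() {
    _uig_user=$1; _uig_group=$2
    for _uig_m in $(id -Gn "$_uig_user" 2>/dev/null); do
        [ "$_uig_m" = "$_uig_group" ] && return 0
    done
    return 1
}

# Print the single octal permission digit that applies to USER for PATH:
# the owner digit if USER owns it, else the group digit if USER is in the
# file's group, else the "other" digit.  Returns 2 if PATH cannot be stat'ed.
effective_perm_digit() {
    _path=$1; _user=$2
    _meta=$(stat -c '%a %U %G' "$_path" 2>/dev/null) || return 2
    set -- $_meta
    _mode=$1; _owner=$2; _group=$3
    # Pad to at least three digits, then keep the last three (drops a
    # leading setuid/setgid/sticky digit).  Digits are 0-7, so %d is safe.
    _mode=$(printf '%03d' "$_mode")
    _mode=${_mode#"${_mode%???}"}
    _u=${_mode%??}; _rest=${_mode#?}; _g=${_rest%?}; _o=${_rest#?}
    if [ "$_owner" = "$_user" ]; then
        echo "$_u"
    elif user_in_group "$_user" "$_group"; then
        echo "$_g"
    else
        echo "$_o"
    fi
}

# Return 0 if USER can read FILE, printing a one-line verdict that names
# the first thing in the way (a non-searchable directory or the file's own
# read bit), which is exactly what slapd's "-1" does not tell you.
slapd_can_read() {
    _file=$1; _user=$2
    _d=$_file
    while :; do
        _d=$(dirname "$_d")
        _pd=$(effective_perm_digit "$_d" "$_user") || { echo "NO  $_file: cannot stat $_d"; return 1; }
        if [ $(( $_pd & 1 )) -eq 0 ]; then
            echo "NO  $_file: $_user cannot search directory $_d (perm digit $_pd)"
            return 1
        fi
        [ "$_d" = / ] || [ "$_d" = . ] && break
    done
    _fd=$(effective_perm_digit "$_file" "$_user") || { echo "NO  $_file: cannot stat"; return 1; }
    if [ $(( $_fd & 4 )) -eq 0 ]; then
        echo "NO  $_file: $_user has perm digit $_fd on the file, read bit is off"
        return 1
    fi
    echo "OK  $_file: readable by $_user"
    return 0
}

# Check every FILE for the service user; return 1 if any of them fails.
slapd_tls_preflight() {
    _svc=$1; shift
    _rc=0
    for _f in "$@"; do
        slapd_can_read "$_f" "$_svc" || _rc=1
    done
    return $_rc
}
```

The decisive test is still the thread's own one (become openldap and cat the file); this script only explains the verdict from the mode bits, and an AppArmor profile can still block a file the mode bits allow.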


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-18 Thread PeterNSteinmetz
Thanks Dave. I agree about the docs on this. Can you comment on which
howto you were using?


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-11 Thread PeterNSteinmetz
Playing around with the source today and debugging slapd with gdb.

It appears that much of the pain here is in tls_g.c, the wrappers for
gnutls. The function tlsg_ctx_init in particular. This is where, at
least for my configuration, most of the failures are occurring. And the
code in this function often makes a call onto a gnutls function, as in:

    if (lo->ldo_tls_cacertfile != NULL) {
        rc = gnutls_certificate_set_x509_trust_file(
            ctx->cred,
            lt->lt_cacertfile,
            GNUTLS_X509_FMT_PEM );
        if ( rc < 0 ) return -1;
    }

and doesn't really do anything with the return code. There are 3 places
in tlsg_ctx_init where this occurs with no logging of what the actual
error code was. It just returns -1, rather than a more specific error
code. Upshot is that we simply get a -1 error code in the log with no
further advice on the specific problem.

The code in tls_o.c for this function and others seems better developed
and reports more useful error codes.

With a self-signed certificate, and setting only olcTLSCertificateFile
and olcTLSCertificateKeyFile, the server works and does answer properly
when trying with a command on another machine like:

openssl s_client -connect ldapServerIP:636 -showcerts

If olcTLSCACertificateFile is set to the self-signed certificate, slapd
fails to initialize TLS.

I suspect most of the problems being reported are due to configuration
issues, like those reported by Christian R. Without better error output,
it is very difficult to figure these out.

Now I'd be delighted to try and add more debugging and produce a patch;
however, perhaps I can get a bit of help with the packaging?

I've been able to get the source with 'apt-get source libldap-2.4-2',
and go in change the debian/configure.options, followed by a 'debchange
-i' and 'debuild -us -uc -i -I', then a 'sudo debi', and get a version
with debugging symbols installed.

What has been eluding me (after reading the HOWTO and several other
tutorials), is how to get changes in the source to build into the
package properly when installed and how to get other Debug statements to
work (though perhaps that is just because the packaging isn't working
right, since the machine language statements in the debugger don't agree
with the source listed in gdb, ouch). With a -nc option on debuild it
builds, but likely isn't actually including the changes. Without the
-nc, it complains about the upstream patches not being able to be
applied.

Hopefully someone can point me to the correct descriptions or give me
some help on this one.

Of course, a fixed up package with better error output from one of the
openldap gurus would be most welcome!

thanks,
Peter


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-10 Thread MatthiasK
Same here. I have a vanilla Jaunty install (Atom-330 with 64-bit Jaunty,
if this makes any difference) and following the above instructions that
Peter referenced fails for me with the same error, and my ldap.conf also
doesn't have this TLS_RANDFILE set.


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-06 Thread PeterNSteinmetz
Interesting. My version also was an upgrade from
hardy -> intrepid -> jaunty. My /etc/ldap/ldap.conf doesn't contain a line
about TLS_RANDFILE though, and my install doesn't report the "TLS:
gcry_control" error; rather, there is nothing other than the "main: TLS
init def ctx failed: -1" complaint.  I suspect these may be related
problems, at least in the sense of it being hard to tell what is going wrong
during initialization.

I will likely later this weekend try to clear aside configuration and
try a local build of openldap with debugging for gdb turned on and built
against gnutls.


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-05 Thread Christian Roessner
I do confirm this.

And: Howard Chu still explains NOT TO USE GNUTLS with openldap! It is
broken by design! Do not wonder about strange behavior if you do not
trust the core developers.

http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

I have asked Howard a couple of days ago and he still stays at his
opinion. I think Debian/Ubuntu should not make changes from openssl to
gnutls!

For this bug:

...
1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1 (distinguishedNameMatch): 
matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( 
creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ 
aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ 
olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ 
olcAccessLogDB $ member $ owner $ roleOccupant $ manager $ documentAuthor $ 
secretary $ associatedName $ dITRedirect ) )
2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 
'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ 
supportedFeatures $ supportedApplicationContext ) )
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
main: TLS init failed: 0
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

And by the way: My certs are under /ca/ldapmaster.roessner-net.com

My profile for apparmor was working under intrepid. Upgrading from
intrepid to jaunty does not work.

# Last Modified: Tue Sep  2 13:08:01 2008
# Author: Jamie Strandboge ja...@ubuntu.com

#include <tunables/global>
/usr/sbin/slapd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /ca/cacert_org.crt r,
  /ca/ldapmaster.roessner-net.de/newcert.pem r,
  /ca/ldapmaster.roessner-net.de/newkey.pem r,
  /etc/gai.conf r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ldap/ldap.conf r,
  /etc/ldap/schema/* r,
  /etc/ldap/slapd.conf r,
  /etc/sasldb2 r,
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,
  /usr/lib/ldap/ r,
  /usr/lib/ldap/* mr,
  /usr/sbin/slapd mr,
  /var/lib/ldap/ r,
  /var/lib/ldap/* rw,
  /var/lib/ldap-ov/accesslog r,
  /var/lib/ldap-ov/accesslog/* rw,
  /var/lib/ldap/alock kw,
  /var/lib/ldap-ov/accesslog/alock kw,
  /var/run/slapd/* w,
}

No dmesg output that points to problems.

** Changed in: openldap (Ubuntu)
   Status: New => Confirmed


[Bug 420277] Re: ldap tls refusing to initialize

2009-09-05 Thread PeterNSteinmetz
Interesting that there is the TLS complaint through "TLS: gcry_control
..."

Nothing like that in mine. I was looking through the source a bit last
night on this. It seems that the TLS init call is returning a -1 error
code under some circumstances without really throwing another error
message.

Despite the problems with gnutls, it seems the ubuntu folks are
committed to staying with it for licensing reasons.


[Bug 420277] Re: ldap tls refusing to initialize

2009-08-28 Thread PeterNSteinmetz
** Changed in: openldap (Ubuntu)
   Status: Invalid => New


[Bug 420277] Re: ldap tls refusing to initialize

2009-08-28 Thread PeterNSteinmetz
Thanks Mr. Gug. I checked this, placing the apparmor profile into
complain mode with sudo aa-complain /usr/sbin/slapd.

The same problem occurs with an attempt to start slapd, but there are no
entries in /var/log/kern.log associated and no audit entries.

I also moved the certificates and keys generated using gnutls into
/etc/ssl/certs and /etc/ssl/private. Still the same problem with no
audit entries in the /var/log/kern.log.

I'm not quite certain what is meant by standard locations, since
https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html says to
put them in /etc/ssl/certs and /etc/ssl/private under the TLS and SSL
sections, though I am happy to try moving them anywhere that may help.

Is there some setting I should be using to get more information out of
gnutls about what may be going on?

thanks,
Peter

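A small log filter for the audit check Peter describes above (put the profile in complain mode with aa-complain, then look for slapd entries in kern.log), as an added example that is not part of the bug thread. It reports both DENIED entries and the ALLOWED entries that complain mode writes for operations it would have refused in enforce mode; that is what makes aa-complain useful here: the profile stops blocking slapd, but the log still names the path it would have blocked. The sample log lines are constructed for the example in the format current AppArmor kernels emit (the 2009-era type=1503 lines are laid out differently), and the /ca/ldapmaster.example.test path is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug thread): list the files an AppArmor
# profile blocked, or would have blocked in complain mode, for one binary.
# Feed it kern.log, syslog, `journalctl -k` output or audit.log.
#
# Usage: apparmor_hits /usr/sbin/slapd < /var/log/kern.log

# $1: profile name exactly as it appears in profile="...".
# Output: one line per event, "<DENIED|ALLOWED> <operation> <mask> <path>".
# Paths containing spaces are not handled, which is fine for what slapd opens.
apparmor_hits() {
    awk -v prof="$1" '
        /apparmor="(DENIED|ALLOWED)"/ && index($0, "profile=\"" prof "\"") {
            verdict = ""; op = ""; mask = ""; path = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])
                if (kv[1] == "apparmor")    verdict = kv[2]
                if (kv[1] == "operation")   op = kv[2]
                if (kv[1] == "denied_mask") mask = kv[2]
                if (kv[1] == "name")        path = kv[2]
            }
            if (path != "") print verdict, op, mask, path
        }'
}

# Constructed sample (not a real capture): one enforce-mode denial on the
# key from the thread, one profile reload, one complain-mode "would deny"
# on a key outside /etc/ssl, and one denial for a different profile.
SAMPLE_LOG='Sep 18 10:01:02 ldap kernel: audit: type=1400 audit(1253268062.101:71): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/ssl/private/myserver.key" pid=2142 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
Sep 18 10:01:02 ldap kernel: audit: type=1400 audit(1253268062.102:72): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/slapd" pid=2150 comm="apparmor_parser"
Sep 18 10:02:15 ldap kernel: audit: type=1400 audit(1253268135.300:73): apparmor="ALLOWED" operation="open" profile="/usr/sbin/slapd" name="/ca/ldapmaster.example.test/newkey.pem" pid=2160 comm="slapd" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
Sep 18 10:02:16 ldap kernel: audit: type=1400 audit(1253268136.001:74): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/shadow" pid=900 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Run the filter over the constructed sample for the slapd profile.
demo_slapd_hits() {
    printf '%s\n' "$SAMPLE_LOG" | apparmor_hits /usr/sbin/slapd
}
```

An ALLOWED line with a path under /ca/... is the signature of Christian's case: a profile that lists the new location would need a matching rule (or an abstractions/ssl_certs-style include) before going back to enforce mode; an empty result with the service still failing points back at plain file permissions or the certificate chain rather than at AppArmor.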