OpenLDAP with StartTLS broken on Debian Lenny

I'm trying to get OpenLDAP on Lenny to work with StartTLS. I have a Fedora 13 machine which I'm using as a client for testing. So far the Fedora client is ignoring the 'host' directive in /etc/ldap.conf when I try to connect using ldapsearch. The client wants to connect to even if I specify -H ldaps://server.name on when using ldapsearch. /etc/ldap.conf on the client machine is in mode 444.

But even when I try connecting locally from an ssh session, I see errors like this: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Someone hit me with a cluebat, plz.

Update: you must use ~/.ldaprc for settings such as 'host'. Also, I just used nmap against the ldap server and it showed 636 and 389 in an open state.

Here's what prints to screen when I try to connect with: ldapsearch -ZZ -x '(objectclass=*)' + -d -1

ldap_new_connection 1 1 0
ldap_connect_to_host: TCP
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ber_scanf fmt ({it) ber:
ber_dump: buf=0x9bdbdb8 ptr=0x9bdbdb8 end=0x9bdbdd7 len=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...  
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037   
ber_scanf fmt ({) ber:
ber_dump: buf=0x9bdbdb8 ptr=0x9bdbdbd end=0x9bdbdd7 len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...  
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037        
ber_flush2: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...  
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037   
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...  
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037   
ldap_result ld 0x9bd3050 msgid 1
wait4msg ld 0x9bd3050 msgid 1 (infinite timeout)
wait4msg continue ld 0x9bd3050 msgid 1 all 1
** ld 0x9bd3050 Connections:
* host:  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Sun Jun  6 12:54:05 2010

** ld 0x9bd3050 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x9bd3050 request count 1 (abandoned 0)
** ld 0x9bd3050 Response Queue:
  ld 0x9bd3050 response count 0
ldap_chkResponseList ld 0x9bd3050 msgid 1 all 1
ldap_chkResponseList returns ld 0x9bd3050 NULL
read1msg: ld 0x9bd3050 msgid 1 all 1
ldap_read: want=8, got=0

ber_get_next failed.
ldap_start_tls: Can't contact LDAP server (-1)
    • "TLS: warning: cacertdir not implemented for gnutls". I see the above every time I start ldap with slapd -u openldap -d 256 -f /etc/ldap/slapd.conf

By default, the client checks the server's cert. Just add "TLS_REQCERT never" to /etc/openldap/ldap.conf.

    • Thanks, yeah. If I have TLSCACertificatePath /etc/ssl/certs/ in my slapd.conf file I see slapd complain that gnutls does not support that directive. So when I comment it out and slapd starts without complaining, I'm not sure if it can find the cacert file it needs.
    • Done. Now I'm seeing "ldap_bind: Invalid credentials (49)" on the client side and:
      conn=6 fd=13 ACCEPT from IP= (IP=
      conn=6 op=0 BIND dn="cn=admin,dc=oplz,dc=yo" method=128
      conn=6 op=0 RESULT tag=97 err=49 text=
      conn=6 fd=13 closed (connection lost)
    • Just try with ldaps instead of ldap + StartTLS. See whether you have any issues. Second, as sybreon mentioned, the OpenLDAP folks claim that one should not link slapd binaries with gnutls.
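An added example, not taken from the thread: the client and server settings that this answer, the "cacertdir not implemented for gnutls" comment on the question, and the intermediate-certificate answer further down are all circling around, with the weak setting shown beside the corrected one. The host name, file paths and certificate layout are assumptions for illustration; the base DN is the one visible in the slapd log above. One thing the debug trace in the question shows directly: the client connected to port 636 ("port: 636 (default)") and then sent the StartTLS extended operation in cleartext (the OID in the hex dump, 1.3.6.1.4.1.1466.20037, is StartTLS). A port that expects a TLS ClientHello drops that socket ("ldap_read: want=8, got=0"), which is exactly "ldap_start_tls: Can't contact LDAP server (-1)". StartTLS belongs on the plain port and ldaps on 636; -ZZ together with a port-636 URI can never work.

```conf
# ---- Client side: /etc/openldap/ldap.conf (Fedora) or ~/.ldaprc ----
BASE    dc=oplz,dc=yo

# For StartTLS (ldapsearch -ZZ) the URI must point at the plain LDAP port.
URI     ldap://ldap.example.org:389
# ldaps is TLS from the first byte on 636. Use it WITHOUT -ZZ; sending the
# StartTLS extended operation to this port is what the trace in the
# question shows, and the server simply closes the connection.
# URI   ldaps://ldap.example.org:636

# Weak (what the answer suggests): any certificate is accepted, so anyone
# on the path can present their own cert and read the simple-bind password.
# Only useful for a minute, to prove the TLS layer itself comes up.
# TLS_REQCERT never

# Corrected: require a certificate and verify it against the issuing CA.
# Fedora's client is linked against OpenSSL, so a single CA file works.
TLS_REQCERT demand
TLS_CACERT  /etc/openldap/cacerts/ca.pem

# ---- Server side: /etc/ldap/slapd.conf (Debian Lenny, slapd built on GnuTLS) ----
# GnuTLS cannot do hashed-directory lookups, hence the warning
# "TLS: warning: cacertdir not implemented for gnutls". Do not use:
# TLSCACertificatePath /etc/ssl/certs/
# Give it one file instead, with the root CA (and any intermediate) concatenated.
TLSCACertificateFile  /etc/ssl/certs/ca.pem
TLSCertificateFile    /etc/ssl/certs/ldap.example.org.pem
# The key must be unencrypted (slapd cannot prompt for a passphrase) and
# readable by the daemon: root:ssl-cert, mode 0440, with the openldap user
# added to the ssl-cert group.
TLSCertificateKeyFile /etc/ssl/private/ldap.example.org.key
```

Intermediate certificates: the chain the client needs must come from the server, and where a GnuTLS-built slapd looks for it depends on the OpenLDAP version. My working assumption is that the GnuTLS backend in the backport mentioned in the last answer reads a full chain from TLSCertificateFile (server certificate first, then the intermediate), which is why that answer says the backport is the fix; if your build does not do that, the squeeze route in the same answer is the safer option. Either way, verify with openssl s_client from a client machine before trusting it.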

I've managed to get SSL working with SLAPD on Lenny recently. While I do not remember exactly what I did, I do recall it having something to do with the difference in ciphers between GNUTLS and OPENSSL. The SLAPD packages for Lenny were compiled against GNUTLS. Might have something to do with this.


It looks like it can't read the key file. You should have an unpassworded key. Add openldap to the ssl-cert group. Make the group on the key ssl-cert and the permissions 440. The openssl s_client command can be used to debug tls issues.

    • I followed the instructions in Matt Butcher's book for setting up the keys in the "clear" (password stripped) method. I added my openldap user to the ssl-cert group like you said. Now I'm getting ldap_bind: Invalid credentials (49) errors. Not sure if that's progress. Heh.
    • Try connecting using the openssl tools. They help resolve TLS issues. Try adding -w (simple authentication) to the command line. It defaults to SASL, I believe.
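An added example, not from the thread, that turns the answer above into something you can run on the slapd host: one function checks the key file the way the answer prescribes (no passphrase, group ssl-cert, mode 440), one checks that the daemon user is actually in that group, and two probe the TLS layer with openssl s_client. GNU stat(1), the user name "openldap", the group "ssl-cert", the host name and the CA file path are all assumptions; the openssl checks need network access and are only shown as usage.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: GNU stat(1) is available, the key is PEM, slapd runs as the
# user "openldap" and the key file's group is "ssl-cert".

# Return 0 when slapd will be able to load the key as the answer prescribes:
# unencrypted, owned by the expected group, mode 0440 (no access for others).
check_slapd_key() {
    key=$1
    group=${2:-ssl-cert}
    [ -f "$key" ] || { echo "missing: $key" >&2; return 1; }
    # slapd has no way to prompt for a passphrase. An encrypted key carries
    # "Proc-Type: 4,ENCRYPTED" (PKCS#1) or "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8).
    if grep -q ENCRYPTED "$key"; then
        echo "$key is passphrase-protected; strip it: openssl rsa -in old.key -out new.key" >&2
        return 1
    fi
    set -- $(stat -c '%a %G' "$key")
    mode=$1
    grp=$2
    [ "$grp" = "$group" ] || { echo "$key: group $grp, want $group (chgrp $group $key)" >&2; return 1; }
    [ "$mode" = 440 ] || { echo "$key: mode $mode, want 440 (chmod 440 $key)" >&2; return 1; }
    return 0
}

# Return 0 when the user is a member of the group (primary or supplementary).
user_in_group() {
    user=$1
    group=$2
    id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"
}

# TLS probes. Port 636 speaks TLS from the first byte, so plain s_client works.
# "-starttls ldap" exists only in OpenSSL 1.1.1 and newer; Lenny's OpenSSL lacks
# it, so on Lenny itself probe 636 or use "ldapsearch -ZZ -d 1" for StartTLS.
probe_ldaps() {
    host=$1
    cafile=${2:-/etc/ssl/certs/ca.pem}
    printf 'Q\n' | openssl s_client -connect "$host:636" -CAfile "$cafile" 2>&1 \
        | grep -E '^(depth=|subject=|issuer=|Verify return code)'
}
probe_starttls() {
    host=$1
    cafile=${2:-/etc/ssl/certs/ca.pem}
    printf 'Q\n' | openssl s_client -connect "$host:389" -starttls ldap -CAfile "$cafile" 2>&1 \
        | grep -E '^(depth=|subject=|issuer=|Verify return code)'
}

# Usage on the server (host name and key path assumed):
#   check_slapd_key /etc/ssl/private/ldap.example.org.key ssl-cert \
#     && user_in_group openldap ssl-cert \
#     && probe_ldaps ldap.example.org
# A "Verify return code: 0 (ok)" line means the chain the server sends is
# complete; "unable to get local issuer certificate" means the intermediate
# is missing on the server side, not that the client is misconfigured.
```

The permission check is deliberately strict about others having no access: a world-readable key on a multi-user box is the quiet failure that no ldapsearch error will ever tell you about.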

If you have an SSL certificate that is signed by an intermediate certificate (which isn't uncommon these days) you will have problems with TLS in slapd under Lenny. As mentioned by sybreon Lenny slapd links with GNUTLS, which doesn't support all of the options you need.

The solution is to use the Lenny backport of slapd. However we've found that the 2.4.17-2.1~bpo50+1 backport compiles against libdb4.6, which has a bug in it that affects us after running for about a week.

So at this point I don't recommend using Lenny to run slapd if you need TLS. Upgrade to squeeze instead.
