Bug#381788: [Pkg-openldap-devel] Bug#381788: slapd: TLS connections fail when running as non-root

Matthijs Mohlmann matthijs at cacholong.nl
Mon Aug 7 20:43:24 UTC 2006


On Sun, 06 Aug 2006 17:10:24 -0600
Michael Berg <michaeljberg at gmail.com> wrote:

> Package: slapd
> Version: 2.3.25-1
> Severity: normal
> 
> I've had this problem in both slapd 2.3.24-2 and 2.3.25-1.
> When slapd is running as root, everything works perfectly.  But when running
> as a non-root user (like the new default "openldap"), TLS connections fail.
> This affects both port 389+starttls and port 636.
> 
> When slapd is running as root, the command
> "openssl s_client -connect 127.0.0.1:636 -CAfile /etc/ssl/certs/mydomain.dyndns.org_CA.pem"
> successfully establishes a TLSv1 connection to the SSL/TLS port.
> 
> When slapd is running as the "openldap" user and group,
> the same command produces the following:
> ==========
> CONNECTED(00000003)
> depth=1 /C=US/O=mydomain/OU=Certificate Authority/L=MyCity/ST=MyState/CN=mydomain.dyndns.org
> verify return:1
> depth=0 /C=US/O=mydomain/OU=LDAP Server/L=MyCity/ST=MyState/CN=ldap.mydomain.dyndns.org
> verify return:1
> 1878:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
> 1878:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
> ==========
> 
> 
> ldapsearch and most other packages on my system are configured to use port 389+starttls
> ==========
> $ ldapsearch -x -ZZ
> 
> ldap_start_tls: Connect error (-11)
>         additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> ==========
> (This same command succeeds when slapd is running as root)
> 
> 
> Just to make sure slapd is working:
> ==========
> $ ldapsearch -x
> 
> # search result
> search: 2
> result: 13 Confidentiality required
> text: confidentiality required
> 
> # numResponses: 1
> ==========
> (which shows that slapd is running, and is requiring confidentiality as configured)
> 
> 
> And if I disable the requirement for confidentiality in slapd.conf,
> "ldapsearch -x" successfully returns everything that it should from the LDAP database.
> 
> 
> I've made sure that everything listed in slapd's README.Debian.gz for
> "Running slapd under a different uid/gid" holds true.
>  - openldap user and group are present in the system passwd/group files
> 	$ getent passwd openldap
> 	openldap:x:100:121:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
> 	$ getent group openldap
> 	openldap:x:121:
>  - SLAPD_USER and SLAPD_GROUP are both set to "openldap" in /etc/default/slapd.
>  - /var/lib/ldap and all files in it have user:group of openldap:openldap.
>  - Permissions and user:group on slapd.conf have been set to
> 	-rw-r----- root:openldap
>  - Permissions and user:group on /var/run/slapd are
> 	drwxr-xr-x openldap:openldap
> 
> The SSL/TLS private cert is in a location readable by the openldap user and group.
> The SSL/TLS public cert is in a location readable by everyone on the system.
> 
> 
> The TLS-relevant portions of my slapd.conf are
> ==========
> # TLS configuration
> TLSCipherSuite		HIGH:!ADH
> TLSCACertificateFile	/etc/ssl/certs/mydomain.dyndns.org_CA.pem
> TLSCertificateFile	/etc/ssl/certs/ldap.mydomain.dyndns.org.pem
> TLSCertificateKeyFile	/etc/ldap/private/ldap.mydomain.dyndns.org.pem
> TLSCRLCheck		none
> TLSVerifyClient		never
> # Require at least 128 bit encryption for all operations
> security	ssf=128
> ==========
> 
> 
> And just for completeness, here are the contents of my ldap.conf file that
> ldap clients use
> ==========
> BASE	dc=mydomain,dc=dyndns,dc=org
> URI	ldap://ldap.mydomain.dyndns.org
> TLS_CIPHER_SUITE	HIGH:!ADH
> TLS_CACERT		/etc/ssl/certs/mydomain.dyndns.org_CA.pem
> TLS_REQCERT		demand
> TLS_CRLCHECK		none
> ==========
> 
This is the complete content of ldap.conf on the clients?

> 
> I even tried purging slapd, reinstalling it, and re-populating it from scratch
> (I didn't just reload a DB backup).
> 
> The fresh install worked fine as non-root until a reboot - at which point the
> problem described above returned and TLS connections fail.
> 
That's strange.

> I've tried running slapd with various debug levels and with strace - looking for
> problems opening any files or other errors, but if it's in there, I'm not seeing it.
> 
> 
> Several of the search results for "error:14094410:SSL" mention client certificates,
> but I've specified "TLSVerifyClient never" in slapd.conf and it still doesn't explain
> why this behavior only shows up when running as non-root.
> 
> If there is any specific debug output (slapd -d, strace, ltrace, gdb, etc) you need
> to help diagnose the cause, just let me know and I'd be happy to provide it.
> 

I've just tried with the same TLS settings and I can't reproduce the
problem somehow. User is openldap, group is openldap, all permissions are fine:

root at monster # ldapsearch -x-ZZ
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# numResponses: 3
# numEntries: 2

root at monster # ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required

# numResponses: 1

--

Can you please send the output of: ldapsearch -x -ZZ -d 7

Regards,

Matthijs Mohlmann
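One check worth running before collecting more debug output, as an added example that is not part of this bug thread or of the Debian slapd package: pull the TLS file directives out of slapd.conf and decide whether the SLAPD_USER account could actually open each file, applying the owner/group/other read bit on the file and the search bit on every parent directory the way the kernel does. It assumes the slapd.conf layout quoted above; the account name (e.g. openldap) is a parameter, and the test below uses constructed files and a made-up uid rather than a real openldap account.

```python
import grp, os, pwd, stat

TLS_FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")

def tls_files_from_slapd_conf(conf_text):
    """Map each TLS file directive found in a slapd.conf fragment to its path."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_FILE_DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found

def _allowed(st, uid, gids, ubit, gbit, obit):
    """Select the owner, group or other permission bit exactly as the kernel does."""
    bit = ubit if st.st_uid == uid else gbit if st.st_gid in gids else obit
    return bool(st.st_mode & bit)

def readable_by(path, uid, gids):
    """True if a process with this uid and group set could open path for reading:
    search (x) on each parent directory plus read (r) on the file. Root is always
    allowed; POSIX ACLs, capabilities and symlinked parents are not modelled."""
    path = os.path.abspath(path)
    if uid == 0:
        return os.path.exists(path)
    cur = os.sep
    for comp in path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, comp)
        try:
            st = os.stat(cur)
        except OSError:
            return False
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    try:
        st = os.stat(path)
    except OSError:
        return False
    return _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def identity_of(username):
    """uid and full group set (primary plus supplementary) of a system account."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}

def check_slapd_tls_access(conf_text, uid, gids):
    """For each TLS file directive, report (path, readable) for the given identity."""
    return {d: (p, readable_by(p, uid, gids)) for d, p in tls_files_from_slapd_conf(conf_text).items()}
```

On a real box, `check_slapd_tls_access(open("/etc/ldap/slapd.conf").read(), *identity_of("openldap"))` lists which of the three files the daemon can open once it has dropped privileges; a False on the key file or a parent directory such as /etc/ldap/private is the first thing to rule out.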