[Pkg-openldap-devel] Bug#837341: libldap fails to connect to ldaps servers without the ca-certificates package installed

Tero Marttila tero.marttila at paivola.fi
Sat Sep 10 18:37:17 UTC 2016


Package: openldap
Version: 2.4.40+dfsg-1+deb8u2

The package libldap-2.4-2 ships a default configuration file for 
/etc/ldap/ldap.conf with the following:

> TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

It appears that libldap fails to connect to any ldaps servers if the 
ca-certificates.crt file is missing, even if using 'TLS_REQCERT allow'. 
Installing the ca-certificates package allows the connection to succeed.

> $ echo 'TLS_REQCERT allow' >> /etc/ldap/ldap.conf
> $ ldapsearch -H ldaps://ldap/ -x -D uid=postfix,cn=sysaccounts,cn=etc,dc=fixme,dc=fi -w 'asdf' uid=x
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> $ apt install ca-certificates
> ...
> $ ldapsearch -H ldaps://ldap/ -x -D uid=postfix,cn=sysaccounts,cn=etc,dc=fixme,dc=fi -w 'asdf' uid=x
> ldap_bind: Invalid credentials (49)

I originally ran into this when setting up a Dovecot server within a 
Docker container, where the debian:jessie base image does not have the 
ca-certificates package installed, leading to some difficult-to-debug 
errors:

> $ ldapsearch -H ldaps://ldap/ -x -D uid=postfix,cn=sysaccounts,cn=etc,dc=fixme,dc=fi -w 'asdf' uid=x
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> $ ldapsearch -H ldaps://ldap/ -x -D uid=postfix,cn=sysaccounts,cn=etc,dc=fixme,dc=fi -w 'asdf' uid=x -d 255
> ldap_url_parse_ext(ldaps://ldap/)
> ldap_create
> ldap_url_parse_ext(ldaps://ldap:636/??base)
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap:636
> ldap_new_socket: 4
> ldap_prepare_socket: 4
> ldap_connect_to_host: Trying 10.2.1.3:636
> ldap_pvt_connect: fd: 4 tm: -1 async: 0
> attempting to connect:
> connect success
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Where libldap does not even attempt to perform any SSL handshake:

> 21:02:24.925196 IP 172.17.0.7.53531 > 10.2.1.3.636: Flags [S], seq 2884225181, win 29200, options [mss 1460,sackOK,TS val 2056456265 ecr 0,nop,wscale 7], length 0
> 21:02:24.925699 IP 10.2.1.3.636 > 172.17.0.7.53531: Flags [S.], seq 4257908058, ack 2884225182, win 28960, options [mss 1460,sackOK,TS val 1581412247 ecr 2056456265,nop,wscale 7], length 0
> 21:02:24.925736 IP 172.17.0.7.53531 > 10.2.1.3.636: Flags [.], ack 1, win 229, options [nop,nop,TS val 2056456265 ecr 1581412247], length 0
> 21:02:24.928955 IP 172.17.0.7.53531 > 10.2.1.3.636: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 2056456266 ecr 1581412247], length 0
> 21:02:24.929761 IP 10.2.1.3.636 > 172.17.0.7.53531: Flags [.], ack 2, win 227, options [nop,nop,TS val 1581412252 ecr 2056456266], length 0
> 21:02:24.930484 IP 10.2.1.3.636 > 172.17.0.7.53531: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 1581412252 ecr 2056456266], length 0
> 21:02:24.930505 IP 172.17.0.7.53531 > 10.2.1.3.636: Flags [.], ack 2, win 229, options [nop,nop,TS val 2056456266 ecr 1581412252], length 0

Looking at strace, the missing TLS_CACERT file appears to be the cause:

> socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
> fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
> setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
> setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
> connect(4, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("10.2.1.3")}, 16) = 0
> close(3)                                = 0
> open("/dev/urandom", O_RDONLY)          = 3
> fcntl(3, F_GETFD)                       = 0
> fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
> fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
> getrusage(0x1 /* RUSAGE_??? */, {ru_utime={0, 0}, ru_stime={0, 8000}, ...}) = 0
> read(3, "\312\250\243\334\274\263,\243:\245\226\332f\235'\214\23\3417\206\235i\301\212\16?\360y\23\372\6\246", 32) = 32
> read(3, "U\243\221\4\2463\213\203\314[*r\250_6\345\2400\25\215\7:\vu\211 \22\363\322j\324\254", 32) = 32
> read(3, "\203%rS\3739\217_", 8)         = 8
> fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
> open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
> write(2, "ldap_sasl_bind(SIMPLE): Can't co"..., 55ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> ) = 55
> shutdown(4, SHUT_RDWR)                  = 0
> close(4)                                = 0
> close(3)                                = 0
> exit_group(-1) = ?

Further logs here:

> https://gist.github.com/SpComb/d4dcd44bca97fe2952a85833bccf7fc4

I suspect that the libldap package should have a Depends: on the 
ca-certificates package if this file is required for the correct 
operation of libldap?

  -- Tero Marttila
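
The failure reported above gives no hint that the CA bundle is the cause, so a container build can check for it up front. The following is an added example, not part of the original report or of OpenLDAP: a preflight check that reads TLS_CACERT from an ldap.conf-style file and confirms the bundle exists. The function names `ldap_conf_get` and `check_ldap_cacert` are hypothetical, the sample config is constructed, and the parsing rules (case-insensitive keywords, `#` comment lines, last occurrence wins, no whitespace in the path) are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the CA bundle named in ldap.conf.
# Only the given file is inspected; per-user files and environment
# overrides are out of scope here.

# Print the effective value of KEYWORD in FILE.
# Assumptions: keyword match is case-insensitive, lines starting with '#'
# are comments, and a later occurrence overrides an earlier one.
ldap_conf_get() {   # usage: ldap_conf_get FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == toupper(key) { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 if the configured bundle is usable,
#        1 if TLS_CACERT names a missing, unreadable or empty file,
#        2 if TLS_CACERT is not set in FILE.
check_ldap_cacert() {   # usage: check_ldap_cacert FILE
    conf=$1
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    if [ -z "$cacert" ]; then
        echo "$conf: TLS_CACERT not set"
        return 2
    fi
    if [ ! -r "$cacert" ] || [ ! -s "$cacert" ]; then
        echo "$conf: TLS_CACERT $cacert is missing, unreadable or empty"
        return 1
    fi
    echo "$conf: TLS_CACERT $cacert ok"
    return 0
}

# Demo on a constructed config mirroring the report: the bundle path is
# set and TLS_REQCERT is 'allow', but the bundle file does not exist.
demo=$(mktemp -d)
printf 'TLS_CACERT\t%s/ca-certificates.crt\nTLS_REQCERT allow\n' "$demo" \
    > "$demo/ldap.conf"
check_ldap_cacert "$demo/ldap.conf" || echo "exit status $?"
rm -rf "$demo"
```

In an image build this would be called as `check_ldap_cacert /etc/ldap/ldap.conf`, failing the build on a non-zero status.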


