On 02/19/10 11:51, Howard Chu wrote:
Brian A. Seklecki (CFI NOC) wrote:
Steve, I agree:
This error gets printed with "-1" under too many conditions. Just look at:

    libraries/libldap/tls2.c::ldap_pvt_tls_set_option()

RC Return Code -1 could happen in about a dozen places. I think we need to take a two-step approach to fixing this:

1) Long term, implement OpenSSL's err(3)
What are you talking about? tlso_report_error() already prints the OpenSSL error messages. All OpenSSL error messages have been fully logged, for years.
2) Short term, in servers/slapd/main.c:

    Debug( LDAP_DEBUG_ANY, "main: TLS init def ctx failed: %d\n", rc, 0, 0 );

We should change / append to this to clarify:

    if (rc < 0)
        Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n", rc, 0, 0 );
    if (rc > 0)
        Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we err(3) support\n", rc, 0, 0 );
Pointless, since all failures inside init_ctx already call tlso_report_error().
Great, however it doesn't change the fact that no meaningful error is being reported:
(slapd runs as the user ldap)

# chown root certs/ldap.key.pem
# ls -la certs/ldap.key.pem
-r--------  1 root  wheel  1679 Feb 19 18:29 certs/ldap.key.pem
# /usr/local/etc/rc.d/slapd start
Starting slapd.
Feb 19 18:36:45 slapd[85526]: @(#) $OpenLDAP: slapd 2.4.21 (Jan 11 2010 22:02:31) $ root@:/var/ports/usr/ports/net/openldap24-server/work/openldap-2.4.21/servers/slapd
Feb 19 18:36:45 slapd[85526]: line 33 (modulepath /usr/local/libexec/openldap)
Feb 19 18:36:45 slapd[85526]: line 34 (moduleload back_bdb)
Feb 19 18:36:45 slapd[85526]: loaded module back_bdb
Feb 19 18:36:45 slapd[85526]: module back_bdb: null module registered
Feb 19 18:36:45 slapd[85526]: line 35 (moduleload back_ldap)
Feb 19 18:36:45 slapd[85526]: loaded module back_ldap
Feb 19 18:36:45 slapd[85526]: module back_ldap: null module registered
Feb 19 18:36:45 slapd[85526]: line 38 (disallow bind_anon)
Feb 19 18:36:45 slapd[85526]: line 59 (database bdb)
Feb 19 18:36:45 slapd[85526]: line 60 (suffix "dc=xxxxxxxx,dc=com")
Feb 19 18:36:45 slapd[85526]: line 61 (rootdn "cn=xxx,dc=xxxxxxxx,dc=com")
Feb 19 18:36:45 slapd[85526]: line 66 (rootpw ***)
Feb 19 18:36:45 slapd[85526]: line 71 (TLSCipherSuite HIGH:MEDIUM:+SSLv2)
Feb 19 18:36:45 slapd[85526]: line 72 (TLSVerifyClient allow)
Feb 19 18:36:45 slapd[85526]: line 76 (TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem)
Feb 19 18:36:45 slapd[85526]: line 80 (TLSCertificateFile /usr/local/etc/openldap/certs/ldap.crt.pem)
Feb 19 18:36:45 slapd[85526]: line 81 (TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldap.key.pem)
Feb 19 18:36:45 slapd[85526]: line 86 (directory /var/db/openldap-data)
Feb 19 18:36:45 slapd[85526]: line 89 (index objectClass,entryCSN,entryUUID eq)
Feb 19 18:36:45 slapd[85526]: index objectClass 0x0004
Feb 19 18:36:45 slapd[85526]: index entryCSN 0x0004
Feb 19 18:36:45 slapd[85526]: index entryUUID 0x0004
Feb 19 18:36:45 slapd[85526]: main: TLS init def ctx failed: -1
Feb 19 18:36:45 slapd[85526]: slapd stopped.
Feb 19 18:36:45 slapd[85526]: connections_destroy: nothing to destroy.

# chown ldap certs/ldap.key.pem
# /usr/local/etc/rc.d/slapd start
Starting slapd.
Feb 19 18:37:49 slapd[85545]: @(#) $OpenLDAP: slapd 2.4.21 (Jan 11 2010 22:02:31) $ root@:/var/ports/usr/ports/net/openldap24-server/work/openldap-2.4.21/servers/slapd
Feb 19 18:37:49 slapd[85545]: line 33 (modulepath /usr/local/libexec/openldap)
Feb 19 18:37:49 slapd[85545]: line 34 (moduleload back_bdb)
Feb 19 18:37:49 slapd[85545]: loaded module back_bdb
Feb 19 18:37:49 slapd[85545]: module back_bdb: null module registered
Feb 19 18:37:49 slapd[85545]: line 35 (moduleload back_ldap)
Feb 19 18:37:49 slapd[85545]: loaded module back_ldap
Feb 19 18:37:49 slapd[85545]: module back_ldap: null module registered
Feb 19 18:37:49 slapd[85545]: line 38 (disallow bind_anon)
Feb 19 18:37:49 slapd[85545]: line 59 (database bdb)
Feb 19 18:37:49 slapd[85545]: line 60 (suffix "dc=xxxxxxxx,dc=com")
Feb 19 18:37:49 slapd[85545]: line 61 (rootdn "cn=xxx,dc=xxxxxxxx,dc=com")
Feb 19 18:37:49 slapd[85545]: line 66 (rootpw ***)
Feb 19 18:37:49 slapd[85545]: line 71 (TLSCipherSuite HIGH:MEDIUM:+SSLv2)
Feb 19 18:37:49 slapd[85545]: line 72 (TLSVerifyClient allow)
Feb 19 18:37:49 slapd[85545]: line 76 (TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem)
Feb 19 18:37:49 slapd[85545]: line 80 (TLSCertificateFile /usr/local/etc/openldap/certs/ldap.crt.pem)
Feb 19 18:37:49 slapd[85545]: line 81 (TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldap.key.pem)
Feb 19 18:37:49 slapd[85545]: line 86 (directory /var/db/openldap-data)
Feb 19 18:37:49 slapd[85545]: line 89 (index objectClass,entryCSN,entryUUID eq)
Feb 19 18:37:49 slapd[85545]: index objectClass 0x0004
Feb 19 18:37:49 slapd[85545]: index entryCSN 0x0004
Feb 19 18:37:49 slapd[85545]: index entryUUID 0x0004
Feb 19 18:37:50 slapd[85546]: bdb_db_open: "dc=xxxxxxxx,dc=com"
Feb 19 18:37:50 slapd[85546]: slapd starting
Feb 19 18:37:50 slapd[85546]: daemon: added 4r listener=0x0
Feb 19 18:37:50 slapd[85546]: daemon: added 6r listener=0x801839180
Feb 19 18:37:50 slapd[85546]: daemon: added 7r listener=0x801839240
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: activity on 1 descriptor
Feb 19 18:37:50 slapd[85546]: daemon: waked
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=7 active_threads=0 tvp=NULL
Any suggestions on getting these errors to actually print?
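The failure shown above is a key file that the unprivileged slapd user cannot read, which slapd only reports as "TLS init def ctx failed: -1". The following pre-flight check is an added example, not code from this thread or from OpenLDAP: it pulls the TLS*File directives out of slapd.conf text and applies the classic owner/group/other read-bit test for the service user's uid and gids (both supplied by the caller), so a permission problem is named before slapd is started.

```python
# Added example (not from the thread or OpenLDAP): pre-flight check that the
# TLS files named in slapd.conf are readable by the user slapd will run as.
import os
import stat

# The three slapd.conf directives that name files OpenSSL must open at startup.
TLS_FILE_DIRECTIVES = ("tlscacertificatefile", "tlscertificatefile",
                       "tlscertificatekeyfile")


def tls_files_from_conf(conf_text):
    """Return {directive: path} for the TLS*File directives in slapd.conf text."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)           # directive, then the rest of the line
        key = parts[0].lower()                # slapd.conf directives are case-insensitive
        if key in TLS_FILE_DIRECTIVES and len(parts) == 2:
            found[key] = parts[1].strip().strip('"')
    return found


def readable_by(st, uid, gids):
    """Unix read check: can uid (member of gids) read a file with stat result st?"""
    if uid == 0:                              # root bypasses mode bits
        return True
    if st.st_uid == uid:                      # owner class is checked first, and only it
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_files(conf_text, uid, gids):
    """Return [(directive, path, problem)] for every TLS file the service user cannot open.

    Only the file itself is checked; search permission on the parent directories
    is assumed to be in place.
    """
    problems = []
    for directive, path in tls_files_from_conf(conf_text).items():
        try:
            st = os.stat(path)
        except OSError as exc:                # missing file or unreadable path component
            problems.append((directive, path, str(exc)))
            continue
        if not readable_by(st, uid, gids):
            problems.append((directive, path, "mode %04o uid %d gid %d: not readable by uid %d"
                             % (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid)))
    return problems
```

Run it with the uid and supplementary gids of the ldap account (from pwd/grp) before starting slapd; an empty list means every TLS file is at least readable by that user.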