Steve, I agree:
This error gets printed with "-1" under too many conditions. Just look at: libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
RC Return Code -1 could happen in about a dozen places.
I think we need to take a two step approach to fixing this:
1) Long term, implement OpenSSL's err(3)
2) Short term, in servers/slapd/main.c:
Debug( LDAP_DEBUG_ANY, "main: TLS init def ctx failed: %d\n", rc, 0, 0 );
We should change / append to this to clarify:
if (rc < 0) Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n",rc,0,0);
if (rc > 0) Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we err(3) support\n",rc,0,0);
I will submit a patch.
~BAS
Brian A. Seklecki (CFI NOC) wrote:
> Steve, I agree:
> This error gets printed with "-1" under too many conditions. Just look at: libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
> RC Return Code -1 could happen in about a dozen places.
> I think we need to take a two step approach to fixing this:
> 1) Long term, implement OpenSSL's err(3)

What are you talking about? tlso_report_error() already prints the OpenSSL error messages. All OpenSSL error messages have been fully logged, for years.

> 2) Short term, in servers/slapd/main.c:
> Debug( LDAP_DEBUG_ANY, "main: TLS init def ctx failed: %d\n", rc, 0, 0 );
> We should change / append to this to clarify:
> if (rc < 0)
> Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n",rc,0,0);
> if (rc > 0)
> Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we err(3) support\n",rc,0,0);

Pointless, since all failures inside init_ctx already call tlso_report_error().
On 02/19/10 11:51, Howard Chu wrote:
> Brian A. Seklecki (CFI NOC) wrote:
>> Steve, I agree:
>> This error gets printed with "-1" under too many conditions. Just look at: libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
>> RC Return Code -1 could happen in about a dozen places.
>> I think we need to take a two step approach to fixing this:
>> 1) Long term, implement OpenSSL's err(3)
>
> What are you talking about? tlso_report_error() already prints the OpenSSL error messages. All OpenSSL error messages have been fully logged, for years.
>
>> 2) Short term, in servers/slapd/main.c:
>> Debug( LDAP_DEBUG_ANY, "main: TLS init def ctx failed: %d\n", rc, 0, 0 );
>> We should change / append to this to clarify:
>> if (rc < 0)
>> Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n",rc,0,0);
>> if (rc > 0)
>> Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we err(3) support\n",rc,0,0);
>
> Pointless, since all failures inside init_ctx already call tlso_report_error().
Great, however it doesn't change the fact that no meaningful error is being reported:
(slapd runs as the user ldap)
# chown root certs/ldap.key.pem
# ls -la certs/ldap.key.pem
-r-------- 1 root wheel 1679 Feb 19 18:29 certs/ldap.key.pem
# /usr/local/etc/rc.d/slapd start
Starting slapd.
Feb 19 18:36:45 slapd[85526]: @(#) $OpenLDAP: slapd 2.4.21 (Jan 11 2010 22:02:31) $ root@:/var/ports/usr/ports/net/openldap24-server/work/openldap-2.4.21/servers/slapd
Feb 19 18:36:45 slapd[85526]: line 33 (modulepath /usr/local/libexec/openldap)
Feb 19 18:36:45 slapd[85526]: line 34 (moduleload back_bdb)
Feb 19 18:36:45 slapd[85526]: loaded module back_bdb
Feb 19 18:36:45 slapd[85526]: module back_bdb: null module registered
Feb 19 18:36:45 slapd[85526]: line 35 (moduleload back_ldap)
Feb 19 18:36:45 slapd[85526]: loaded module back_ldap
Feb 19 18:36:45 slapd[85526]: module back_ldap: null module registered
Feb 19 18:36:45 slapd[85526]: line 38 (disallow bind_anon)
Feb 19 18:36:45 slapd[85526]: line 59 (database bdb)
Feb 19 18:36:45 slapd[85526]: line 60 (suffix "dc=xxxxxxxx,dc=com")
Feb 19 18:36:45 slapd[85526]: line 61 (rootdn "cn=xxx,dc=xxxxxxxx,dc=com")
Feb 19 18:36:45 slapd[85526]: line 66 (rootpw ***)
Feb 19 18:36:45 slapd[85526]: line 71 (TLSCipherSuite HIGH:MEDIUM:+SSLv2)
Feb 19 18:36:45 slapd[85526]: line 72 (TLSVerifyClient allow)
Feb 19 18:36:45 slapd[85526]: line 76 (TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem)
Feb 19 18:36:45 slapd[85526]: line 80 (TLSCertificateFile /usr/local/etc/openldap/certs/ldap.crt.pem)
Feb 19 18:36:45 slapd[85526]: line 81 (TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldap.key.pem)
Feb 19 18:36:45 slapd[85526]: line 86 (directory /var/db/openldap-data)
Feb 19 18:36:45 slapd[85526]: line 89 (index objectClass,entryCSN,entryUUID eq)
Feb 19 18:36:45 slapd[85526]: index objectClass 0x0004
Feb 19 18:36:45 slapd[85526]: index entryCSN 0x0004
Feb 19 18:36:45 slapd[85526]: index entryUUID 0x0004
Feb 19 18:36:45 slapd[85526]: main: TLS init def ctx failed: -1
Feb 19 18:36:45 slapd[85526]: slapd stopped.
Feb 19 18:36:45 slapd[85526]: connections_destroy: nothing to destroy.

# chown ldap certs/ldap.key.pem
# /usr/local/etc/rc.d/slapd start
Starting slapd.
Feb 19 18:37:49 slapd[85545]: @(#) $OpenLDAP: slapd 2.4.21 (Jan 11 2010 22:02:31) $ root@:/var/ports/usr/ports/net/openldap24-server/work/openldap-2.4.21/servers/slapd
Feb 19 18:37:49 slapd[85545]: line 33 (modulepath /usr/local/libexec/openldap)
Feb 19 18:37:49 slapd[85545]: line 34 (moduleload back_bdb)
Feb 19 18:37:49 slapd[85545]: loaded module back_bdb
Feb 19 18:37:49 slapd[85545]: module back_bdb: null module registered
Feb 19 18:37:49 slapd[85545]: line 35 (moduleload back_ldap)
Feb 19 18:37:49 slapd[85545]: loaded module back_ldap
Feb 19 18:37:49 slapd[85545]: module back_ldap: null module registered
Feb 19 18:37:49 slapd[85545]: line 38 (disallow bind_anon)
Feb 19 18:37:49 slapd[85545]: line 59 (database bdb)
Feb 19 18:37:49 slapd[85545]: line 60 (suffix "dc=xxxxxxxx,dc=com")
Feb 19 18:37:49 slapd[85545]: line 61 (rootdn "cn=xxx,dc=xxxxxxxx,dc=com")
Feb 19 18:37:49 slapd[85545]: line 66 (rootpw ***)
Feb 19 18:37:49 slapd[85545]: line 71 (TLSCipherSuite HIGH:MEDIUM:+SSLv2)
Feb 19 18:37:49 slapd[85545]: line 72 (TLSVerifyClient allow)
Feb 19 18:37:49 slapd[85545]: line 76 (TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem)
Feb 19 18:37:49 slapd[85545]: line 80 (TLSCertificateFile /usr/local/etc/openldap/certs/ldap.crt.pem)
Feb 19 18:37:49 slapd[85545]: line 81 (TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldap.key.pem)
Feb 19 18:37:49 slapd[85545]: line 86 (directory /var/db/openldap-data)
Feb 19 18:37:49 slapd[85545]: line 89 (index objectClass,entryCSN,entryUUID eq)
Feb 19 18:37:49 slapd[85545]: index objectClass 0x0004
Feb 19 18:37:49 slapd[85545]: index entryCSN 0x0004
Feb 19 18:37:49 slapd[85545]: index entryUUID 0x0004
Feb 19 18:37:50 slapd[85546]: bdb_db_open: "dc=xxxxxxxx,dc=com"
Feb 19 18:37:50 slapd[85546]: slapd starting
Feb 19 18:37:50 slapd[85546]: daemon: added 4r listener=0x0
Feb 19 18:37:50 slapd[85546]: daemon: added 6r listener=0x801839180
Feb 19 18:37:50 slapd[85546]: daemon: added 7r listener=0x801839240
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: activity on 1 descriptor
Feb 19 18:37:50 slapd[85546]: daemon: waked
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=7 active_threads=0 tvp=NULL
Any suggestions on getting these errors to actually print?
> Any suggestions on getting these errors to actually print?

$ slapd -d stats
@(#) $OpenLDAP: slapd 2.X (Feb 12 2010 08:50:42) $ masarati@mbdyn-nb.aero.polimi.it:/home/masarati/Lavoro/masarati/Ldap/ldap-devel/servers/slapd
TLS: could not use certificate `noaccess/cert.crt'.
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:352
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib ssl_rsa.c:470
main: TLS init def ctx failed: -1
slapd stopped.
connections_destroy: nothing to destroy.
Something like this?
p.
On 2/19/2010 4:03 PM, masarati@aero.polimi.it wrote:
>> Any suggestions on getting these errors to actually print?
>
> $ slapd -d stats
> @(#) $OpenLDAP: slapd 2.X (Feb 12 2010 08:50:42) $ masarati@mbdyn-nb.aero.polimi.it:/home/masarati/Lavoro/masarati/Ldap/ldap-devel/servers/slapd
> TLS: could not use certificate `noaccess/cert.crt'.
> TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:352
> TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354
> TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib ssl_rsa.c:470
> main: TLS init def ctx failed: -1
> slapd stopped.
> connections_destroy: nothing to destroy.
>
> Something like this?
>
> p.
Thank you. This is exactly what I was looking for. The problem in my case is that these errors go to stdout and are not logged via syslog. Even with full debugging turned on, you will see no such errors printed to logs, although all the other data is. This doesn't jibe well with many systems in which the daemons are started via scripts (FreeBSD / NetBSD rc.d, Linux init.d) in which daemon output to stdout is often lost.
> Brian A. Seklecki (CFI NOC) wrote:
>> Steve, I agree:
>> This error gets printed with "-1" under too many conditions. Just look at: libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
>> RC Return Code -1 could happen in about a dozen places.
>> I think we need to take a two step approach to fixing this:
>> 1) Long term, implement OpenSSL's err(3)
>
> What are you talking about? tlso_report_error() already prints the OpenSSL error messages. All OpenSSL error messages have been fully logged, for years.
I think I see the issue: tlso_report_error() uses libldap's Debug(), which does not hit syslog. We only see TLS logs with -d stats.
p.
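A pre-flight check for the failure mode discussed in this thread, added here as an illustration and not part of OpenLDAP or of anyone's post above: it pulls the TLS*File directives out of a slapd.conf and reports whether the user slapd runs as can read each file, judging from the owner, group and mode bits that `ls -l` shows (the same information the chown/ls output above turned on). It assumes a slapd.conf-style configuration rather than cn=config, a POSIX sh, and does not evaluate filesystem ACLs; the script name and the "ldap" run-as user are examples.

```shell
#!/bin/sh
# Pre-flight check for slapd TLS file access. Added example, not OpenLDAP code.
# Usage: sh slapd-tls-preflight.sh /usr/local/etc/openldap/slapd.conf ldap
# Assumes a slapd.conf-style config (not cn=config), one path per directive,
# and judges readability from owner/group/mode bits only (no ACL evaluation).

# Print "<directive> <path>" for every TLS file directive in config $1.
# Directive names in slapd.conf are case-insensitive, hence tolower().
tls_files_in_conf() {
    awk 'tolower($1) ~ /^tls(ca)?certificate(key)?file$/ { print $1, $2 }' "$1"
}

# Return 0 if user $2 can read file $1 according to the mode bits,
# 1 if not, 2 if the file is missing. Uses the same "ls -l" fields an
# operator looks at by hand: mode ($1), owner ($3), group ($4).
user_can_read() {
    f=$1; u=$2
    [ -e "$f" ] || return 2
    if [ "$u" = root ]; then return 0; fi
    set -- $(ls -ld "$f")
    mode=$1; owner=$3; group=$4
    # owner read bit (2nd char of the mode string)
    case $mode in ?r*) if [ "$owner" = "$u" ]; then return 0; fi ;; esac
    # group read bit (5th char): user must be a member of the file's group
    case $mode in
        ????r*)
            for g in $(id -Gn "$u" 2>/dev/null); do
                if [ "$g" = "$group" ]; then return 0; fi
            done ;;
    esac
    # other read bit (8th char)
    case $mode in ???????r*) return 0 ;; esac
    return 1
}

# Check every TLS file named in config $1 against run-as user $2.
# Prints one verdict per file; returns 0 only if all are readable.
check_tls_files() {
    conf=$1; user=$2; bad=0
    set -- $(tls_files_in_conf "$conf")
    while [ $# -ge 2 ]; do
        st=0
        user_can_read "$2" "$user" || st=$?
        case $st in
            0) echo "ok       $1 $2" ;;
            1) echo "DENIED   $1 $2 (not readable by $user: slapd will only log 'TLS init def ctx failed: -1')"; bad=1 ;;
            2) echo "MISSING  $1 $2"; bad=1 ;;
        esac
        shift 2
    done
    return $bad
}

if [ $# -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

Run it before starting slapd from rc.d; a DENIED line is the "fopen: Permission denied" that the syslog output hides behind "-1". To see the OpenSSL error text itself, start slapd in the foreground with `-d stats` as in the output earlier in the thread, since that is where tlso_report_error()'s messages go.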
openldap-software@openldap.org