openldap-technical August 2009

openldap-technical@openldap.org

65 participants
73 discussions

ldap PDC -- Failed to issue the StartTLS instruction
by Ivan Ordonez 04 Aug '09

04 Aug '09

Hello, We've been using an ldap based PDC from quite a while. Now we're suddenly having trouble getting our main fileserver to talk with the PDC. samba-3.2.13 on solaris 10. Here is our smb.conf global defs: Server role: ROLE_DOMAIN_MEMBER [global] workgroup = CNRDOM server string = nature (Samba %v) security = DOMAIN passdb backend = ldapsam:ldaps://169.229.xxx.yyy log level = 5 log file = /var/log/samba/log.%m name resolve order = wins host lmhosts os level = 65 local master = No domain master = No dns proxy = No wins support = Yes ldap ssl = start tls When we start up samba, we see many lines like these in log.smbd: [2009/08/03 15:40:40, 1] lib/smbldap.c:another_ldap_try(1170) Connection to LDAP server failed for the 4 try! and these: [2009/08/03 15:51:56, 0] lib/smbldap.c:smb_ldap_start_tls(595) Failed to issue the StartTLS instruction: Can't contact LDAP server [2009/08/03 15:51:56, 5] lib/smbldap.c:smbldap_search_ext(1199) smbldap_search_ext: base => [], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-22-1-97)(sambaSIDList=S-1-22-2-97)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)))], scope => [2] [2009/08/03 15:51:56, 5] lib/smbldap.c:smbldap_close(1103) The connection to the LDAP server was closed But over on the PDC (gentoo linux 2.6.29, samba-3.2.13 , openldap-2.4.27) we see this in tcpdump: $ tcpdump -vv -c 4 port ldaps tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 15:51:29.736629 IP (tos 0x0, ttl 61, id 60609, offset 0, flags [DF], proto TCP (6), length 52) nature.Berkeley.EDU.56299 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0x6a18 (correct), 1637042825:1637042825(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK> 15:51:29.736651 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56299: R, cksum 0x6c68 (correct), 0:0(0) ack 1637042826 win 0 15:51:30.746803 IP (tos 0x0, ttl 61, id 60610, offset 0, flags [DF], proto TCP (6), length 52) nature.Berkeley.EDU.56302 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0xa6d9 (correct), 2235230749:2235230749(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK> 15:51:30.746827 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56302: R, cksum 0xa929 (correct), 0:0(0) ack 2235230750 win 0 It appears that there is indeed an ldaps conversation going on. We created new certificate on the PDC to see if certificate is the problem to no avail. Same message, and same problem. We disable firewall on the PDC as well and make sure that LDAP ports are all open. The Solaris 10 machine (ROLE_DOMAIN_MEMBER) and the PDC are on two different subnets. We're hoping someone will recognize this behavior and reveal our mistake to us. Or perhaps point out where we should check/debug/RTFM next.

2 3

olcDbConfig: value #14 provided more than once
by Matthew Edlefsen 03 Aug '09

03 Aug '09

Hello, I'm trying to do multi-master replication and after following the directions in the User Guide I came across the error: Aug 3 20:21:38 gabbro slapd[81578]: syncrepl_message_to_entry: rid=001 mods check (olcDbConfig: value #14 provided more than once) This is from the logs when it is syncing the cn=config tree. The especially odd thing about this error is that olcDbConfig is one of the numbered entries (the ones with {#} prepending each value), not to mention that the line is question is blank. This isn't the first time I've encountered this error when trying to do this type of thing (alas, I never got around to trying to fix it before :) ), so I'm hoping that means either I'm doing something obviously wrong or somebody has seen this before. Both servers are freebsd jails running FreeBSD 7.2 Stable. Here are some of the relevant configs. These are not the full entries, just the important bits. They are identical on both servers and they do sync parts of the config (everything up to the value that fails). dn: cn=config olcServerID: 1 ldap://rock.earlham.edu/ olcServerID: 2 ldap://gabbro.earlham.edu/ dn: olcDatabase={0}config,cn=config olcSyncrepl: {0}rid=001 provider=dap://rock.earlham.edu/ binddn="<snip>" bindmethod=simple credentials=<snip> searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {1}rid=002 provider=ldap://gabbro.earlham.edu/ binddn="<snip>" bindmethod=simple credentials=<snip> searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcMirrorMode: TRUE olcOverlay={0}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcDatabase={1}bdb,cn=config olcDbConfig: {0}# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.3.2.4 2007/12/18 11:53:27 ghenry Exp $ olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases. olcDbConfig: {2}# olcDbConfig: {3}# See the Oracle Berkeley DB documentation olcDbConfig: {4}# <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_co…> olcDbConfig: {5}# for detail description of DB_CONFIG syntax and semantics. olcDbConfig: {6}# olcDbConfig: {7}# Hints can also be found in the OpenLDAP Software FAQ olcDbConfig: {8}# <http://www.openldap.org/faq/index.cgi?file=2> olcDbConfig: {9}# in particular: olcDbConfig: {10}# <http://www.openldap.org/faq/index.cgi?file=1075> olcDbConfig: {11} olcDbConfig: {12}# Note: most DB_CONFIG settings will take effect only upon rebuilding olcDbConfig: {13}# the DB environment. olcDbConfig: {14} olcDbConfig: {15}# one 1 GB cache olcDbConfig: {16}set_cachesize 0 1073741824 1 olcDbConfig: {17} olcDbConfig: {18}# Data Directory olcDbConfig: {19}#set_data_dir db olcDbConfig: {20} olcDbConfig: {21}# Transaction Log settings olcDbConfig: {22}set_lg_regionmax 262144 olcDbConfig: {23}set_lg_bsize 104857600 olcDbConfig: {24}set_lk_max_locks 100000 olcDbConfig: {25}#set_lg_dir logs olcDbConfig: {26} olcDbConfig: {27}# Note: special DB_CONFIG flags are no longer needed for "quick" olcDbConfig: {28}# slapadd(8) or slapindex(8) access (see their -q option). Thanks! Matt Edlefsen Earlham College

5 8

slapd + TLS + SAMBA
by Alessandro Baggi 02 Aug '09

02 Aug '09

Hi there. I've another problem with TLS slapd and samba. For each operation with slapd (ldapsearch -x -ZZ, getent, or samba tls connection) I receive from slapd: Aug 2 11:31:05 PDC slapd[1709]: connection_read(23): unable to get TLS client DN, error=49 id=4 What's the problem? My certificate? Certificate's creation is: /usr/lib/ssl/misc/CA.pl -newca openssl req -newkey rsa:1024 -nodes -keyout key.pem -out newreq.pem /usr/lib/ssl/misc/CA.pl -sign Then another problem is when I start slapd on the boot, after slapd startup, samba , that try to connect to ldap with tls, could not connect to slapd and give me: 2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26) [LDAP] ldap_parse_extended_result [2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26) [LDAP] ldap_parse_result [2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26) [LDAP] ldap_msgfree [2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26) [LDAP] TLS: can't connect: Error in the push function.. [2009/08/01 17:45:15, 0] lib/smbldap.c:smb_ldap_start_tls(596) [2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26) [LDAP] ldap_err2string Failed to issue the StartTLS instruction: Connect error This only if I put in slapd.conf TLSClientVerify demand, if I put TLSClientVerify never, samba connect to it, under TLS without problems. Another issue is that, if i run slapd on startup and run samba after login with /etc/init.d/samba start, it makes the connection successfully without error. In the same script of slapd boot I set an "ldapsearch -x -ZZ -d -1" I receive: TLS: can't connect: Error in the push function.. the same of samba. Anyone has ideas? The problem is in certificates? thanks in advance

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2009