It took me quite some time to figure out a small configuration error (concerning ldapi:// "confidentiality required") and I just want to let you know about it and possibly save you some time during your next debugging session:
Security strength factor "olcSecurity: ..." values that differ between cn=config.ldif and, for example, cn=config/olcDatabase={-1}frontend.ldif might lead to strange ldapi-related "confidentiality required" effects that temporarily disappear right after an online re-configuration (via cn=config), but reappear right after any slapd restart...
Disclaimer: The cause of the problem (differing database-specific olcSecurity values in cn=config) is the result of a mis-configuration and doesn't seem to be a general slapd problem, but as we are all able to (mis-)configure slapd online via cn=config, it's possibly of common interest. ;-) Only in case there's no need for this kind of difference (for any special slapd configuration scenario), could slapd perhaps detect them and inform the user about it?
After re-aligning the olcSecurity settings of cn=config.ldif and cn=config/olcDatabase={-1}frontend.ldif, the following strange behavior disappeared and slapd runs and answers fine, even after a restart.
slapd version: CVS HEAD
1.) empty database directory:
root@tingletangle:/usr/local/openldap/etc/openldap# ls -al /usr/local/openldap/var/openldap-data/foo.bar/*
-rw-r--r-- 1 openldap openldap 368 Jun 17 22:50 /usr/local/openldap/var/openldap-data/foo.bar/DB_CONFIG

2.) relevant slapd.d's content:
root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcSec slapd.d/
slapd.d/cn=config.ldif:olcSecurity: simple_bind=128
slapd.d/cn=config.ldif:olcSecurity: ssf=128
slapd.d/cn=config.ldif:olcSecurity: tls=0
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: ssf=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: tls=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: update_ssf=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: simple_bind=128
slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:59 NAME 'olcSecurity' EQUALITY caseIgnoreMatch
slapd.d/cn=config/cn=schema.ldif: ontUseCopyIgnore $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity
slapd.d/cn=config/cn=schema.ldif: cRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: ssf=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: tls=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: update_ssf=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: simple_bind=128

root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcLocal slapd.d/
slapd.d/cn=config.ldif:olcLocalSSF: 128
slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:26 NAME 'olcLocalSSF' SYNTAX OMsInteger SINGLE-
slapd.d/cn=config/cn=schema.ldif: p $ olcIndexIntLen $ olcLocalSSF $ olcLogFile $ olcLogLevel $ olcPasswordCryp

root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcSaslSecProps slapd.d/
slapd.d/cn=config.ldif:olcSaslSecProps: noplain,noanonymous
slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:56 NAME 'olcSaslSecProps' SYNTAX OMsDirectorySt
slapd.d/cn=config/cn=schema.ldif: ontUseCopyIgnore $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity

summary (cn=config.ldif):
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous

summary (olcDatabase={-1}frontend.ldif and olcDatabase={1}monitor.ldif):
olcSecurity: ssf=128
olcSecurity: tls=128
olcSecurity: update_ssf=128
olcSecurity: simple_bind=128
So, now let's have some fun with the above configuration, especially with points 8.), 12.), 14.), 22.) and 23.):
3.) populate slapd's database (data + cn=config) and index the data:
/usr/local/openldap/sbin/slapadd -v -F slapd.d -b "dc=foo,dc=bar" -l dump-dc=foo,dc=bar-20100718.ldif
/usr/local/openldap/sbin/slapindex -v -F slapd.d -b "dc=foo,dc=bar"
chown -R openldap:openldap /usr/local/openldap

4.) start slapd:
/usr/local/openldap/libexec/slapd \
  -F /usr/local/openldap/etc/openldap/slapd.d \
  -u openldap -g openldap \
  -l local4 \
  -h "ldaps://0.0.0.0:636/ ldap://0.0.0.0:389 ldapi:/// ldap://[::]:389/ ldaps://[::]:636/"

5.) check whether slapd is running:
root@tingletangle:/usr/local/openldap/etc/openldap# ps -ef | grep slapd | grep -v grep
openldap  1605     1  1 23:43 ?        00:00:00 /usr/local/openldap/libexec/slapd -F /usr/local/openldap/etc/openldap/slapd.d -u openldap -g openldap -l local4 -h ldaps://0.0.0.0:636/ ldap://0.0.0.0:389 ldapi:/// ldap://[::]:389/ ldaps://[::]:636/

6.) check slapd's listeners:
root@tingletangle:/usr/local/openldap/etc/openldap# netstat -nap | grep slapd
tcp        0      0 0.0.0.0:389     0.0.0.0:*       LISTEN      1605/slapd
tcp        0      0 0.0.0.0:636     0.0.0.0:*       LISTEN      1605/slapd
tcp6       0      0 :::389          :::*            LISTEN      1605/slapd
tcp6       0      0 :::636          :::*            LISTEN      1605/slapd
unix  2      [ ACC ]     STREAM     LISTENING     4730     1605/slapd   /usr/local/openldap/var/run/ldapi
unix  2      [ ]         DGRAM                    4724     1605/slapd
7.) check cn=config's content:

7a1.) ldapsearch cn=config (ldapi:// without -Z):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required

7a2.) ldapsearch cn=config (ldap:// without -Z):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldap://localhost -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required

7b1.) ldapsearch cn=config (ldapi:// with -Z):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base -Z olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

7b2.) ldapsearch cn=config (ldap:// with -Z):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldap://localhost -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base -Z olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
8.) change "olcSecurity: tls=0" into "olcSecurity: tls=1":
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapmodify -v -a -x -H ldap://localhost -D "cn=ldapmanager,cn=config" -W -Z -f tls_modify_0-1.ldif
ldap_initialize( ldap://localhost:389/??base )
Enter LDAP Password:
delete olcSecurity:
        tls=0
add olcSecurity:
        tls=1
modifying entry "cn=config"
modify complete

9.) check whether the modify indeed completed:
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldap://localhost -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base -Z olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
10.) ldapsearch cn=config (ldapi:// without -Z):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required

11.) ldapsearch cn=config (ldapi:// with -Z):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base -Z olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
12.) change "olcSecurity: tls=1" back into "olcSecurity: tls=0":
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapmodify -v -a -x -H ldap://localhost -D "cn=ldapmanager,cn=config" -W -Z -f tls_modify_1-0.ldif
ldap_initialize( ldap://localhost:389/??base )
Enter LDAP Password:
delete olcSecurity:
        tls=1
add olcSecurity:
        tls=0
modifying entry "cn=config"
modify complete

13.) check whether the modify indeed completed:
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldap://localhost -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base -Z olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
14.) ldapsearch cn=config (ldapi:// without -Z now seems to work?!):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

15.) ldapsearch cn=config (ldapi:// with -Z):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base -Z olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
16.) killall slapd:
root@tingletangle:/usr/local/openldap/etc/openldap# killall slapd
root@tingletangle:/usr/local/openldap/etc/openldap# ps -ef | grep slap
root      1650  1525  0 00:01 pts/0    00:00:00 grep slap

17.) re-check relevant slapd.d's content:
root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcSec slapd.d/
slapd.d/cn=config.ldif:olcSecurity: simple_bind=128
slapd.d/cn=config.ldif:olcSecurity: ssf=128
slapd.d/cn=config.ldif:olcSecurity: tls=0
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: ssf=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: tls=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: update_ssf=128
slapd.d/cn=config/olcDatabase={1}monitor.ldif:olcSecurity: simple_bind=128
slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:59 NAME 'olcSecurity' EQUALITY caseIgnoreMatch
slapd.d/cn=config/cn=schema.ldif: ontUseCopyIgnore $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity
slapd.d/cn=config/cn=schema.ldif: cRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: ssf=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: tls=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: update_ssf=128
slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcSecurity: simple_bind=128

root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcLocal slapd.d/
slapd.d/cn=config.ldif:olcLocalSSF: 128
slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:26 NAME 'olcLocalSSF' SYNTAX OMsInteger SINGLE-
slapd.d/cn=config/cn=schema.ldif: p $ olcIndexIntLen $ olcLocalSSF $ olcLogFile $ olcLogLevel $ olcPasswordCryp

root@tingletangle:/usr/local/openldap/etc/openldap# grep -r olcSaslSecProps slapd.d/
slapd.d/cn=config.ldif:olcSaslSecProps: noplain,noanonymous
slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgGlAt:56 NAME 'olcSaslSecProps' SYNTAX OMsDirectorySt
slapd.d/cn=config/cn=schema.ldif: ontUseCopyIgnore $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity

summary (cn=config.ldif):
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous

summary (olcDatabase={-1}frontend.ldif):
olcSecurity: ssf=128
olcSecurity: tls=128
olcSecurity: update_ssf=128
olcSecurity: simple_bind=128
18.) re-start slapd:
/usr/local/openldap/libexec/slapd \
  -F /usr/local/openldap/etc/openldap/slapd.d \
  -u openldap -g openldap \
  -l local4 \
  -h "ldaps://0.0.0.0:636/ ldap://0.0.0.0:389 ldapi:/// ldap://[::]:389/ ldaps://[::]:636/"

19.) check whether slapd is running:
root@tingletangle:/usr/local/openldap/etc/openldap# ps -ef | grep slapd | grep -v grep
openldap  1656     1  1 00:07 ?        00:00:00 /usr/local/openldap/libexec/slapd -F /usr/local/openldap/etc/openldap/slapd.d -u openldap -g openldap -l local4 -h ldaps://0.0.0.0:636/ ldap://0.0.0.0:389 ldapi:/// ldap://[::]:389/ ldaps://[::]:636/

20.) check slapd's listeners:
root@tingletangle:/usr/local/openldap/etc/openldap# netstat -npa | grep slapd
tcp        0      0 0.0.0.0:389     0.0.0.0:*       LISTEN      1656/slapd
tcp        0      0 0.0.0.0:636     0.0.0.0:*       LISTEN      1656/slapd
tcp6       0      0 :::389          :::*            LISTEN      1656/slapd
tcp6       0      0 :::636          :::*            LISTEN      1656/slapd
unix  2      [ ACC ]     STREAM     LISTENING     5292     1656/slapd   /usr/local/openldap/var/run/ldapi
unix  2      [ ]         DGRAM                    5286     1656/slapd

21.) ldapsearch cn=config (ldapi:// without -Z):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required
22.) ldapmodify cn=config olcSecurity: tls=0 --> tls=1 --> tls=0:
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapmodify -v -a -x -H ldap://localhost -D "cn=ldapmanager,cn=config" -W -Z -f tls_modify_0-1-0.ldif
ldap_initialize( ldap://localhost:389/??base )
Enter LDAP Password:
delete olcSecurity:
        tls=0
add olcSecurity:
        tls=1
delete olcSecurity:
        tls=1
add olcSecurity:
        tls=0
modifying entry "cn=config"
modify complete

23.) ldapsearch cn=config (ldapi:// without -Z now works again until the next slapd restart):
root@tingletangle:/usr/local/openldap/etc/openldap# /usr/local/openldap/bin/ldapsearch -x -H ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi -D "cn=ldapmanager,cn=config" -W -b 'cn=config' -s base olcSecurity olcSaslSecProps olcLocalSSF
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: olcSecurity olcSaslSecProps olcLocalSSF
#

# config
dn: cn=config
olcLocalSSF: 128
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
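As an added example (not part of the original post), the following POSIX shell script checks a slapd.d tree for exactly the kind of drift shown in steps 2 and 17: every olcSecurity key in a per-database file (olcDatabase={-1}frontend.ldif, olcDatabase={1}monitor.ldif, ...) is compared against the value in cn=config.ldif, so the mismatch is reported before a restart brings the "TLS confidentiality required" error back. The sample slapd.d it can build is constructed from the values in the grep output above; the function names and messages are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: detect olcSecurity values that
# differ between cn=config.ldif and the per-database files under slapd.d.

# check_olcsecurity_drift DIR
#   DIR is a slapd.d directory. Prints one line per database file and key whose
#   olcSecurity value differs from, or is missing in, cn=config.ldif.
#   Returns 0 when everything is aligned, 1 on drift, 2 when DIR is unusable.
check_olcsecurity_drift() {
    dir=$1
    global="$dir/cn=config.ldif"
    [ -f "$global" ] || { echo "missing $global" >&2; return 2; }
    found=0
    for db in "$dir"/cn=config/olcDatabase=*.ldif; do
        [ -f "$db" ] || continue
        # every olcSecurity value has the form key=value (ssf=128, tls=0, ...)
        for pair in $(sed -n 's/^olcSecurity: //p' "$db"); do
            key=${pair%%=*}
            dbval=${pair#*=}
            gval=$(sed -n "s/^olcSecurity: $key=//p" "$global")
            if [ -z "$gval" ]; then
                echo "$(basename "$db"): $key=$dbval (not set in cn=config.ldif)"
                found=1
            elif [ "$gval" != "$dbval" ]; then
                echo "$(basename "$db"): $key=$dbval differs from cn=config.ldif $key=$gval"
                found=1
            fi
        done
    done
    return $found
}

# make_sample_slapd_d DIR
#   Writes a constructed, minimal slapd.d reproducing the mismatch shown in the
#   post (global tls=0 versus frontend tls=128 and update_ssf=128).
make_sample_slapd_d() {
    mkdir -p "$1/cn=config"
    printf 'dn: cn=config\nolcSecurity: simple_bind=128\nolcSecurity: ssf=128\nolcSecurity: tls=0\nolcLocalSSF: 128\n' \
        > "$1/cn=config.ldif"
    printf 'dn: olcDatabase={-1}frontend\nolcSecurity: ssf=128\nolcSecurity: tls=128\nolcSecurity: update_ssf=128\nolcSecurity: simple_bind=128\n' \
        > "$1/cn=config/olcDatabase={-1}frontend.ldif"
}

# Usage: sh this_script.sh /usr/local/openldap/etc/openldap/slapd.d
if [ $# -eq 1 ]; then
    check_olcsecurity_drift "$1"
fi
```

Run it against the real slapd.d after every online change to cn=config (and before any restart); an exit status of 1 means the on-disk per-database values will win again at the next start.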