Hi all,
I'm using openldap-2.4.31 compiled with gnutls25 on Raspbmc (pre-compiled by the distribution) and I'm trying to make ldap+StartTls work with ldapsearch (simple ldap:// works like a charm).
After hitting the issue described at [1], I've decided to use a self-signed CA cert generated with certtool, as described in [2]. This allowed me to establish the TLS connection. However, the client still sends the bind in clear text, then the server closes the connection.
The slapd.conf file is below (comments stripped; the client has the same CACert and cipher suites):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -1
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
TLSCACertificateFile /etc/ldap/certs/selfsign/ca-cert.pem
TLSCertificateKeyFile /etc/ldap/certs/selfsign/key.pem
TLSCertificateFile /etc/ldap/certs/selfsign/cert.pem
TLSCipherSuite NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+COMP-ALL:+AES-256-CBC:+CAMELLIA-256-CBC:+RSA:+SHA1:+SHA256
TLSVerifyClient never
The client output:
root@argyle:/home/pi# ldapsearch -x -H ldap://127.0.0.1 -Z -b 'dc=strainu,dc=ro' -Dcn=admin,dc=strainu,dc=ro -w bla
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)
ldap_result: Can't contact LDAP server (-1)
And finally the server output:
root@argyle:/etc/ldap# /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d -1
53923fb1 @(#) $OpenLDAP: slapd  (Apr 24 2013 17:35:25) $
        buildd@build07.raspbian.lan:/build/openldap-nxJLrU/openldap-2.4.31/debian/build/servers/slapd

ldap_pvt_gethostbyname_a: host=argyle, r=0
53923fb1 daemon_init: <null>
53923fb1 daemon_init: listen on ldap:///
53923fb1 daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
53923fb1 daemon: listener initialized ldap:///
53923fb1 daemon_init: 2 listeners opened
ldap_create
53923fb1 slapd init: initiated server.
[...]
53923ffe connection_read(12): unable to get TLS client DN, error=49 id=1000
53923ffe conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
53923ffe daemon: activity on 1 descriptor
53923ffe daemon: activity on:53923ffe
53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
53923ffe daemon: activity on 1 descriptor
53923ffe daemon: activity on:53923ffe  12r53923ffe
53923ffe daemon: read active on 12
53923ffe connection_get(12)
53923ffe connection_get(12): got connid=1000
53923ffe connection_read(12): checking for input on id=1000
ber_get_next
tls_read: want=5, got=5
  0000:  30 33 02 01 02 03...
ldap_read: want=8 error=Success
53923ffe ber_get_next on fd 12 failed errno=0 (Success)
53923ffe connection_read(12): input error=-2 id=1000, closing.
53923ffe connection_closing: readying conn=1000 sd=12 for close
53923ffe connection_close: conn=1000 sd=12
53923ffe daemon: removing 12
tls_write: want=53, written=53
  0000:  15 03 03 00 30 c2 bb c0  ae 12 fa 04 27 45 11 6e   ....0.......'E.n
  0010:  d7 08 20 97 49 59 0b 35  c5 77 2d b5 65 a0 97 a4   .. .IY.5.w-.e...
  0020:  b0 3a eb aa b1 e7 71 8b  3e 0c 73 60 e3 9b 66 8c   .:....q.>.s`..f.
  0030:  f8 94 e0 c6 50                                     ....P
53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
53923ffe daemon: activity on 1 descriptor
53923ffe daemon: activity on:53923ffe
53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
53923ffe conn=1000 fd=12 closed (connection lost)
As you can see, the server declares the TLS established, then tries to read something, receives 5 bytes, which (I believe) indicate the LDAP protocol, then comes the part I can't decode:
ldap_read: want=8 error=Success
53923ffe ber_get_next on fd 12 failed errno=0 (Success)
53923ffe connection_read(12): input error=-2 id=1000, closing.
What's with the "failed errno=0" and why does the server close the connection? What should I change in the config to make it work? If you need any more information I'll provide it - I selected the part that seemed relevant to me.
Thanks a lot for any ideas,
Andrei

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921#25
[2] http://www.gnutls.org/manual/html_node/certtool-Invocation.html
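Added example (not from the post and not OpenLDAP code): a small Python decoder for the two hex dumps in the slapd trace, the five bytes read after "TLS established" and the record header of the 53 bytes written just before the close. The StartTLS extendedRequest it builds for comparison is constructed here, not taken from the trace.

```python
# Added example, not OpenLDAP code: decoders for the two hex dumps in the
# slapd trace above. Trace bytes are copied; the StartTLS request is constructed.
LDAP_OPS = {  # protocolOp tags, RFC 4511 (APPLICATION class: 0x60 | number)
    0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest",
    0x77: "extendedRequest", 0x78: "extendedResponse", 0x42: "unbindRequest"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}

def read_length(buf, pos):
    """Decode a BER definite length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_envelope(buf):
    """Parse the LDAPMessage SEQUENCE header and messageID of a (possibly
    partial) message; report bytes still missing and the protocolOp if seen."""
    if not buf or buf[0] != 0x30:
        raise ValueError("expected LDAPMessage SEQUENCE tag 0x30")
    total, body_start = read_length(buf, 1)
    if body_start >= len(buf) or buf[body_start] != 0x02:
        raise ValueError("messageID INTEGER not present")
    id_len, pos = read_length(buf, body_start + 1)
    msg_id = int.from_bytes(buf[pos:pos + id_len], "big", signed=True)
    pos += id_len
    op = LDAP_OPS.get(buf[pos], f"tag {buf[pos]:#04x}") if pos < len(buf) else None
    return {"envelope_len": total, "message_id": msg_id,
            "bytes_missing": max(body_start + total - len(buf), 0),
            "protocol_op": op}

def decode_tls_record_header(buf):
    """Decode a 5-byte TLS record header; version 3.3 is TLS 1.2."""
    return {"content_type": TLS_CONTENT.get(buf[0], buf[0]),
            "version": f"{buf[1]}.{buf[2]}",
            "length": int.from_bytes(buf[3:5], "big")}

TRACE_READ = bytes.fromhex("30 33 02 01 02")   # what slapd read after TLS came up
TRACE_WRITE = bytes.fromhex("15 03 03 00 30")  # header of the 53 bytes it then wrote
_oid = b"1.3.6.1.4.1.1466.20037"                # StartTLS OID (constructed message)
_ext = bytes([0x80, len(_oid)]) + _oid          # requestName [0] LDAPOID
_body = bytes([0x02, 0x01, 0x01, 0x77, len(_ext)]) + _ext  # messageID 1, tag 0x77
STARTTLS_REQUEST = bytes([0x30, len(_body)]) + _body
if __name__ == "__main__":
    for sample in (TRACE_READ, STARTTLS_REQUEST):
        print(decode_envelope(sample))
    print(decode_tls_record_header(TRACE_WRITE))
```

For the trace bytes this reports a 51-byte LDAPMessage with messageID 2 of which 48 bytes had not yet been read, and a TLS alert record of 48 bytes as the last thing the server sent.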