Hi All,
I am trying to debug an issue with the Chef Manage WebUI authenticating users against LDAP. Authentication was working fine, but after upgrading the LDAP server to the latest version of the OS we are getting authentication failures. Below are the errors showing in the log:
Jul 13 20:26:52 ldap.local slapd[18572]: connection_get(14)
Jul 13 20:26:52 ldap.local slapd[18572]: connection_get(14): got connid=1003
Jul 13 20:26:52 ldap.local slapd[18572]: connection_read(14): checking for input on id=1003
Jul 13 20:26:52 ldap.local slapd[18572]: op tag 0x77, time 1657744012
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 do_extended
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 13 20:26:52 ldap.local slapd[18572]: do_extended: oid=1.3.6.1.4.1.1466.20037
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 STARTTLS
Jul 13 20:26:52 ldap.local slapd[18572]: send_ldap_extended: err=0 oid= len=0
Jul 13 20:26:52 ldap.local slapd[18572]: send_ldap_response: msgid=0 tag=120 err=0
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 RESULT oid= err=0 text=
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on 1 descriptor
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on:
Jul 13 20:26:52 ldap.local slapd[18572]:
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on 1 descriptor
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on:
Jul 13 20:26:52 ldap.local slapd[18572]: 14r
Jul 13 20:26:52 ldap.local slapd[18572]:
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: read active on 14
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: connection_get(14)
Jul 13 20:26:52 ldap.local slapd[18572]: connection_get(14): got connid=1003
Jul 13 20:26:52 ldap.local slapd[18572]: connection_read(14): checking for input on id=1003
Jul 13 20:26:52 ldap.local slapd[18572]: connection_read(14): TLS accept failure error=-1 id=1003, closing
Jul 13 20:26:52 ldap.local slapd[18572]: connection_closing: readying conn=1003 sd=14 for close
Jul 13 20:26:52 ldap.local slapd[18572]: connection_close: conn=1003 sd=14
Jul 13 20:26:52 ldap.local slapd[18572]: =>ldap_back_conn_destroy: fetching conn 1003
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: removing 14
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 fd=14 closed (TLS negotiation failure)
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on 1 descriptor
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on:
We are not seeing the error while connecting to OpenLDAP servers using OpenSSL or LDAP client tools. How can we debug further to see why the server was not able to complete TLS negotiation?
Package versions are:
openldap-2.4.44-25.el7_9.x86_64
openssl-1.0.2k-25.el7_9.x86_64
kernel-3.10.0-1160.66.1.el7.x86_64
Regards, Aravind M D
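The slapd debug output above is mostly daemon/epoll noise; the lines that matter are the ones carrying a connection id. The following script is an added example (not code from the original post, Chef or OpenLDAP) that groups slapd log lines by connection and records the STARTTLS request (OID 1.3.6.1.4.1.1466.20037), the server-side "TLS accept failure" (which slapd logs with id= rather than conn=), the "TLS established" line, the BIND result and the close reason, so a failing handshake can be told apart from a bind that was rejected after TLS came up. The embedded sample log is constructed: conn=1003 mirrors the failing connection from the post (the ACCEPT line and peer address 192.0.2.10 are assumed, the post does not show them), and conn=1004 is an invented successful STARTTLS plus BIND for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample, one slapd line per row, modelled on the syslog format in the
# post. conn=1003 is the failing handshake; conn=1004 is an invented success case.
# The ACCEPT lines and peer addresses are assumptions, not taken from the post.
SAMPLE_LOG = """\
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 STARTTLS
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 RESULT oid= err=0 text=
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: connection_read(14): TLS accept failure error=-1 id=1003, closing
Jul 13 20:26:52 ldap.local slapd[18572]: connection_closing: readying conn=1003 sd=14 for close
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 fd=14 closed (TLS negotiation failure)
Jul 13 20:27:10 ldap.local slapd[18572]: conn=1004 fd=15 ACCEPT from IP=192.0.2.20:40022 (IP=0.0.0.0:389)
Jul 13 20:27:10 ldap.local slapd[18572]: conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 13 20:27:10 ldap.local slapd[18572]: conn=1004 op=0 STARTTLS
Jul 13 20:27:10 ldap.local slapd[18572]: conn=1004 op=0 RESULT oid= err=0 text=
Jul 13 20:27:10 ldap.local slapd[18572]: conn=1004 fd=15 TLS established tls_ssf=256 ssf=256
Jul 13 20:27:10 ldap.local slapd[18572]: conn=1004 op=1 BIND dn="cn=chef,dc=example,dc=com" method=128
Jul 13 20:27:10 ldap.local slapd[18572]: conn=1004 op=1 RESULT tag=97 err=0 text=
Jul 13 20:27:11 ldap.local slapd[18572]: conn=1004 fd=15 closed
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
SYSLOG_PREFIX = re.compile(r"^.*?slapd\[\d+\]: ")
CONN_ID = re.compile(r"\bconn=(\d+)")
# The TLS accept failure line names the connection by id=, not conn=.
TLS_ACCEPT_FAIL = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")
ACCEPT = re.compile(r"fd=(\d+) ACCEPT from IP=(\S+)")
BIND_RESULT = re.compile(r"op=\d+ RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse


def new_conn():
    return {"peer": None, "fd": None, "starttls_requested": False,
            "tls_established": False, "tls_accept_error": None,
            "bind_err": None, "close_reason": None}


def parse_slapd_log(text):
    """Group slapd lines by connection and record the TLS and bind milestones."""
    conns = OrderedDict()
    for raw in text.splitlines():
        msg = SYSLOG_PREFIX.sub("", raw.strip())
        fail = TLS_ACCEPT_FAIL.search(msg)
        if fail:
            conns.setdefault(fail.group(2), new_conn())["tls_accept_error"] = int(fail.group(1))
            continue
        cid = CONN_ID.search(msg)
        if not cid:
            continue  # daemon/epoll chatter with no connection context
        c = conns.setdefault(cid.group(1), new_conn())
        acc = ACCEPT.search(msg)
        if acc:
            c["fd"], c["peer"] = int(acc.group(1)), acc.group(2)
        if STARTTLS_OID in msg or " STARTTLS" in msg:
            c["starttls_requested"] = True
        if "TLS established" in msg:
            c["tls_established"] = True
        bind = BIND_RESULT.search(msg)
        if bind:
            c["bind_err"] = int(bind.group(1))
        if " closed" in msg:
            reason = msg.split("closed", 1)[1].strip(" ()")
            c["close_reason"] = reason or "normal"
    return conns


def classify(c):
    """Reduce one connection record to a single triage verdict."""
    if c["tls_accept_error"] is not None or c["close_reason"] == "TLS negotiation failure":
        return "TLS_HANDSHAKE_FAILED"   # server could not complete the handshake
    if c["starttls_requested"] and not c["tls_established"]:
        return "STARTTLS_INCOMPLETE"    # STARTTLS accepted, no handshake outcome logged
    if c["starttls_requested"]:
        return "TLS_OK"                 # TLS came up; look at bind_err for auth problems
    return "NO_TLS"


def triage(text):
    return {cid: classify(c) for cid, c in parse_slapd_log(text).items()}


if __name__ == "__main__":
    for cid, c in parse_slapd_log(SAMPLE_LOG).items():
        print(f"conn={cid} peer={c['peer']} {classify(c)} "
              f"close={c['close_reason']} bind_err={c['bind_err']}")
```

Run it against a `slapd -d -1` or `loglevel stats` capture piped into `SAMPLE_LOG`'s place. A TLS_HANDSHAKE_FAILED verdict on the server tells you only that the handshake did not complete, not why: the negotiated protocol version, cipher and certificate chain have to be checked from the client side, and for a Chef Manage host that means the OpenSSL bundled with the Chef packages, which may differ from the system openssl listed in the post.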