Hey guys,
I have these options set for SSL in my cn=config setup:
[root@ldap1:~] #ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config|grep ssl
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcTLSCACertificateFile: /etc/ssl/certs/ldap-ca-cert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap-server.crt
olcTLSCertificateKeyFile: /etc/ssl/certs/ldap-server.key
And I want to change the settings to the contents of this ldif file:
[root@ldap1:~] #cat addcerts.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/CA/certs/ca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap1.example.com.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap1.example.com.key
But when I try to do that I get an error:
[root@ldap1:~] #ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
Segmentation fault (core dumped)
I wonder if I could be running low on memory:
[root@ldap1:~] #free -m
             total       used       free     shared    buffers     cached
Mem:           992        815        177         10        140        445
-/+ buffers/cache:        229        762
Swap:            0          0          0
Could this be causing the error? How can I make this change without encountering the segmentation fault?
Thanks, Tim
Hi Tim,
On Wed, Dec 23, 2015 at 05:43:56PM -0500, Tim Dunphy wrote:
[root@ldap1:~] #ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
Segmentation fault (core dumped)
Which version of OpenLDAP is this? Did you build it yourself, or is it from packages supplied by your operating system vendor? Which TLS library is it linked against? Can you provide a gdb backtrace including debug symbols?
If you can reproduce this with the current OpenLDAP version (2.4.43), built from source and linked with OpenSSL, please file a report in the ITS http://openldap.org/ITS.
Hi Ryan,
I'm using version 2.4.31. And I installed it through the Ubuntu package manager (apt-get).
[root@ldap1:~] #slapd -V
@(#) $OpenLDAP: slapd (Ubuntu) (Sep 15 2015 18:19:13) $
        buildd@lgw01-53:/build/openldap-2QUgtL/openldap-2.4.31/debian/build/servers/slapd
This is the version of OpenSSL I have installed:
[root@ldap1:~] #apt-cache policy openssl
openssl:
  Installed: 1.0.1f-1ubuntu2.15
  Candidate: 1.0.1f-1ubuntu2.16
  Version table:
     1.0.1f-1ubuntu2.16 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 1.0.1f-1ubuntu2.15 0
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
Sorry but I'm having some trouble providing a backtrace due to the complexity of the ldap command. This is all I get:
[root@ldap1:~] #gdb ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif 2>&1 |tee ~/gdb-ldapmodify.txt
gdb: unrecognized option '-H'
Use `gdb --help' for a complete list of options.
Or
[root@ldap1:~] #gdb 'ldapmodify -H ldapi:// -Y EXTERNAL -f' addcerts.ldif 2>&1 |tee ~/gdb-ldapmodify.txt
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
ldapmodify -H ldapi:// -Y EXTERNAL -f: No such file or directory.
"/root/addcerts.ldif" is not a core dump: File format not recognized
(gdb)
Wish I could be of more help answering the question!
On Wed, Dec 23, 2015 at 5:49 PM, Ryan Tandy ryan@nardis.ca wrote:
On Wed, Dec 23, 2015 at 08:55:13PM -0500, Tim Dunphy wrote:
I'm using version 2.4.31. And I installed it through the Ubuntu package manager (apt-get).
[root@ldap1:~] #slapd -V
@(#) $OpenLDAP: slapd (Ubuntu) (Sep 15 2015 18:19:13) $
        buildd@lgw01-53:/build/openldap-2QUgtL/openldap-2.4.31/debian/build/servers/slapd
Thanks. This package is linked with GnuTLS, not OpenSSL.
I don't have an Ubuntu install handy, but on Debian 7 (wheezy), which also ships 2.4.31, I get:
modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
        additional info: modify/add: olcTLSCACertificateFile: no equality matching rule
My suggestion is: when replacing the values, either delete the existing values before adding the new ones, or use 'replace:' instead of 'add:' to have that done for you.
If you have the time, I would also be interested to know whether you encounter the same segfault using Ubuntu 15.10, or the 14.04 backport from my PPA:
https://launchpad.net/~rtandy/+archive/ubuntu/openldap-backports
Sorry but I'm having some trouble providing a backtrace due to the complexity of the ldap command.
I just realized it wouldn't be much help anyway, since the packages you have installed don't include debug symbols for the ldap* clients, but for the record, appropriate commands would have been:
apt-get install libldap-2.4-2-dbg
gdb --args ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
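Added example, not code from the thread or from the OpenLDAP project: a small script that builds the cn=config change the way Ryan suggests above (one modify with 'replace:' per TLS attribute instead of 'add:'), checks the certificate, key and CA paths it points at before running the same ldapmodify invocation Tim used, and wraps Ryan's 'gdb --args' advice in batch form for the case where ldapmodify still crashes. The function names, the pre-checks and the permission policy for the key are this example's own assumptions; the attribute names, file paths and command-line flags are the ones that appear in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Generates and applies the cn=config
# TLS change with 'replace:' instead of 'add:', after checking the files.
# Function names and checks are assumptions of this example.

# Print an LDIF that replaces all three TLS attributes in one modify
# operation. 'replace:' works whether or not a value is already present;
# 'add:' cannot, because these attributes define no EQUALITY matching rule
# and slapd has no way to compare an existing value with the new one.
make_tls_ldif() {
    ca="$1"; crt="$2"; key="$3"
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$ca"
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$crt"
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$key"
}

# slapd opens these files itself, so a wrong path is accepted by the modify
# and only surfaces later as a TLS failure. Return 1 and name each bad path.
check_tls_files() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# The private key has to be readable by the slapd user (openldap on Ubuntu)
# but never by 'other'. Reject a world-accessible key; group access is left
# to the administrator (root:openldap with mode 640 is a common arrangement).
check_key_perms() {
    other=$(ls -ld "$1" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "key $1 is world-accessible (other bits: $other)" >&2
        return 1
    fi
}

# Run the checks, then apply the change over ldapi with SASL EXTERNAL,
# exactly as the thread does.
apply_tls_ldif() {
    check_tls_files "$1" "$2" "$3" || return 1
    check_key_perms "$3" || return 1
    ldif=$(mktemp) || return 1
    make_tls_ldif "$1" "$2" "$3" > "$ldif"
    ldapmodify -H ldapi:/// -Y EXTERNAL -f "$ldif"
    rc=$?
    rm -f "$ldif"
    return $rc
}

# Ryan's 'gdb --args' suggestion in batch form: run to the fault and print
# the backtrace. Only useful once libldap-2.4-2-dbg is installed.
crash_backtrace() {
    gdb -batch -ex run -ex bt --args "$@"
}

# Stand-alone demo: print the LDIF for the paths from Tim's addcerts.ldif.
make_tls_ldif /etc/pki/CA/certs/ca.crt \
              /etc/ldap/ssl/ldap1.example.com.crt \
              /etc/ldap/ssl/ldap1.example.com.key
```

To apply the change, call apply_tls_ldif with the CA, certificate and key paths; to capture a backtrace of a crashing client, call crash_backtrace ldapmodify -H ldapi:/// -Y EXTERNAL -f addcerts.ldif. The file and permission checks run before anything touches cn=config, so a typo in a path or a world-readable key is reported without leaving slapd half-configured.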
Possibly its#7477
On Dec 23, 2015, at 7:14 PM, Ryan Tandy ryan@nardis.ca wrote:
openldap-technical@openldap.org