Hi all,
I'm using openldap-2.4.31 compiled with gnutls25 on Raspbmc (pre-compiled by the distribution) and I'm trying to make ldap+StartTls work with ldapsearch (simple ldap:// works like a charm).
After hitting the issue described at [1], I've decided to use a self-signed CA cert generated with certtool, as described in [2]. This allowed me to establish the TLS connection. However, the client still sends the bind in clear text, then the server closes the connection.
The slapd.conf file is below (comments stripped; the client has the same CACert and cipher suites):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -1
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
TLSCACertificateFile /etc/ldap/certs/selfsign/ca-cert.pem
TLSCertificateKeyFile /etc/ldap/certs/selfsign/key.pem
TLSCertificateFile /etc/ldap/certs/selfsign/cert.pem
TLSCipherSuite NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+COMP-ALL:+AES-256-CBC:+CAMELLIA-256-CBC:+RSA:+SHA1:+SHA256
TLSVerifyClient never
The client output:
root@argyle:/home/pi# ldapsearch -x -H ldap://127.0.0.1 -Z -b 'dc=strainu,dc=ro' -Dcn=admin,dc=strainu,dc=ro -w bla
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
ldap_result: Can't contact LDAP server (-1)
And finally the server output:
root@argyle:/etc/ldap# /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d -1
53923fb1 @(#) $OpenLDAP: slapd (Apr 24 2013 17:35:25) $
buildd@build07.raspbian.lan:/build/openldap-nxJLrU/openldap-2.4.31/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=argyle, r=0
53923fb1 daemon_init: <null>
53923fb1 daemon_init: listen on ldap:///
53923fb1 daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
53923fb1 daemon: listener initialized ldap:///
53923fb1 daemon_init: 2 listeners opened
ldap_create
53923fb1 slapd init: initiated server.
[...]
53923ffe connection_read(12): unable to get TLS client DN, error=49 id=1000
53923ffe conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
53923ffe daemon: activity on 1 descriptor
53923ffe daemon: activity on:53923ffe
53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
53923ffe daemon: activity on 1 descriptor
53923ffe daemon: activity on:53923ffe 12r53923ffe
53923ffe daemon: read active on 12
53923ffe connection_get(12)
53923ffe connection_get(12): got connid=1000
53923ffe connection_read(12): checking for input on id=1000
ber_get_next
tls_read: want=5, got=5
0000: 30 33 02 01 02 03...
ldap_read: want=8 error=Success
53923ffe ber_get_next on fd 12 failed errno=0 (Success)
53923ffe connection_read(12): input error=-2 id=1000, closing.
53923ffe connection_closing: readying conn=1000 sd=12 for close
53923ffe connection_close: conn=1000 sd=12
53923ffe daemon: removing 12
tls_write: want=53, written=53
0000: 15 03 03 00 30 c2 bb c0 ae 12 fa 04 27 45 11 6e ....0.......'E.n
0010: d7 08 20 97 49 59 0b 35 c5 77 2d b5 65 a0 97 a4 .. .IY.5.w-.e...
0020: b0 3a eb aa b1 e7 71 8b 3e 0c 73 60 e3 9b 66 8c .:....q.>.s`..f.
0030: f8 94 e0 c6 50 ....P
53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
53923ffe daemon: activity on 1 descriptor
53923ffe daemon: activity on:53923ffe
53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero
53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero
53923ffe conn=1000 fd=12 closed (connection lost)
As you can see, the server declares the TLS established, then tries to read something, receives 5 bytes which indicates the ldap protocol (I believe), then comes the part I can't decode:
ldap_read: want=8 error=Success
53923ffe ber_get_next on fd 12 failed errno=0 (Success)
53923ffe connection_read(12): input error=-2 id=1000, closing.
What's with the "failed errno=0" and why does the server close the connection? What should I change in the config to make it work? If you need any more information, I'll provide it - I selected the part that seemed relevant to me.
Thanks a lot for any ideas,
Andrei
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921#25
[2] http://www.gnutls.org/manual/html_node/certtool-Invocation.html
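An added helper, not from the original post or from OpenLDAP, that decodes the two hex dumps quoted in the slapd output above: the BER prefix slapd read right after "TLS established" and the TLS record header it wrote back before closing. The log excerpt is reconstructed from the post; the decoding follows the public BER and TLS record layouts, nothing more.

```python
import re

# Constructed excerpt of the `slapd -d -1` output quoted in the post.
SAMPLE_LOG = """\
tls_read: want=5, got=5
0000: 30 33 02 01 02 03...
ldap_read: want=8 error=Success
tls_write: want=53, written=53
0000: 15 03 03 00 30 c2 bb c0 ae 12 fa 04 27 45 11 6e ....0.......'E.n
"""

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}

def hex_bytes(line):
    """Byte values from a slapd dump line ('0000: 30 33 ...'); stops at the ASCII column."""
    out = []
    for tok in line.split(":", 1)[1].split():
        if not re.fullmatch(r"[0-9a-f]{2}\.*", tok):
            break
        out.append(int(tok[:2], 16))
    return out

def decode_ldap_header(b):
    """Decode the start of an LDAPMessage: SEQUENCE { messageID INTEGER, ... }.
    Only short-form lengths (< 128) are handled, which covers the dump on the page."""
    if len(b) < 5 or b[0] != 0x30 or b[1] >= 0x80 or b[2] != 0x02:
        return None
    id_len = b[3]
    msg_id = int.from_bytes(bytes(b[4:4 + id_len]), "big")
    # Whole PDU on the wire = 2 header bytes + declared SEQUENCE length.
    return {"pdu_length": b[1], "message_id": msg_id, "frame_length": 2 + b[1]}

def decode_tls_record(b):
    """Decode the 5-byte TLS record header: content type, version, payload length.
    Once a cipher suite is active the payload (here an alert) is encrypted, so only the header is readable."""
    if len(b) < 5:
        return None
    return {"type": TLS_CONTENT_TYPES.get(b[0], f"unknown({b[0]})"),
            "version": TLS_VERSIONS.get((b[1], b[2]), f"{b[1]}.{b[2]}"),
            "length": (b[3] << 8) | b[4]}

def analyse(log):
    """Pair each tls_read/tls_write line with its first dump line and decode it; keep ldap_read results too."""
    events, pending = [], None
    for line in log.splitlines():
        if line.startswith(("tls_read:", "tls_write:")):
            pending = line.split(":", 1)[0]
        elif line.startswith("0000:") and pending:
            b = hex_bytes(line)
            events.append((pending, decode_ldap_header(b) if pending == "tls_read" else decode_tls_record(b)))
            pending = None
        elif line.startswith("ldap_read:"):
            m = re.search(r"want=(\d+) error=(\S+)", line)
            events.append(("ldap_read", {"want": int(m.group(1)), "error": m.group(2)}))
    return events
```

Run against the excerpt it reports a well-formed LDAPMessage with messageID 2 (a 53-byte PDU) arriving over the TLS session, then a 48-byte TLS 1.2 alert record going back to the client before the "closed (connection lost)" line.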