Hello,
Our main OpenLDAP Server (running on CentOS 7) has been working fine with 2.4.58.
Since yesterday, after a (minor, see at the end) OS upgrade which included an update to LTB Openldap 2.4.59, SSL clients see:
# ldapwhoami -H ldaps://ldap.noa.gr:636 -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
In the log I see, for example:
Oct 21 17:10:58 ldap slapd[18532]: conn=1170 fd=18 ACCEPT from IP=195.251.xxx.xxx:44016 (IP=0.0.0.0:389)
Oct 21 17:10:58 ldap slapd[18532]: conn=1170 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 21 17:10:58 ldap slapd[18532]: conn=1170 op=0 STARTTLS
Oct 21 17:10:58 ldap slapd[18532]: conn=1170 op=0 RESULT oid= err=0 text=
Oct 21 17:10:58 ldap slapd[18532]: conn=1170 fd=18 closed (TLS negotiation failure)
...
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 fd=18 ACCEPT from IP=[2001:648:2011:xxxx::xxxx]:52018 (IP=[::]:636)
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 fd=18 TLS established tls_ssf=256 ssf=256
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=0 BIND dn="uid=full,ou=sys,dc=noa,dc=gr" method=128
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=0 BIND dn="uid=Full,ou=sys,dc=noa,dc=gr" mech=SIMPLE ssf=0
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=0 RESULT tag=97 err=0 text=
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 SRCH base="dc=noa,dc=gr" scope=2 deref=0 filter="(objectClass=*)"
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 SRCH attr=* +
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_op_search: got a persistent search with a cookie=rid=601,csn=20200910151806.461875Z#000000#000#000000
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_findbase: searching
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_op_search: registered persistent search
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_findcsn: mode=FIND_CSN csn=20200910151806.461875Z#000000#000#000000
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_findcsn: csn==20200910151806.461875Z#000000#000#000000 not found
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_findcsn: csn<=20200910151806.461875Z#000000#000#000000 found
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_findcsn: mode=FIND_PRESENT csn=
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_sendinfo: present syncIdSet cookie=
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 INTERM oid=1.3.6.1.4.1.4203.1.9.1.4
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 op=1 syncprov_sendinfo: present syncIdSet cookie=
...
Oct 21 17:11:34 ldap slapd[18532]: send_search_entry: conn 1172 ber write failed.
Oct 21 17:11:34 ldap slapd[18532]: conn=1172 fd=18 closed (connection lost on write)
Oct 21 17:11:34 ldap slapd[18532]: connection_read(18): no connection!
Oct 21 17:11:34 ldap slapd[18532]: connection_read(18): no connection!
Oct 21 17:11:34 ldap slapd[18532]: connection_read(18): no connection!
Oct 21 17:11:34 ldap slapd[18532]: connection_read(18): no connection!
<many more entries like this>
...
Oct 21 17:11:34 ldap slapd[18532]: conn=1173 fd=18 ACCEPT from IP=[2001:648:2011:xxxx::xxxx]:33466 (IP=[::]:636)
Oct 21 17:11:34 ldap slapd[18532]: conn=1173 fd=18 closed (TLS negotiation failure)
Is there some settings change in 2.4.59, or is something going wrong?
My settings:
olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/certs/priv.crt
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSCertificateFile: /usr/local/openldap/etc/openldap/certs/cert.crt
olcTLSCACertificateFile: /usr/local/openldap/etc/openldap/certs/GeantCA.crt
I also tried:
olcTLSCipherSuite: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
without success.
Interestingly, I can see random successes like:
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 fd=19 ACCEPT from IP=[2001:648:2011:xxxx::xxxx]:47206 (IP=[::]:636)
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 fd=19 TLS established tls_ssf=256 ssf=256
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 op=0 BIND dn="uid=auth,ou=sys,dc=noa,dc=gr" method=128
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 op=0 BIND dn="uid=auth,ou=sys,dc=noa,dc=gr" mech=SIMPLE ssf=0
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 op=0 RESULT tag=97 err=0 text=
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 op=1 SRCH base="ou=people,dc=noa,dc=gr" scope=2 deref=0 filter="(&(&(objectClass=inetOrgPerson)(!(schacUserStatus=internal)))(|(mail=jackie@noa.gr)))"
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 op=1 SRCH attr=cn sn givenname title mail telephonenumber o ou;lang-en-us objectClass
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 op=1 ENTRY dn="uid=jackie,ou=people,dc=noa,dc=gr"
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 op=2 UNBIND
Oct 21 17:28:55 ldap slapd[18532]: conn=1317 fd=19 close
...
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 fd=19 ACCEPT from IP=[2001:648:2011:xxxx::xxxx]:35456 (IP=[::]:389)
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=0 STARTTLS
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=0 RESULT oid= err=0 text=
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 fd=19 TLS established tls_ssf=256 ssf=256
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=1 BIND dn="uid=auth,ou=sys,dc=noa,dc=gr" method=128
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=1 BIND dn="uid=auth,ou=sys,dc=noa,dc=gr" mech=SIMPLE ssf=0
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=1 RESULT tag=97 err=0 text=
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=2 SRCH base="ou=people,dc=noa,dc=gr" scope=2 deref=0 filter="(uid=gate)"
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory loginShell
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=2 ENTRY dn="uid=gate,ou=webad,ou=people,dc=noa,dc=gr"
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 op=3 UNBIND
Oct 21 17:31:54 ldap slapd[18532]: conn=1347 fd=19 closed
Then failures start again, especially when syncprov sessions take place (we have 4 syncprov consumers).
Latest updates (from /var/log/yum.log):
Oct 20 21:54:24 Updated: 1:grub2-common-2.02-0.87.el7.centos.7.noarch
Oct 20 21:54:24 Updated: 32:bind-license-9.11.4-26.P2.el7_9.7.noarch
Oct 20 21:54:24 Updated: 1:grub2-pc-modules-2.02-0.87.el7.centos.7.noarch
Oct 20 21:54:25 Updated: libX11-common-1.6.7-4.el7_9.noarch
Oct 20 21:54:26 Updated: kernel-headers-3.10.0-1160.45.1.el7.x86_64
Oct 20 21:54:28 Updated: ca-certificates-2021.2.50-72.el7_9.noarch
Oct 20 21:54:29 Updated: tzdata-2021c-1.el7.noarch
Oct 20 21:54:30 Updated: nss-softokn-freebl-3.67.0-3.el7_9.x86_64
Oct 20 21:54:36 Updated: glibc-common-2.17-325.el7_9.x86_64
Oct 20 21:54:38 Updated: glibc-2.17-325.el7_9.x86_64
Oct 20 21:54:39 Updated: nspr-4.32.0-1.el7_9.x86_64
Oct 20 21:54:39 Updated: nss-util-3.67.0-1.el7_9.x86_64
Oct 20 21:54:40 Updated: 1:openssl-libs-1.0.2k-22.el7_9.x86_64
Oct 20 21:54:41 Updated: 1:grub2-tools-minimal-2.02-0.87.el7.centos.7.x86_64
Oct 20 21:54:41 Updated: libX11-1.6.7-4.el7_9.x86_64
Oct 20 21:54:41 Updated: gd-last-2.3.3-2.el7.remi.x86_64
Oct 20 21:54:43 Updated: 32:bind-libs-lite-9.11.4-26.P2.el7_9.7.x86_64
Oct 20 21:54:43 Updated: nss-softokn-3.67.0-3.el7_9.x86_64
Oct 20 21:54:44 Updated: nss-sysinit-3.67.0-3.el7_9.x86_64
Oct 20 21:54:44 Updated: nss-3.67.0-3.el7_9.x86_64
Oct 20 21:54:45 Updated: rpm-4.11.3-46.el7_9.x86_64
Oct 20 21:54:45 Updated: rpm-libs-4.11.3-46.el7_9.x86_64
Oct 20 21:54:46 Updated: 1:grub2-tools-2.02-0.87.el7.centos.7.x86_64
Oct 20 21:54:47 Updated: 1:grub2-tools-extra-2.02-0.87.el7.centos.7.x86_64
Oct 20 21:54:47 Updated: 1:grub2-pc-2.02-0.87.el7.centos.7.x86_64
Oct 20 21:54:47 Updated: rpm-build-libs-4.11.3-46.el7_9.x86_64
Oct 20 21:54:47 Updated: nss-tools-3.67.0-3.el7_9.x86_64
Oct 20 21:54:48 Updated: openldap-2.4.44-24.el7_9.x86_64
Oct 20 21:54:48 Updated: 12:dhcp-libs-4.2.5-83.el7.centos.1.x86_64
Oct 20 21:54:48 Updated: 12:dhcp-common-4.2.5-83.el7.centos.1.x86_64
Oct 20 21:54:49 Updated: 32:bind-libs-9.11.4-26.P2.el7_9.7.x86_64
Oct 20 21:54:50 Updated: 32:bind-export-libs-9.11.4-26.P2.el7_9.7.x86_64
Oct 20 21:54:50 Updated: httpd-tools-2.4.6-97.el7.centos.1.x86_64
Oct 20 21:54:52 Updated: httpd-2.4.6-97.el7.centos.1.x86_64
Oct 20 21:54:54 Updated: 1:openssl-devel-1.0.2k-22.el7_9.x86_64
Oct 20 21:54:56 Updated: 1:openssl-1.0.2k-22.el7_9.x86_64
Oct 20 21:54:56 Updated: oniguruma5php-6.9.7.1-1.el7.remi.x86_64
Oct 20 21:54:56 Updated: gssproxy-0.7.0-30.el7_9.x86_64
Oct 20 21:54:57 Installed: libzstd-1.5.0-1.el7.x86_64
Oct 20 21:54:57 Updated: libzip5-1.8.0-2.el7.remi.x86_64
Oct 20 21:55:00 Updated: kernel-tools-libs-3.10.0-1160.45.1.el7.x86_64
Oct 20 21:55:01 Updated: glibc-headers-2.17-325.el7_9.x86_64
Oct 20 21:55:05 Installed: libicu69-69.1-2.el7.remi.x86_64
Oct 20 21:55:07 Updated: epel-release-7-14.noarch
Oct 20 21:55:08 Updated: remi-release-7.9-2.el7.remi.noarch
Oct 20 21:55:10 Updated: glibc-devel-2.17-325.el7_9.x86_64
Oct 20 21:55:12 Updated: kernel-tools-3.10.0-1160.45.1.el7.x86_64
Oct 20 21:55:25 Updated: 1:nfs-utils-1.3.0-0.68.el7.2.x86_64
Oct 20 21:55:26 Updated: 1:mod_ssl-2.4.6-97.el7.centos.1.x86_64
Oct 20 21:55:30 Updated: 12:dhclient-4.2.5-83.el7.centos.1.x86_64
Oct 20 21:55:33 Updated: 32:bind-utils-9.11.4-26.P2.el7_9.7.x86_64
Oct 20 21:55:36 Updated: openldap-ltb-2.4.59-1.el7.x86_64
Oct 20 21:55:37 Updated: sudo-1.8.23-10.el7_9.2.x86_64
Oct 20 21:55:38 Updated: rpm-python-4.11.3-46.el7_9.x86_64
Oct 20 21:55:39 Updated: 1:grub2-2.02-0.87.el7.centos.7.x86_64
Oct 20 21:55:40 Updated: rsyslog-8.24.0-57.el7_9.1.x86_64
Oct 20 21:55:40 Updated: kpartx-0.4.9-135.el7_9.x86_64
Oct 20 21:56:00 Updated: 2:microcode_ctl-2.1-73.11.el7_9.x86_64
Oct 20 21:56:01 Updated: kexec-tools-2.0.15-51.el7_9.3.x86_64
Oct 20 21:56:01 Updated: unzip-6.0-22.el7_9.x86_64
Oct 20 21:56:02 Updated: virt-what-1.18-4.el7_9.1.x86_64
Oct 20 21:56:04 Updated: glib2-2.56.1-9.el7_9.x86_64
Oct 20 21:56:05 Updated: python-perf-3.10.0-1160.45.1.el7.x86_64
Oct 20 21:56:30 Installed: kernel-3.10.0-1160.45.1.el7.x86_64
Oct 20 21:56:32 Updated: openldap-ltb-debuginfo-2.4.59-1.el7.x86_64
Please advise.
Would you suggest an openldap downgrade to 2.4.58 and/or to openssl-1.0.2k-21?
Any other ideas?
Nick
Nick Milas wrote:
Hello,
Our main OpenLDAP Server (running on CentOS 7) has been working fine with 2.4.58.
Since yesterday, after a (minor, see at the end) OS upgrade which included an update to LTB Openldap 2.4.59, SSL clients see:
# ldapwhoami -H ldaps://ldap.noa.gr:636 -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Run ldapwhoami with -d -1. Also run slapd with -d -1.
Thank you for the reply:
Here it is:
# ldapwhoami -H ldaps://ldap.noa.gr:636 -x -d -1
ldap_url_parse_ext(ldaps://ldap.noa.gr:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.noa.gr:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.noa.gr:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:648:2011:10::234 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
tls_write: want=289, written=289
... (hex dump of the ClientHello omitted) ...
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
... (hex dump omitted) ...
tls_read: want=56, got=56
... (hex dump of the ServerHello omitted) ...
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
... (hex dump omitted) ...
tls_read: want=2188, got=2188
... (hex dump of the server Certificate message omitted) ...
TLS certificate verification: depth: 0, err: 20, subject: /C=GR/ST=Attik\xC3\xAD/L=Athens/O=National Observatory of Athens/CN=ldap1.noa.gr, issuer: /C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I also set slapd to run with params: "-d -1". Here is the log:
# systemctl restart slapd
Job for slapd.service failed because a timeout was exceeded. See "systemctl status slapd.service" and "journalctl -xe" for details.
From the journal, some excerpts (it is very long):
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: TLS trace: SSL_accept:SSLv3 flush data
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: TLS trace: SSL_accept:SSLv3 read client certificate A
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: tls_read: want=5 error=Resource temporarily unavailable
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: TLS trace: SSL_accept:error in SSLv3 read client key exchange A
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: TLS trace: SSL_accept:error in SSLv3 read client key exchange A
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: activity on 1 descriptor
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: activity on:
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=8 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=9 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=10 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=11 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd[24898]: conn=1001 fd=15 closed (TLS negotiation failure)
...
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: activity on 1 descriptor
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: activity on:
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=8 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=9 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=10 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: epoll: listen=11 active_threads=0 tvp=NULL
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 connection_get(15)
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 connection_get(15): got connid=1001
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 connection_read(15): checking for input on id=1001
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: tls_read: want=5, got=5
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 0000: 15 03 03 00 02 .....
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: tls_read: want=2, got=2
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 0000: 02 30 .0
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: TLS trace: SSL3 alert read:fatal:unknown CA
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: TLS trace: SSL_accept:failed in error
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: TLS: can't accept: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca.
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 connection_read(15): TLS accept failure error=-1 id=1001, closing
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 connection_closing: readying conn=1001 sd=15 for close
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 connection_close: conn=1001 sd=15
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 daemon: removing 15
Oct 21 18:30:42 ldap.noa.gr slapd-cli[24796]: 617187a2 conn=1001 fd=15 closed (TLS negotiation failure)
It shows that the CA/cert has issues. Yet, everything was working fine until the last upgrade!
Nick
On 21/10/2021 6:20 PM, Howard Chu wrote:
Run ldapwhoami with -d -1. Also run slapd with -d -1.
Nick Milas wrote:
Thank you for the reply:
Here it is:
It shows that the CA/cert has issues. Yet, everything was working fine until the last upgrade!
Well, it's not going to lie to you. Your CA cert isn't recognized, so some other upgrade must have mucked with your certs or LDAP config. Simple enough to fix, just make sure the CA cert you're using is present in the expected cert dir.
Nick
On 21/10/2021 6:20 PM, Howard Chu wrote:
Run ldapwhoami with -d -1. Also run slapd with -d -1.
On 21/10/2021 6:39 PM, Nick Milas wrote:
From the journal, some excerpts (it is very long):
My fault: I copied parts from the journal before the restart :(
Here is the actual log after restart:
Oct 21 18:31:28 ldap.noa.gr systemd[1]: slapd.service start operation timed out. Terminating.
Oct 21 18:31:28 ldap.noa.gr slapd[24898]: daemon: shutdown requested and initiated.
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 daemon: shutdown requested and initiated.
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 daemon: closing 7
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 daemon: closing 8
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 daemon: closing 9
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 daemon: closing 10
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 daemon: closing 11
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 connection_closing: readying conn=1004 sd=15 for close
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 connection_close: conn=1004 sd=15
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 daemon: removing 15
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: tls_write: want=31, written=31
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 0000: 15 03 03 00 1a 76 bc 75 b6 cd d1 37 29 11 a2 d8 .....v.u...7)...
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 0010: 7b 5c 1d fc 07 73 a7 ce 46 05 d2 04 d2 29 8b {...s..F....).
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: TLS trace: SSL3 alert write:warning:close notify
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 conn=1004 fd=15 closed (slapd shutdown)
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 slapd shutdown: waiting for 0 operations/tasks to finish
Oct 21 18:31:28 ldap.noa.gr slapd-cli[24796]: 617187d0 slapd shutdown: initiated
Oct 21 18:31:28 ldap.noa.gr slapd[24898]: conn=1004 fd=15 closed (slapd shutdown)
Oct 21 18:31:28 ldap.noa.gr slapd[24898]: slapd shutdown: waiting for 0 operations/tasks to finish
Oct 21 18:31:28 ldap.noa.gr slapd[24898]: slapd stopped.
Oct 21 18:31:28 ldap.noa.gr systemd[1]: Failed to start OpenLDAP LTB startup script.
-- Subject: Unit slapd.service has failed
--On Thursday, October 21, 2021 7:54 PM +0300 Nick Milas nick@eurobjects.com wrote:
On 21/10/2021 6:39 PM, Nick Milas wrote:
From the journal, some excerpts (it is very long):
My fault: I copied parts from the journal before the restart :(
Here is the actual log after restart:
The client side still says it can't validate the cert. As long as the client can't validate the cert, you won't be able to establish TLS.
From your ldapwhoami output:
TLS certificate verification: depth: 0, err: 20, subject: /C=GR/ST=Attik\xC3\xAD/L=Athens/O=National Observatory of Athens/CN=ldap1.noa.gr, issuer: /C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
TLS certificate verification: Error, unable to get local issuer certificate
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah Gibson-Mount quanah@symas.com wrote on 21.10.2021 at 19:29 in message <125627C2D6AF4AE00EF3FCDF@[192.168.1.11]>:
--On Thursday, October 21, 2021 7:54 PM +0300 Nick Milas nick@eurobjects.com wrote:
On 21/10/2021 6:39 PM, Nick Milas wrote:
From the journal, some excerpts (it is very long):
My fault: I copied parts from the journal before the restart :(
Here is the actual log after restart:
The client side still says it can't validate the cert. As long as the client can't validate the cert, you won't be able to establish TLS.
From your ldapwhoami output:
TLS certificate verification: depth: 0, err: 20, subject: /C=GR/ST=Attik\xC3\xAD/L=Athens/O=National Observatory of Athens/CN=ldap1.noa.gr, issuer: /C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
TLS certificate verification: Error, unable to get local issuer certificate
Maybe use openssl x509 to display the certificate chain, looking for problems, and use the "verify" of openssl to check the certificate (chain). And show us the results ;-)
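The openssl x509 / verify check suggested in the last reply, written out as an added example that is neither the thread's nor OpenLDAP's code. It assumes the olcTLS* paths quoted above, a standard openssl CLI on the server, and a chain of server certificate, intermediate and root; in the thread's case the intermediate named in the error, GEANT OV RSA CA 4, is the certificate to look for in GeantCA.crt.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: run the
# "openssl x509 / openssl verify" checks suggested above against the files
# slapd is configured with, so a CA bundle that does not contain the server
# certificate's issuer is caught on the server rather than as "unable to get
# local issuer certificate" on every client. Paths default to the olcTLS*
# values quoted in the thread and can be overridden via the environment.
set -u

CERT_DIR=${CERT_DIR:-/usr/local/openldap/etc/openldap/certs}
SERVER_CERT=${SERVER_CERT:-$CERT_DIR/cert.crt}   # olcTLSCertificateFile
CA_FILE=${CA_FILE:-$CERT_DIR/GeantCA.crt}        # olcTLSCACertificateFile

# Print "subject=..." / "issuer=..." for every PEM certificate in a bundle,
# so the chain it carries (intermediate(s) and root) can be read off directly.
list_certs() {          # list_certs BUNDLE.pem
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Return 0 when the leaf's issuer DN is the subject of some certificate in
# the CA file. This is the direct test for the symptom in the thread: a
# failure at depth 0 with err 20 means no such certificate was found.
issuer_present() {      # issuer_present CA_FILE LEAF.crt
    issuer=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
    list_certs "$1" | sed -n 's/^subject= *//p' | grep -Fxq -- "$issuer"
}

# Return openssl's own verdict: 0 when LEAF chains to a trust anchor in
# CA_FILE, non-zero otherwise (the reason is printed, e.g. "error 20 at 0
# depth lookup: unable to get local issuer certificate").
verify_chain() {        # verify_chain CA_FILE LEAF.crt
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Show what a client actually receives from a running ldaps listener: with a
# complete chain this lists the leaf and its intermediate(s), not the leaf
# alone. Needs network access to the server.
served_chain() {        # served_chain HOST PORT
    tmp=$(mktemp)
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' >"$tmp"
    list_certs "$tmp" | sed -n 's/^subject= *//p'
    rm -f "$tmp"
}

report() {
    echo "== certificates in $CA_FILE"
    list_certs "$CA_FILE"
    echo "== server certificate $SERVER_CERT"
    openssl x509 -in "$SERVER_CERT" -noout -subject -issuer -enddate
    if issuer_present "$CA_FILE" "$SERVER_CERT"; then
        echo "issuer of the server certificate is present in the CA file"
    else
        echo "issuer of the server certificate is NOT in the CA file:" \
             "clients will fail at depth 0 with err 20"
    fi
    if verify_chain "$CA_FILE" "$SERVER_CERT"; then
        echo "chain verification: OK"
    else
        echo "chain verification: FAILED"
    fi
}

# Only run the report when the configured files are readable, so the
# functions above can also be sourced and used individually.
if [ -r "$SERVER_CERT" ] && [ -r "$CA_FILE" ]; then
    report
fi
```

Run it as root on the LDAP host after every package update that touches openssl, ca-certificates or the LTB package; served_chain ldap.noa.gr 636 then shows whether the running slapd sends the intermediate as well.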