
openldap-2.0.11 and ldaps problems



Greetings,
 
I am having some strange problems with openldap-2.0.11 and ldaps queries.  I have set up the following:
 
Installed openldap-2.0.11:
# cd /usr/local/src/openldap-2.0.11
# env CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib ./configure --with-tls --without-threads
# make depend
# make
# make test
# make install
 
I then run a slapd instance on another machine (192.168.0.2) with the following command:
# ./slapd -h "ldap:/// ldaps:///" -d1
 
Then, from the machine where I installed openldap-2.0.11, I try a search:
@(#) $OpenLDAP: slapd 2.0.7-Release (Wed May  9 15:51:06 CDT 2001) $
        jmowat@Geneva:/home/jmowat/src/openldap-2.0.7/servers/slapd
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse(ldap:///)
daemon: socket() failed errno=22 (Invalid argument)
daemon: initialized ldap:///
ldap_url_parse(ldaps:///)
daemon: socket() failed errno=22 (Invalid argument)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting
 
I then run the search:
# /usr/local/bin/ldapsearch -x -H ldap://192.168.0.2 -s base -b "dc=example,dc=com"
 
With the following results:
============
version: 2
 
#
# filter: (objectclass=*)
# requesting: ALL
#
 
# example,dc=com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1
============
 
The server responds (with the debugging I set) with:
============
ldap_pvt_gethostbyname_a: host=Geneva, r=0
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 8
do_bind: v3 anonymous bind
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 54 contents:
do_search
ber_scanf fmt ({aiiiib) ber:
ber_scanf fmt (o) ber:
ber_scanf fmt ({v}}) ber:
=> ldbm_back_search
dn2entry_r: dn: "DC=EXAMPLE,DC=COM"
=> dn2id( "DC=EXAMPLE,DC=COM" )
=> ldbm_cache_open( "/usr/local/var/openldap-ldbm/dn2id.dbb", 7, 600 )
<= ldbm_cache_open (opened 0)
<= dn2id 8
=> id2entry_r( 8 )
=> ldbm_cache_open( "/usr/local/var/openldap-ldbm/id2entry.dbb", 7, 600 )
<= ldbm_cache_open (opened 1)
=> str2entry
<= str2entry(dc=example,dc=com) -> -1 (0x815ae20)
<= id2entry_r( 8 ) 0x815ae20 (disk)
base_candidates: base: "dc=example,dc=com"
====> cache_return_entry_r( 8 ): created (0)
=> id2entry_r( 8 )
====> cache_find_entry_id( 8 ) "dc=example,dc=com" (found) (1 tries)
<= id2entry_r( 8 ) 0x815ae20 (cache)
=> send_search_entry: "dc=example,dc=com"
ber_flush: 110 bytes to sd 8
<= send_search_entry
====> cache_return_entry_r( 8 ): returned (0)
send_ldap_search_result 0::
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 8
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
connection_closing: readying conn=0 sd=8 for close
connection_resched: attempting closing conn=0 sd=8
connection_close: conn=0 sd=8
============
 
Now, when I try ldaps, I get the following:
# /usr/local/bin/ldapsearch -x -H "ldaps://192.168.0.2" -s base -b "dc=example,dc=com"
============
ldap_bind: Can't contact LDAP server
============
 
The server pukes back:
============
connection_get(8): got connid=1
connection_read(8): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(8): got connid=1
connection_read(8): checking for input on id=1
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(8): got connid=1
connection_read(8): checking for input on id=1
ber_get_next
ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=8 for close
connection_close: conn=1 sd=8
TLS trace: SSL3 alert write:warning:close notify
============
 
Now, when I try this on an openldap-2.0.7 installation, I get the following results:
# /usr/local/bin/ldapsearch -x -H ldaps://192.168.0.2 -s base -b "dc=example,dc=com"
 
============
version: 2
 
#
# filter: (objectclass=*)
# requesting: ALL
#
 
# example,dc=com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1
============
 
The server responds with:
============
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="" method=128
send_ldap_result: conn=3 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 8
do_bind: v3 anonymous bind
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 54 contents:
do_search
ber_scanf fmt ({aiiiib) ber:
ber_scanf fmt (o) ber:
ber_scanf fmt ({v}}) ber:
=> ldbm_back_search
dn2entry_r: dn: "DC=EXAMPLE,DC=COM"
=> dn2id( "DC=EXAMPLE,DC=COM" )
====> cache_find_entry_dn2id("DC=EXAMPLE,DC=COM"): 8 (1 tries)
<= dn2id 8 (in cache)
=> id2entry_r( 8 )
====> cache_find_entry_id( 8 ) "dc=example,dc=com" (found) (1 tries)
<= id2entry_r( 8 ) 0x815ae20 (cache)
base_candidates: base: "dc=example,dc=com"
====> cache_return_entry_r( 8 ): returned (0)
=> id2entry_r( 8 )
====> cache_find_entry_id( 8 ) "dc=example,dc=com" (found) (1 tries)
<= id2entry_r( 8 ) 0x815ae20 (cache)
=> send_search_entry: "dc=example,dc=com"
ber_flush: 110 bytes to sd 8
<= send_search_entry
====> cache_return_entry_r( 8 ): returned (0)
send_ldap_search_result 0::
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 8
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
connection_closing: readying conn=3 sd=8 for close
connection_resched: attempting closing conn=3 sd=8
connection_close: conn=3 sd=8
TLS trace: SSL3 alert write:warning:close notify
============
 
I installed the following patch to get 2.0.7 ldapsearch to stop core dumping on ldaps connections:
diff -ur ../OPENLDAP_HEAD/libraries/libldap/open.c libraries/libldap/open.c
--- ../OPENLDAP_HEAD/libraries/libldap/open.c Wed Oct 18 11:53:53 2000
+++ libraries/libldap/open.c Tue Nov 21 20:37:04 2000
@@ -329,8 +329,15 @@
  if (ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
   strcmp( srv->lud_scheme, "ldaps" ) == 0 )
  {
+  LDAPConn *savedefconn = ld->ld_defconn;
+  ++conn->lconn_refcnt; /* avoid premature free */
+  ld->ld_defconn = conn;
+
   rc = ldap_pvt_tls_start( ld, conn->lconn_sb,
    ld->ld_options.ldo_tls_ctx );
+
+  ld->ld_defconn = savedefconn;
+  --conn->lconn_refcnt;
 
   if (rc != LDAP_SUCCESS) {
    return -1;
 
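Review bot: the comment on `++conn->lconn_refcnt; /* avoid premature free */` says what the line prevents but not what frees the connection, and the hunk also swaps `ld->ld_defconn = conn;` for the duration of `ldap_pvt_tls_start()` without saying why the default connection has to be the one being started; one sentence naming the code inside `ldap_pvt_tls_start()` that reaches `conn` through `ld->ld_defconn` would make the two-part workaround reviewable rather than magic. The restore of `ld_defconn` and the `--conn->lconn_refcnt;` correctly sit before the existing `if (rc != LDAP_SUCCESS) { return -1;` so the failure path neither leaks the count nor leaves `ld_defconn` pointing at a connection the caller is about to discard; a comment stating that ordering is deliberate would keep a later edit from moving the decrement below the return.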
This patch was necessary to stop ldapsearch from core dumping on me. I am running openldap on RedHat 7.0 systems, with openssl installed on each of them.
 
I truly don't understand what's happening here.  I am concerned that 2.0.11 won't work under ldaps.  Is it a certificate problem?  The debug output is a little hard to understand.  I get errors when it fails, and I get errors when it works.  If anyone can help me out, I would appreciate it greatly.  I know that 2.0.7 works on one system, but 2.0.11 doesn't work on another.  I'd like to try to stay with the latest dist. of openldap.
 
Cheers,
Jason
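The two ldaps server traces quoted in the post differ in one telling way: in the failing case the TLS handshake runs all the way to `SSL_accept:SSLv3 write finished A`, and the very next read reports `errno=0 (Success)`, which is `read()` returning 0, i.e. the client hung up without ever sending a bind request; in the working case the same handshake lines are followed by `tag 0x30` PDUs and `do_bind`/`do_search`/`do_unbind`. The `error in SSLv3 read client certificate A` lines appear in both dumps and are OpenSSL waiting for more data on a non-blocking socket, so they are not the failure. The script below is an added example, not code from the original post or from OpenLDAP, that classifies `slapd -d1` connection traces along exactly those lines. The two sample traces are constructed abridgements of the dumps in the post; the verdict strings, including the hint that such a trace points at the client's handling of the server certificate rather than at the server, are this editor's interpretation.

```python
"""Classify slapd -d1 connection traces: did TLS finish, did any LDAP follow?"""
import re

# Constructed sample traces, abridged from the two slapd -d1 dumps quoted in
# the post (2.0.11 client that fails over ldaps vs. 2.0.7 client that works).
FAILING_TRACE = """\
connection_get(8): got connid=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
ber_get_next
ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=1, closing.
connection_close: conn=1 sd=8
TLS trace: SSL3 alert write:warning:close notify
"""

WORKING_TRACE = """\
connection_get(8): got connid=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 write finished A
ber_get_next: tag 0x30 len 12 contents:
do_bind
do_bind: version=3 dn="" method=128
send_ldap_response: msgid=1 tag=97 err=0
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
ber_get_next: tag 0x30 len 54 contents:
do_search
send_ldap_response: msgid=2 tag=101 err=0
ber_get_next: tag 0x30 len 5 contents:
do_unbind
connection_close: conn=3 sd=8
TLS trace: SSL3 alert write:warning:close notify
"""

PDU_RE = re.compile(r"^ber_get_next: tag 0x([0-9a-f]+) len (\d+)")
READ_FAIL_RE = re.compile(r"^ber_get_next on fd \d+ failed errno=(\d+)")
OP_RE = re.compile(r"^(do_\w+)$")  # bare "do_bind" lines, not "do_bind: ..."


def analyze_trace(text):
    """Summarise one slapd -d1 connection trace into a small verdict dict."""
    lines = text.splitlines()
    tls = any("SSL_accept:before/accept" in ln for ln in lines)
    handshake_complete = any("SSL_accept:SSLv3 write finished" in ln for ln in lines)
    # OpenSSL logs "error in ... read client certificate" while it is merely
    # waiting for more bytes on a non-blocking socket; the post's working trace
    # shows the same two lines, so they are counted but never treated as fatal.
    spurious_tls_errors = sum("error in SSLv3" in ln for ln in lines)
    pdus = [m for m in map(PDU_RE.match, lines) if m]
    operations = [m.group(1) for m in map(OP_RE.match, lines) if m]
    # errno=0 on a read failure means read() returned 0: the peer closed the
    # socket cleanly. errno=11 (EAGAIN) only means "no data yet" and is benign.
    peer_eof = any(m and m.group(1) == "0" for m in map(READ_FAIL_RE.match, lines))
    peer_closed_before_pdu = peer_eof and not pdus

    if tls and not handshake_complete:
        verdict = "tls handshake incomplete: server-side TLS problem"
    elif peer_closed_before_pdu:
        # Interpretation (editor's): the server finished TLS, so the fault is on
        # the client side, typically how it validates the server's certificate.
        verdict = ("client closed the connection after the TLS handshake without "
                   "sending a single LDAP PDU: the server's TLS side is fine, look "
                   "at the client (version, CA trust, server certificate checks)")
    elif operations:
        verdict = "ldap session completed: " + ", ".join(operations)
    else:
        verdict = "no LDAP operations seen"

    return {
        "tls": tls,
        "handshake_complete": handshake_complete,
        "spurious_tls_errors": spurious_tls_errors,
        "ldap_pdus": len(pdus),
        "operations": operations,
        "peer_closed_before_pdu": peer_closed_before_pdu,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, analyze_trace(trace)["verdict"])
```

Feed it a whole `slapd -d1` log split per `connid` and the errno=0-with-no-PDU pattern stands out immediately, which is the cue to turn debugging on the client side (its own `-d` output, and which CA and hostname it expects in the server certificate) instead of reading more server TLS trace.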