Greetings,

I am having some strange problems with openldap-2.0.11 and ldaps queries. I have set up the following:
Installed openldap-2.0.11:

# cd /usr/local/src/openldap-2.0.11
# env CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib ./configure --with-tls --without-threads
# make depend
# make
# make test
# make install
I then run a slapd instance on another machine (192.168.0.2) with the following command:

Then, from the machine where I installed openldap-2.0.11, I try a search:
@(#) $OpenLDAP: slapd 2.0.7-Release (Wed May 9 15:51:06 CDT 2001) $
        jmowat@Geneva:/home/jmowat/src/openldap-2.0.7/servers/slapd
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse(ldap:///)
daemon: socket() failed errno=22 (Invalid argument)
daemon: initialized ldap:///
ldap_url_parse(ldaps:///)
daemon: socket() failed errno=22 (Invalid argument)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting

I then run the search:
# /usr/local/bin/ldapsearch -x -H ldap://192.168.0.2 -s base -b "dc=example,dc=com"
With the following results:
============
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# example,dc=com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
============
The server responds (with the debugging I set) with:

============
ldap_pvt_gethostbyname_a: host=Geneva, r=0
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 8
do_bind: v3 anonymous bind
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 54 contents:
do_search
ber_scanf fmt ({aiiiib) ber:
ber_scanf fmt (o) ber:
ber_scanf fmt ({v}}) ber:
=> ldbm_back_search
dn2entry_r: dn: "DC=EXAMPLE,DC=COM"
=> dn2id( "DC=EXAMPLE,DC=COM" )
=> ldbm_cache_open( "/usr/local/var/openldap-ldbm/dn2id.dbb", 7, 600 )
<= ldbm_cache_open (opened 0)
<= dn2id 8
=> id2entry_r( 8 )
=> ldbm_cache_open( "/usr/local/var/openldap-ldbm/id2entry.dbb", 7, 600 )
<= ldbm_cache_open (opened 1)
=> str2entry
<= str2entry(dc=example,dc=com) -> -1 (0x815ae20)
<= id2entry_r( 8 ) 0x815ae20 (disk)
base_candidates: base: "dc=example,dc=com"
====> cache_return_entry_r( 8 ): created (0)
=> id2entry_r( 8 )
====> cache_find_entry_id( 8 ) "dc=example,dc=com" (found) (1 tries)
<= id2entry_r( 8 ) 0x815ae20 (cache)
=> send_search_entry: "dc=example,dc=com"
ber_flush: 110 bytes to sd 8
<= send_search_entry
====> cache_return_entry_r( 8 ): returned (0)
send_ldap_search_result 0::
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 8
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
connection_closing: readying conn=0 sd=8 for close
connection_resched: attempting closing conn=0 sd=8
connection_close: conn=0 sd=8
============
Now, when I try ldaps, I get the following:

# /usr/local/bin/ldapsearch -x -H "ldaps://192.168.0.2" -s base -b "dc=example,dc=com"

============
ldap_bind: Can't contact LDAP server
============
The server pukes back:
============
connection_get(8): got connid=1
connection_read(8): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(8): got connid=1
connection_read(8): checking for input on id=1
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(8): got connid=1
connection_read(8): checking for input on id=1
ber_get_next
ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=8 for close
connection_close: conn=1 sd=8
TLS trace: SSL3 alert write:warning:close notify
============
Now, when I try this on an openldap-2.0.7 installation, I get the following results:

# /usr/local/bin/ldapsearch -x -H ldaps://192.168.0.2 -s base -b "dc=example,dc=com"
============
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# example,dc=com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
============
The server responds with:

============
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="" method=128
send_ldap_result: conn=3 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 8
do_bind: v3 anonymous bind
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 54 contents:
do_search
ber_scanf fmt ({aiiiib) ber:
ber_scanf fmt (o) ber:
ber_scanf fmt ({v}}) ber:
=> ldbm_back_search
dn2entry_r: dn: "DC=EXAMPLE,DC=COM"
=> dn2id( "DC=EXAMPLE,DC=COM" )
====> cache_find_entry_dn2id("DC=EXAMPLE,DC=COM"): 8 (1 tries)
<= dn2id 8 (in cache)
=> id2entry_r( 8 )
====> cache_find_entry_id( 8 ) "dc=example,dc=com" (found) (1 tries)
<= id2entry_r( 8 ) 0x815ae20 (cache)
base_candidates: base: "dc=example,dc=com"
====> cache_return_entry_r( 8 ): returned (0)
=> id2entry_r( 8 )
====> cache_find_entry_id( 8 ) "dc=example,dc=com" (found) (1 tries)
<= id2entry_r( 8 ) 0x815ae20 (cache)
=> send_search_entry: "dc=example,dc=com"
ber_flush: 110 bytes to sd 8
<= send_search_entry
====> cache_return_entry_r( 8 ): returned (0)
send_ldap_search_result 0::
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 8
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
connection_get(8): got connid=3
connection_read(8): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
connection_closing: readying conn=3 sd=8 for close
connection_resched: attempting closing conn=3 sd=8
connection_close: conn=3 sd=8
TLS trace: SSL3 alert write:warning:close notify
============
I installed the following patch to get 2.0.7 ldapsearch to stop core dumping on ldaps connections:
diff -ur ../OPENLDAP_HEAD/libraries/libldap/open.c
libraries/libldap/open.c
--- ../OPENLDAP_HEAD/libraries/libldap/open.c Wed Oct 18 11:53:53 2000 +++ libraries/libldap/open.c Tue Nov 21 20:37:04 2000 @@ -329,8 +329,15 @@ if (ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD || strcmp( srv->lud_scheme, "ldaps" ) == 0 ) { + LDAPConn *savedefconn = ld->ld_defconn; + ++conn->lconn_refcnt; /* avoid premature free */ + ld->ld_defconn = conn; + rc = ldap_pvt_tls_start( ld, conn->lconn_sb, ld->ld_options.ldo_tls_ctx ); + + ld->ld_defconn = savedefconn; + --conn->lconn_refcnt; if (rc != LDAP_SUCCESS) { return -1; This patch was necessary to stop ldapsearch from
core dumping on me. I am running openldap on RedHat 7.0 systems, with openssl installed on each of them.
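Review bot: the added lines explain the refcount bump (`/* avoid premature free */`) but give no reason for redirecting `ld->ld_defconn` to `conn` around `ldap_pvt_tls_start( ld, conn->lconn_sb, ld->ld_options.ldo_tls_ctx )`; a comment should state what in the TLS start depends on the default connection being the one currently being opened, since that is the whole point of the swap. It is also worth a one-line note that `ld->ld_defconn = savedefconn;` and `--conn->lconn_refcnt;` are deliberately placed before the existing `if (rc != LDAP_SUCCESS) { return -1;` so that the early return cannot leave the saved connection or the refcount stale; a later edit moving the error check up would reintroduce exactly that.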
I truly don't understand what's happening here. I am concerned that 2.0.11 won't work under ldaps. Is it a certificate problem? The debug output is a little hard to understand. I get errors when it fails, and I get errors when it works. If anyone can help me out, I would appreciate it greatly. I know that 2.0.7 works on one system, but 2.0.11 doesn't work on another. I'd like to try to stay with the latest dist. of openldap.
Cheers,
Jason
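An added example, not from the mail above or from OpenLDAP itself: a small Python reader for slapd debug traces of the kind quoted in the mail that records, per connection, the furthest stage reached (TCP accept, TLS handshake, bind, search, unbind) and whether the peer hung up, so the failing ldaps attempt (handshake finished, then the client closed without ever binding) is told apart from the benign errno=11 and "error in SSLv3 read client certificate" lines that also appear in the working trace. The sample trace is constructed and the stage names are my own.

```python
import re

# Constructed sample condensed from the two slapd ldaps traces in the mail: conn 1 = failing 2.0.11 client, conn 3 = working 2.0.7 client.
SAMPLE_TRACE = """\
connection_get(8): got connid=1
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(8): input error=-2 id=1, closing.
connection_get(8): got connid=3
TLS trace: SSL_accept:SSLv3 write finished A
do_bind: v3 anonymous bind
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
do_search
do_unbind
"""
# Milestones in order; the furthest one a connection reaches shows which layer failed.
STAGES = ["tcp_accept", "tls_client_hello", "tls_handshake_done",
          "ldap_bind", "ldap_search", "ldap_unbind"]
MARKERS = {"tls_client_hello": "SSL_accept:SSLv3 read client hello",
           "tls_handshake_done": "SSL_accept:SSLv3 write finished",
           "ldap_bind": "do_bind", "ldap_search": "do_search", "ldap_unbind": "do_unbind"}
CONNID = re.compile(r"connection_get\(\d+\): got connid=(\d+)")

def analyze(trace):
    """Map connid -> {"stage": furthest milestone reached, "dropped": peer hung up}."""
    conns, cur = {}, None
    for line in trace.splitlines():
        m = CONNID.search(line)
        if m:  # slapd repeats this line on every read; keep the first record
            cur = int(m.group(1))
            conns.setdefault(cur, {"stage": "tcp_accept", "dropped": False})
        elif cur is not None:
            c = conns[cur]
            # Not faults: errno=11 (EAGAIN) is the non-blocking read finding no PDU yet, and
            # "error in SSLv3 read client certificate" is SSL_accept wanting more data.
            if "input error=" in line:  # the peer closed before slapd got a full PDU
                c["dropped"] = True
            for stage, marker in MARKERS.items():
                if marker in line and STAGES.index(stage) > STAGES.index(c["stage"]):
                    c["stage"] = stage
    return conns

def diagnose(conn):
    # Verdict from the furthest stage reached and how the connection ended.
    if conn["stage"] == "ldap_unbind":
        return "ok: bind, search and unbind all completed"
    if conn["stage"] == "tls_handshake_done" and conn["dropped"]:
        return "client hung up right after the TLS handshake: check client-side TLS verification"
    return "failed at stage " + conn["stage"]
```

Run it over the full `slapd -d` output rather than the condensed sample to get one verdict per connid.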