Re: Ambiguous SSL/TLS error messages from slapd
On 02/19/10 11:51, Howard Chu wrote:
> Brian A. Seklecki (CFI NOC) wrote:
>> Steve, I agree:
>> This error gets printed with "-1" under too many
>> conditions. Just look at:
>> libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
>> Return code (RC) -1 could happen in about a dozen places.
>> I think we need to take a two-step approach to fixing this:
>> 1) Long term, implement OpenSSL's err(3)
> What are you talking about? tlso_report_error() already prints the
> OpenSSL error messages. All OpenSSL error messages have been fully
> logged, for years.
>> 2) Short term, in servers/slapd/main.c:
>>
>>     Debug( LDAP_DEBUG_ANY,
>>         "main: TLS init def ctx failed: %d\n",
>>         rc, 0, 0 );
>>
>> We should change / append to this to clarify:
>>
>>     if ( rc < 0 )
>>         Debug( LDAP_DEBUG_ANY, "main: something has gone terribly "
>>             "wrong in creation of the SSL data structure. Check "
>>             "filesystem permissions, ownership bits, ACLs, configuration "
>>             "file paths. Resort to strace(1)/ktrace(1) "
>>             "debugging.\n", rc, 0, 0 );
>>     if ( rc > 0 )
>>         Debug( LDAP_DEBUG_ANY, "main: something has gone wrong "
>>             "in creation of the SSL socket data structure. Please "
>>             "check the OpenSSL error code above against: "
>>             "/usr/include/openssl/ssl until we err(3) support\n", rc, 0, 0 );
> Pointless, since all failures inside init_ctx already call
> tlso_report_error().
Great; however, it doesn't change the fact that no meaningful error is
being reported:
(slapd runs as the user ldap)
# chown root certs/ldap.key.pem
# ls -la certs/ldap.key.pem
-r-------- 1 root wheel 1679 Feb 19 18:29 certs/ldap.key.pem
# /usr/local/etc/rc.d/slapd start
Starting slapd.
Feb 19 18:36:45 slapd[85526]: @(#) $OpenLDAP: slapd 2.4.21 (Jan 11 2010
22:02:31) $
root@:/var/ports/usr/ports/net/openldap24-server/work/openldap-2.4.21/servers/slapd
Feb 19 18:36:45 slapd[85526]: line 33 (modulepath
/usr/local/libexec/openldap)
Feb 19 18:36:45 slapd[85526]: line 34 (moduleload back_bdb)
Feb 19 18:36:45 slapd[85526]: loaded module back_bdb
Feb 19 18:36:45 slapd[85526]: module back_bdb: null module registered
Feb 19 18:36:45 slapd[85526]: line 35 (moduleload back_ldap)
Feb 19 18:36:45 slapd[85526]: loaded module back_ldap
Feb 19 18:36:45 slapd[85526]: module back_ldap: null module registered
Feb 19 18:36:45 slapd[85526]: line 38 (disallow bind_anon)
Feb 19 18:36:45 slapd[85526]: line 59 (database bdb)
Feb 19 18:36:45 slapd[85526]: line 60 (suffix "dc=xxxxxxxx,dc=com")
Feb 19 18:36:45 slapd[85526]: line 61 (rootdn
"cn=xxx,dc=xxxxxxxx,dc=com")
Feb 19 18:36:45 slapd[85526]: line 66 (rootpw ***)
Feb 19 18:36:45 slapd[85526]: line 71 (TLSCipherSuite HIGH:MEDIUM:+SSLv2)
Feb 19 18:36:45 slapd[85526]: line 72 (TLSVerifyClient allow)
Feb 19 18:36:45 slapd[85526]: line 76 (TLSCACertificateFile
/usr/local/etc/openldap/certs/cacert.pem)
Feb 19 18:36:45 slapd[85526]: line 80 (TLSCertificateFile
/usr/local/etc/openldap/certs/ldap.crt.pem)
Feb 19 18:36:45 slapd[85526]: line 81 (TLSCertificateKeyFile
/usr/local/etc/openldap/certs/ldap.key.pem)
Feb 19 18:36:45 slapd[85526]: line 86 (directory /var/db/openldap-data)
Feb 19 18:36:45 slapd[85526]: line 89 (index
objectClass,entryCSN,entryUUID eq)
Feb 19 18:36:45 slapd[85526]: index objectClass 0x0004
Feb 19 18:36:45 slapd[85526]: index entryCSN 0x0004
Feb 19 18:36:45 slapd[85526]: index entryUUID 0x0004
Feb 19 18:36:45 slapd[85526]: main: TLS init def ctx failed: -1
Feb 19 18:36:45 slapd[85526]: slapd stopped.
Feb 19 18:36:45 slapd[85526]: connections_destroy: nothing to destroy.
# chown ldap certs/ldap.key.pem
# /usr/local/etc/rc.d/slapd start
Starting slapd.
Feb 19 18:37:49 slapd[85545]: @(#) $OpenLDAP: slapd 2.4.21 (Jan 11 2010
22:02:31) $
root@:/var/ports/usr/ports/net/openldap24-server/work/openldap-2.4.21/servers/slapd
Feb 19 18:37:49 slapd[85545]: line 33 (modulepath
/usr/local/libexec/openldap)
Feb 19 18:37:49 slapd[85545]: line 34 (moduleload back_bdb)
Feb 19 18:37:49 slapd[85545]: loaded module back_bdb
Feb 19 18:37:49 slapd[85545]: module back_bdb: null module registered
Feb 19 18:37:49 slapd[85545]: line 35 (moduleload back_ldap)
Feb 19 18:37:49 slapd[85545]: loaded module back_ldap
Feb 19 18:37:49 slapd[85545]: module back_ldap: null module registered
Feb 19 18:37:49 slapd[85545]: line 38 (disallow bind_anon)
Feb 19 18:37:49 slapd[85545]: line 59 (database bdb)
Feb 19 18:37:49 slapd[85545]: line 60 (suffix "dc=xxxxxxxx,dc=com")
Feb 19 18:37:49 slapd[85545]: line 61 (rootdn
"cn=xxx,dc=xxxxxxxx,dc=com")
Feb 19 18:37:49 slapd[85545]: line 66 (rootpw ***)
Feb 19 18:37:49 slapd[85545]: line 71 (TLSCipherSuite HIGH:MEDIUM:+SSLv2)
Feb 19 18:37:49 slapd[85545]: line 72 (TLSVerifyClient allow)
Feb 19 18:37:49 slapd[85545]: line 76 (TLSCACertificateFile
/usr/local/etc/openldap/certs/cacert.pem)
Feb 19 18:37:49 slapd[85545]: line 80 (TLSCertificateFile
/usr/local/etc/openldap/certs/ldap.crt.pem)
Feb 19 18:37:49 slapd[85545]: line 81 (TLSCertificateKeyFile
/usr/local/etc/openldap/certs/ldap.key.pem)
Feb 19 18:37:49 slapd[85545]: line 86 (directory /var/db/openldap-data)
Feb 19 18:37:49 slapd[85545]: line 89 (index
objectClass,entryCSN,entryUUID eq)
Feb 19 18:37:49 slapd[85545]: index objectClass 0x0004
Feb 19 18:37:49 slapd[85545]: index entryCSN 0x0004
Feb 19 18:37:49 slapd[85545]: index entryUUID 0x0004
Feb 19 18:37:50 slapd[85546]: bdb_db_open: "dc=xxxxxxxx,dc=com"
Feb 19 18:37:50 slapd[85546]: slapd starting
Feb 19 18:37:50 slapd[85546]: daemon: added 4r listener=0x0
Feb 19 18:37:50 slapd[85546]: daemon: added 6r listener=0x801839180
Feb 19 18:37:50 slapd[85546]: daemon: added 7r listener=0x801839240
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=6 active_threads=0
tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=7 active_threads=0
tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: activity on 1 descriptor
Feb 19 18:37:50 slapd[85546]: daemon: waked
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=6 active_threads=0
tvp=NULL
Feb 19 18:37:50 slapd[85546]: daemon: select: listen=7 active_threads=0
tvp=NULL
Any suggestions on getting these errors to actually print?
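The diagnosis the thread wants slapd to print, written as an added pre-flight check that is not part of OpenLDAP: it pulls the TLS file directives out of slapd.conf text and explains, from the DAC mode bits, why the slapd user (ldap in the post) could not open each file. Function names and the sample config are mine; POSIX ACLs are not modelled.

```python
"""Pre-flight check for the failure in the thread: slapd (running as user
"ldap") cannot open its TLSCertificateKeyFile and only logs "-1".
Constructed example, not OpenLDAP code. DAC mode bits only; no ACLs."""
import os
import stat

TLS_FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile",
                       "TLSCertificateKeyFile")


def tls_files_from_conf(conf_text):
    """Map each TLS file directive found in slapd.conf text to its path."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_FILE_DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def why_unreadable(path, uid, gid, groups=()):
    """Return None if uid/gid can read path, else a one-line explanation.
    Mirrors the kernel's DAC rule: the first matching class (owner, then
    group, then other) decides; uid 0 bypasses DAC on regular files."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return "%s: %s" % (path, exc.strerror)
    if uid == 0:
        return None
    if st.st_uid == uid:
        cls, bit = "owner", stat.S_IRUSR
    elif st.st_gid == gid or st.st_gid in groups:
        cls, bit = "group", stat.S_IRGRP
    else:
        cls, bit = "other", stat.S_IROTH
    if st.st_mode & bit:
        return None
    return "%s: mode %s, owner uid %d gid %d; uid %d is '%s' and has no read bit" % (
        path, stat.filemode(st.st_mode), st.st_uid, st.st_gid, uid, cls)


def check_slapd_tls_files(conf_text, uid, gid, groups=()):
    """One problem line per TLS file slapd could not open; empty list = OK."""
    problems = []
    for directive, path in tls_files_from_conf(conf_text).items():
        msg = why_unreadable(path, uid, gid, groups)
        if msg is not None:
            problems.append("%s %s" % (directive, msg))
    return problems
```

Run it as root before `rc.d/slapd start` with the uid/gid of the ldap user; a non-empty list is the message the "-1" was hiding.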