[Bug 420277] [NEW] ldap tls refusing to initialize

PeterNSteinmetz ndoc2 at steinmetz.org
Fri Aug 28 03:38:46 BST 2009


Public bug reported:

Binary package hint: libldap-2.4-2

Trying to run a slapd server in Ubuntu 9.04, generally following the
docs at: https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html.

It works fine until I try to use certificates as per the section TLS
and SSL on that page.

Then, if I try to start it using /etc/init.d/slapd, it tells me to start it using the debugging flags. If I then do so with the command:
sudo slapd -d -1 -h 'ldap:/// ldapi:/// ldaps:///' -g openldap -u openldap -F /etc/ldap/slapd.d/

At the end of copious output is:

main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.

This is with entries in /etc/ldap/slapd.d/cn=config.ldif like:

olcTLSCACertificateFile: /home/peter/CA/server-ca-cert.pem
olcTLSCertificateFile: /home/peter/CA/server-gnutls-cert.pem
olcTLSCertificateKeyFile: /home/peter/CA/server-gnutls-key.pem

If these entries are commented out, the server will start and work.

This occurs with a private key and certificate generated using both
openssl and with the gnutls certtool.

Dependencies for slapd are:

ldd -v $(which slapd)
        linux-gate.so.1 =>  (0xb7de2000)
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7d97000)
        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7d89000)
        libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb7c34000)
        libodbc.so.1 => /usr/lib/libodbc.so.1 (0xb7bcd000)
        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7bb4000)
        libslp.so.1 => /usr/lib/libslp.so.1 (0xb7ba4000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7b8b000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7b73000)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7ad5000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0xb7ac3000)
        libz.so.1 => /lib/libz.so.1 (0xb7aad000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0xb7a44000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7a12000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb79fb000)
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb79f2000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb79ee000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb79e5000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7882000)
        /lib/ld-linux.so.2 (0xb7de3000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0xb787e000)

Related packages installed:
gnutls-bin 2.4.2-6ubuntu0.1 gnutls26 install ok installed
gnutls-doc 2.4.2-6ubuntu0.1 gnutls26 install ok installed
ldap-utils 2.4.15-1ubuntu3 openldap install ok installed
libcurl3-gnutls 7.18.2-8ubuntu4.1 curl install ok installed
libgnutls26 2.4.2-6ubuntu0.1 gnutls26 install ok installed
libldap-2.4-2 2.4.15-1ubuntu3 openldap install ok installed
slapd 2.4.15-1ubuntu3 openldap install ok installed

It doesn't seem like this could be a problem with V1 certificates, since both the CA cert and the server cert have X.509 Certificate Information: Version: 3 (cf. https://bugs.launchpad.net/bugs/305264).
Additionally they have Signature Algorithm: RSA-SHA.

I wonder if it is related to a cipher suite specification, given
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541256. Though I tried
setting 'olcTLSCipherSuite: +AES-256-CBC:+SHA1' in the cn=config.ldif
file, to no avail.

I don't know how to get the more detailed information from TLS, I only
see the 'main: TLS init def ctx failed: -1' line.

Is this another issue with the gnutls specifications? Or just something
missing in the docs there for jaunty. Strikes me as a fairly important
issue for ubuntu server.

Peter

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: ldap tls

-- 
ldap tls refusing to initialize
https://bugs.launchpad.net/bugs/420277
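An added readability check (not part of the bug report above, and not OpenLDAP code): slapd is started here with -u openldap, so once it drops privileges it has to be able to open the three files under /home/peter/CA as that account. The script below pulls every olcTLS*File path out of a cn=config.ldif and reports, for each, whether it is missing or not provably readable by the slapd user, judged from ownership and mode bits alone. A cert or key the unprivileged slapd cannot open is one common reason the TLS context fails to initialise; the script does not diagnose other causes. Paths without whitespace, unfolded LDIF lines and the account name openldap are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the OpenLDAP project): check that
# every file named by an olcTLS*File attribute in a cn=config.ldif exists and
# is readable by the account slapd switches to (the -u openldap in the report).
#
# Assumptions: paths contain no whitespace and LDIF lines are not folded.
# Readability is judged from ownership and mode bits only; a file that is
# readable via its group is reported as CHECK because the target user's group
# membership is not resolved here.

# check_tls_files CONFIG_LDIF USER
# Prints one status line per referenced file; returns 1 if any file is
# missing or not provably readable by USER, 0 if all are, 2 if CONFIG_LDIF
# itself cannot be read.
check_tls_files() {
    cfg="$1"; user="$2"; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for path in $(sed -n 's/^olcTLS[A-Za-z]*File: *//p' "$cfg"); do
        if [ ! -f "$path" ]; then
            echo "MISSING $path (no regular file at that path)"; rc=1; continue
        fi
        # POSIX ls -l fields: mode, links, owner, group, size, ... (-L follows symlinks)
        set -- $(ls -ldL "$path")
        mode=$1; owner=$3; group=$4
        if [ "$owner" = "$user" ]; then
            case "$mode" in
                ?r*) echo "OK      $path (owned by $user)" ;;
                *)   echo "NOREAD  $path (owned by $user, owner read bit unset)"; rc=1 ;;
            esac
        else
            case "$mode" in
                ???????r*) echo "OK      $path (world-readable, owner $owner)" ;;
                ????r*)    echo "CHECK   $path (readable only via group $group; confirm $user is a member)"; rc=1 ;;
                *)         echo "NOREAD  $path (owner $owner, mode $mode, not readable by $user)"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Usage: sh tlscheck.sh /etc/ldap/slapd.d/cn=config.ldif openldap
if [ $# -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

Two caveats when reading the output: the script inspects the file's own bits only, and a home directory such as /home/peter is commonly mode 700, which blocks the openldap user from reaching a world-readable file beneath it; and a readable pair can still fail if the key does not belong to the certificate, which you can confirm by comparing `openssl x509 -noout -modulus -in server-gnutls-cert.pem | openssl md5` with `openssl rsa -noout -modulus -in server-gnutls-key.pem | openssl md5`.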