[Bug 420277] Re: ldap tls refusing to initialize

PeterNSteinmetz ndoc2 at steinmetz.org
Sat Sep 12 04:24:16 BST 2009


Playing around with the source today and debugging slapd with gdb.

It appears that much of the pain here is in tls_g.c, the wrappers for
gnutls. The function tlsg_ctx_init in particular. This is where, at
least for my configuration, most of the failures are occurring. And the
code in this function often makes a call onto a gnutls function, as in:

	if (lo->ldo_tls_cacertfile != NULL) {
		rc = gnutls_certificate_set_x509_trust_file( 
			ctx->cred,
			lt->lt_cacertfile,
			GNUTLS_X509_FMT_PEM );
		if ( rc < 0 ) return -1;
	}

and doesn't really do anything with the return code. There are 3 places
in tlsg_ctx_init where this occurs with no logging of what the actual
error code was. It just returns -1, rather than a more specific error
code. Upshot is that we simply get a -1 error code in the log with no
further advice on the specific problem.

The code in tls_o.c for this function and others seems better developed
and reports more useful error codes.

With a self-signed certificate, and setting only olcTLSCertificateFile and
olcTLSCertificateKeyFile, the server works and does answer properly when
trying with a command on another machine like:

openssl s_client -connect <ldapServerIP>:636 -showcerts

If olcTLSCACertificateFile is set to the self-signed certificate, slapd
fails to initialize TLS.

I suspect most of the problems being reported are due to configuration
issues, like those reported by Christian R. Without better error output,
it is very difficult to figure these out.

Now I'd be delighted to try and add more debugging and produce a patch;
however, perhaps I can get a bit of help with the packaging?

I've been able to get the source with 'apt-get source libldap-2.4-2',
and go in and change the debian/configure.options, followed by a 'debchange
-i' and 'debuild -us -uc -i -I', then a 'sudo debi', and get a version
with debugging symbols installed.

What has been eluding me (after reading the HOWTO and several other
tutorials) is how to get changes in the source to build into the
package properly when installed and how to get other Debug statements to
work (though perhaps that is just because the packaging isn't working
right, since the machine language statements in the debugger don't agree
with the source listed in gdb, ouch). With a -nc option on debuild it
builds, but likely isn't actually including the changes. Without the
-nc, it complains about the upstream patches not being able to be
applied.

Hopefully someone can point me to the correct descriptions or give me
some help on this one.

Of course, a fixed up package with better error output from one of the
openldap gurus would be most welcome!

thanks,
Peter

-- 
ldap tls refusing to initialize
https://bugs.launchpad.net/bugs/420277
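Added example, not OpenLDAP's or Ubuntu's code: a pre-flight check of the three files the post names, reporting per file why it would fail (unreadable path, or no PEM armour line although the gnutls calls use GNUTLS_X509_FMT_PEM) instead of the bare -1 that tlsg_ctx_init returns. The directive names are from the post; the function names, result codes and the sample files written to /tmp are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { TLSF_OK = 0, TLSF_OPEN = 1, TLSF_NOT_PEM = 2 };   /* this example's own codes */
static char tls_err[256];                               /* last diagnostic, human readable */
const char *tls_last_error(void) { return tls_err; }

/* Check one configured path: it must open, and must carry a PEM armour line,
 * since the gnutls_*_file() calls are made with GNUTLS_X509_FMT_PEM. */
static int check_pem_file(const char *directive, const char *path)
{
    char line[256];
    FILE *fp = fopen(path, "r");
    if (fp == NULL) {                                   /* the detail a bare -1 throws away */
        snprintf(tls_err, sizeof tls_err, "%s: cannot open %s: %s", directive, path, strerror(errno));
        return TLSF_OPEN;
    }
    while (fgets(line, sizeof line, fp) != NULL) {
        if (strncmp(line, "-----BEGIN ", 11) == 0) {
            fclose(fp);
            snprintf(tls_err, sizeof tls_err, "%s: %s ok", directive, path);
            return TLSF_OK;
        }
    }
    fclose(fp);
    snprintf(tls_err, sizeof tls_err, "%s: %s has no PEM header", directive, path);
    return TLSF_NOT_PEM;
}

/* Walk the three directives; a NULL cacert means olcTLSCACertificateFile is not set.
 * Returns 0, or the code of the first failing file, with tls_last_error() naming it. */
int check_tls_config(const char *cacert, const char *cert, const char *key)
{
    int rc;
    if (cacert != NULL && (rc = check_pem_file("olcTLSCACertificateFile", cacert)) != TLSF_OK)
        return rc;
    if ((rc = check_pem_file("olcTLSCertificateFile", cert)) != TLSF_OK)
        return rc;
    return check_pem_file("olcTLSCertificateKeyFile", key);
}

int write_file(const char *path, const char *content)  /* writes constructed sample files */
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs(content, fp);
    return fclose(fp);
}
```

Run it against the paths from your cn=config before restarting slapd; a non-zero result plus tls_last_error() tells you which directive to look at.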