[ale] TLS suddenly stops working with slapd
John Heim
john at johnheim.net
Fri Dec 9 11:44:03 EST 2011
It turned out being this line in my slapd.conf:
TLSVerifyClient allow
I commented it ount and now it works again. But I am absolutely certain that
I didn't change that setting yesterday. I checked the modification date on
the file and it was December 5.
----- Original Message -----
From: "Jim Kinney" <jim.kinney at gmail.com>
To: "Atlanta Linux Enthusiasts" <ale at ale.org>
Sent: Thursday, December 08, 2011 8:41 PM
Subject: Re: [ale] TLS suddenly stops working with slapd
> Run tcpdump on the connection. It sounds like the handshake failed but you
> need more data to verify.
> On Dec 8, 2011 8:21 PM, "John Heim" <john at johnheim.net> wrote:
>
>> Hi,
>> I have an openldap server that suddenly stopped accepting TLS
>> connections.
>> One minute, I could do an ldapsearch against it with TLS and the next I
>> couldn't. I was trying to write an update script at the time. But could a
>> corrupt database calse TLS to fail?
>>
>> ldapsearch -x -ZZ -H ldap://hubble.example.com "uid=jheim"
>>
>> That command hangs. Does not exit. And the logs say "TLS negotiation
>> failure". But it used to work. If there is something wrong with my cert,
>> why
>> did it used to work? I even rebooted the ldap server, no joy.
>>
>> === before ---
>> Dec 8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from
>> IP=144.92.166.12:41021 (IP=0.0.0.0:389)
>> Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT
>> oid=1.3.6.1.4.1.1466.20037
>> Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS
>> Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0
>> text=
>> Dec 8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established
>> tls_ssf=128 ssf=128
>> Dec 8 13:43:06 hubble slapd[28456]: conn=45701 op=1 BIND
>> dn="cn=root,ou=ldapusers,dc=math,dc=wisc,dc=edu" method=128
>>
>> === After ===
>> Dec 8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from
>> IP=144.92.166.12:37619 (IP=0.0.0.0:389)
>> Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT
>> oid=1.3.6.1.4.1.1466.20037
>> Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS
>> Dec 8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0
>> text=
>> Dec 8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS
>> negotiation
>> failure)
>>
>>
>> root at hubble:~/tmp# dpkg -p slapd
>> Package: slapd
>> Priority: optional
>> Section: net
>> Installed-Size: 4092
>> Maintainer: Debian OpenLDAP Maintainers
>> <pkg-openldap-devel at lists.alioth.debian.
>> org>
>> Architecture: amd64
>> Source: openldap
>> Version: 2.4.25-3
>> Replaces: ldap-utils (<< 2.2.23-3), libldap2
>> Provides: ldap-server, libslapi-2.4-2
>> Depends: libc6 (>= 2.12), libdb5.1, libgcrypt11 (>= 1.4.6), libgnutls26
>> (>=
>> 2.12
>> .6.1-0), libldap-2.4-2 (= 2.4.25-3), libltdl7 (>= 2.4), libperl5.12 (>=
>> 5.12.4),
>> libsasl2-2, libslp1, libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11),
>> coreutils
>> (>=
>> 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser,
>> lsb-base
>> (>= 3
>> .2-13), libdb4.8 (>= 4.8.30)
>> Pre-Depends: debconf (>= 0.5) | debconf-2.0, multiarch-support
>> Recommends: libsasl2-modules
>> Suggests: ldap-utils
>> Conflicts: ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd
>> Size: 1643524
>> Description: OpenLDAP server (slapd)
>> This is the OpenLDAP (Lightweight Directory Access Protocol) server
>> (slapd). The server can be used to provide a standalone directory
>> service.
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
--------------------------------------------------------------------------------
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
More information about the Ale
mailing list