Subject: slapd hangs on ldaps / tls request
Package: slapd
Version: 2.1.30-3
Severity: grave
Justification: renders package unusable
Hi,
I've configured slapd to run as non-root user. I've generated a CA
certificate and a certificate for my server.
If I don't use TLS (ldaps) I can query the server and receive the
correct information.
When I query the server using TLS, the slapd service hangs and can only
be stopped using kill -9.
On the client I get the following debug information:
[root@mannochmore openldap]# ldapsearch -x -ZZ -h cerebro.esat.kuleuven.be -d 256 -b dc=esat,dc=kuleuven,dc=be
request 1 done
and no further output.
On the server I get:
cerebro:/var/lib# /usr/sbin/slapd -h "ldap:/// ldaps:///" -g ldap -u ldap -d 256
bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
bdb_db_init: Initializing BDB database
slapd starting
conn=0 fd=12 ACCEPT from IP=10.33.138.9:42084 (IP=0.0.0.0:389)
After receiving a request using TLS/SSL the server stops responding. The
server works fine as long as it doesn't receive a request using TLS/SSL.
I use the bdb backend.
Some relevant items from my slapd.conf:
reverse-lookup on
schemacheck on
sizelimit unlimited
# Ciphers to allow
TLSCipherSuite HIGH:MEDIUM:+SSLv2
# Location of the LDAP server certificate
TLSCertificateFile /etc/ldap/certs/cerebro.crt
TLSCertificateKeyFile /etc/ldap/certs/cerebro.key
# The certificate authority file
TLSCACertificateFile /etc/ldap/certs/CA.crt
# Do we ask/verify client certificates?
# See the man page for possible options
TLSVerifyClient Allow
access to attribute=userPassword
        by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=be" write
        by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=be" read
        by ssf=112 anonymous auth
        by ssf=112 self write
        by * none
# Admin has full write access,
# others have read access
access to *
        by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=ac,dc=be" write
        by domain=".*\.esat\.kuleuven\.ac\.be$" read
        by domain=".*\.esat\.kuleuven\.be$" read
        by * none
First I copied the certificates from a RH server but after regenerating
all certificates the problem persists.
My /etc/default/slapd settings:
SLAPD_CONF=
SLAPD_USER=ldap
SLAPD_GROUP=ldap
SLAPD_PIDFILE=
SLURPD_START=auto
SLAPD_SERVICES="ldap:/// ldaps:///"
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
All directories and files are readable/writable by the ldap user.
Greetings,
Rik
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages slapd depends on:
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
ii debconf 1.4.30.10 Debian configuration management sy
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an
ii libdb4.2 4.2.52-17 Berkeley v4.2 Database Libraries [
ii libgcrypt11 1.2.0-4 LGPL Crypto library - runtime libr
ii libgnutls11 1.0.16-9 GNU TLS library - runtime library
ii libgpg-error0 1.0-1 library for common error values an
ii libiodbc2 3.52.1-2 iODBC Driver Manager
ii libldap2 2.1.30-3 OpenLDAP libraries
ii libltdl3 1.5.6-3 A system independent dlopen wrappe
ii libsasl2 2.1.19-1.5 Authentication abstraction library
ii libslp1 1.0.11-7 OpenSLP libraries
ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers libra
ii perl [libmime-base64-perl] 5.8.4-3 Larry Wall's Practical Extraction
ii psmisc 21.5-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.2-3 compression library - runtime
-- debconf information excluded
--
Rik Theys
KU Leuven - Dept. ESAT
Kasteelpark Arenberg 10
B-3001 LEUVEN - HEVERLEE
Tel.: +32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>
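The report quotes the TLS directives and the ssf-gated ACLs from slapd.conf. The following is an added example, not part of the bug report or of the slapd package: a small Python lint that reads a slapd.conf fragment (joining continuation lines the way slapd does), and flags the things a reviewer checks before exposing an ldaps listener: weak tokens in TLSCipherSuite, a TLSVerifyClient mode that requests but does not enforce client certificates, missing certificate/key directives, and ACL clauses that grant more than "none" without an ssf floor. The sample configuration, the example.org DNs, the weak-token list and the ssf threshold of 112 are assumptions chosen for the example; it says nothing about the hang itself.

```python
"""Lint a slapd.conf-style TLS/ACL fragment for settings worth reviewing
before enabling ldaps or StartTLS.  Added example, not from the report."""
import re
from typing import Dict, List, Tuple

# Cipher-suite tokens a reviewer would not want enabled (assumption: this
# list is illustrative, not exhaustive).
WEAK_CIPHER_TOKENS = {"SSLV2", "SSLV3", "NULL", "ANULL", "ENULL",
                      "EXPORT", "LOW", "RC4", "MD5", "DES"}
MIN_SSF = 112  # assumed floor, mirroring the ssf=112 used in the report's ACLs

# Constructed sample modelled on the directives quoted in the report,
# with example.org DNs instead of the reporter's.
SAMPLE_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/certs/server.crt
TLSCertificateKeyFile /etc/ldap/certs/server.key
TLSCACertificateFile /etc/ldap/certs/CA.crt
TLSVerifyClient Allow
access to attribute=userPassword
        by ssf=112 dn="cn=admin,ou=DSA,dc=example,dc=org" write
        by ssf=112 anonymous auth
        by ssf=112 self write
        by * none
access to *
        by ssf=112 dn="cn=admin,ou=DSA,dc=example,dc=org" write
        by domain=".*\\.example\\.org$" read
        by * none
"""


def logical_lines(text: str) -> List[str]:
    """Drop blanks/comments and join continuation lines (leading whitespace)
    onto the preceding directive, as slapd.conf parsing does."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_conf(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return TLS* directives as a dict and each 'access to' rule with its
    'by' clauses (who, parsed ssf, granted level)."""
    tls: Dict[str, str] = {}
    acls: List[dict] = []
    for line in logical_lines(text):
        key, _, rest = line.partition(" ")
        if key.lower().startswith("tls"):
            tls[key] = rest.strip()
        elif key.lower() == "access":
            parts = re.split(r"\s+by\s+", rest.strip())
            target = parts[0]
            if target.lower().startswith("to "):
                target = target[3:].strip()
            clauses = []
            for clause in parts[1:]:
                m = re.search(r"\bssf=(\d+)", clause)
                clauses.append({"who": clause,
                                "ssf": int(m.group(1)) if m else 0,
                                "level": clause.split()[-1]})
            acls.append({"target": target, "by": clauses})
    return tls, acls


def lint(text: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    tls, acls = parse_conf(text)
    findings: List[str] = []

    for tok in tls.get("TLSCipherSuite", "").split(":"):
        t = tok.strip()
        if not t or t[0] in "!-":
            continue  # explicitly excluded token, not a problem
        if t.lstrip("+").upper() in WEAK_CIPHER_TOKENS:
            findings.append(f"TLSCipherSuite enables weak token {t}")

    mode = tls.get("TLSVerifyClient", "never").lower()
    if mode in ("allow", "try"):
        findings.append(f"TLSVerifyClient {mode}: client certificates are "
                        "requested, but a missing or bad one does not end the session")

    for k in ("TLSCertificateFile", "TLSCertificateKeyFile"):
        if k not in tls:
            findings.append(f"{k} missing: the ldaps listener cannot serve TLS")

    for acl in acls:
        for c in acl["by"]:
            if c["level"] == "none":
                continue
            if c["ssf"] < MIN_SSF:
                findings.append(f"access to {acl['target']}: '{c['who']}' grants "
                                f"{c['level']} without ssf>={MIN_SSF}")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print("-", f)
```

Run against the constructed sample it reports the `+SSLv2` token, the `Allow` verification mode, and the unencrypted `domain=... read` clause on `access to *`, while the fully ssf-gated `userPassword` rule passes. Feed it a real slapd.conf (after checking the ssf floor matches the site policy) to get the same review automatically.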