Your message dated Sun, 5 Dec 2004 15:58:58 +0700
with message-id <20041205085858.GA19924@xxxxxxxxxx>
and subject line slapd hangs on ldaps / tls request
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Message-ID: <41AB42BF.7090107@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 29 Nov 2004 16:39:43 +0100
From: Rik Theys <rik.theys@xxxxxxxxxxxxxxxxxxx>
Organization: K.U. Leuven - ESAT
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041020
X-Accept-Language: Dutch/Belgium [nl-BE],Dutch [nl],en
MIME-Version: 1.0
To: "Debian Bug Tracking System" <submit@xxxxxxxxxxxxxxx>
Cc: rik.theys@xxxxxxxxxxxxxxxxxxx
Subject: slapd hangs on ldaps / tls request
Subject: slapd hangs on ldaps / tls request
Package: slapd
Version: 2.1.30-3
Severity: grave
Justification: renders package unusable
Hi,
I've configured slapd to run as non-root user. I've generated a CA
certificate and a certificate for my server.
If I don't use TLS (ldaps) I can query the server and receive the
correct information.
When I query the server using TLS, the slapd service hangs and can only
be stopped using kill -9.
On the client I get the following debug information:
[root@mannochmore openldap]# ldapsearch -x -ZZ -h cerebro.esat.kuleuven.be -d 256 -b dc=esat,dc=kuleuven,dc=be
request 1 done
and no further output.
On the server I get:
cerebro:/var/lib# /usr/sbin/slapd -h "ldap:/// ldaps:///" -g ldap -u ldap -d 256
bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
bdb_db_init: Initializing BDB database
slapd starting
conn=0 fd=12 ACCEPT from IP=10.33.138.9:42084 (IP=0.0.0.0:389)
After receiving a request using TLS/SSL the server stops responding. The
server works fine as long as it doesn't receive a request using TLS/SSL.
I use the bdb backend.
Some relevant items from my slapd.conf:
reverse-lookup on
schemacheck on
sizelimit unlimited
# Ciphers to allow
TLSCipherSuite HIGH:MEDIUM:+SSLv2
# Location of the LDAP server certificate
TLSCertificateFile /etc/ldap/certs/cerebro.crt
TLSCertificateKeyFile /etc/ldap/certs/cerebro.key
# The certificate authority file
TLSCACertificateFile /etc/ldap/certs/CA.crt
# Do we ask/verify client certificates?
# See the man page for possible options
TLSVerifyClient Allow
access to attribute=userPassword
    by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=be" write
    by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=be" read
    by ssf=112 anonymous auth
    by ssf=112 self write
    by * none
# Admin has full write access,
# others have read access
access to *
    by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=ac,dc=be" write
    by domain=".*\.esat\.kuleuven\.ac\.be$" read
    by domain=".*\.esat\.kuleuven\.be$" read
    by * none
First I copied the certificates from a RH server but after regenerating
all certificates the problem persists.
My /etc/default/slapd settings:
SLAPD_CONF=
SLAPD_USER=ldap
SLAPD_GROUP=ldap
SLAPD_PIDFILE=
SLURPD_START=auto
SLAPD_SERVICES="ldap:/// ldaps:///"
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
All directories and files are readable/writable by the ldap user.
Greetings,
Rik
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages slapd depends on:
ii  coreutils [fileutils]        5.2.1-2       The GNU core utilities
ii  debconf                      1.4.30.10     Debian configuration management sy
ii  libc6                        2.3.2.ds1-18  GNU C Library: Shared libraries an
ii  libdb4.2                     4.2.52-17     Berkeley v4.2 Database Libraries [
ii  libgcrypt11                  1.2.0-4       LGPL Crypto library - runtime libr
ii  libgnutls11                  1.0.16-9      GNU TLS library - runtime library
ii  libgpg-error0                1.0-1         library for common error values an
ii  libiodbc2                    3.52.1-2      iODBC Driver Manager
ii  libldap2                     2.1.30-3      OpenLDAP libraries
ii  libltdl3                     1.5.6-3       A system independent dlopen wrappe
ii  libsasl2                     2.1.19-1.5    Authentication abstraction library
ii  libslp1                      1.0.11-7      OpenSLP libraries
ii  libwrap0                     7.6.dbs-6     Wietse Venema's TCP wrappers libra
ii  perl [libmime-base64-perl]   5.8.4-3       Larry Wall's Practical Extraction
ii  psmisc                       21.5-1        Utilities that use the proc filesy
ii  zlib1g                       1:1.2.2-3     compression library - runtime
-- debconf information excluded
--
Rik Theys
KU Leuven - Dept. ESAT
Kasteelpark Arenberg 10
B-3001 LEUVEN - HEVERLEE
Tel.: +32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>
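The slapd.conf excerpt in the report above can be reviewed mechanically for a few TLS and ACL points. This is an added example, not part of the original report and not OpenLDAP code; the function name `review` and the finding labels are made up for illustration, and none of the findings is claimed to be the cause of the reported hang.

```python
import re

# Constructed sample: directives copied from the slapd.conf excerpt in the report.
SAMPLE_CONF = r"""TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient Allow
access to attribute=userPassword
    by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=be" write
    by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=be" read
    by ssf=112 anonymous auth
    by ssf=112 self write
    by * none
access to *
    by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=ac,dc=be" write
    by domain=".*\.esat\.kuleuven\.ac\.be$" read
    by domain=".*\.esat\.kuleuven\.be$" read
    by * none
"""

def review(conf):
    """Return (line_number, label) findings for a slapd.conf excerpt."""
    findings, seen, dn_by_rdn = [], set(), {}
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, rest = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "tlsciphersuite":
            # In an OpenSSL cipher string "+X" only moves X to the end of the
            # list; X stays enabled unless it is removed with "-X" or "!X".
            if any("sslv2" in t.lower() and t[0] not in "-!" for t in rest.split(":")):
                findings.append((n, "sslv2-not-excluded"))
        elif key == "tlsverifyclient" and rest.lower() in ("never", "allow"):
            findings.append((n, "client-cert-not-required"))
        elif key == "access":
            seen = set()  # each access rule is evaluated on its own
        elif key == "by":
            who = rest.rpartition(" ")[0]
            if who in seen:  # first matching <who> wins, so a repeat never applies
                findings.append((n, "unreachable-by-clause"))
            seen.add(who)
            m = re.search(r'dn="([^"]+)"', who)
            if m:
                dn = m.group(1).lower()
                first = dn_by_rdn.setdefault(dn.split(",")[0], dn)
                if first != dn:  # same leading RDN, different suffix
                    findings.append((n, "admin-dn-mismatch"))
    return findings

if __name__ == "__main__":
    for lineno, label in review(SAMPLE_CONF):
        print(lineno, label)
```

Line numbers in the findings refer to the constructed sample, not to the reporter's full slapd.conf.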
---------------------------------------
Date: Sun, 5 Dec 2004 15:58:58 +0700
From: Jean Christophe ANDRÉ <jean-christophe.andre@xxxxxxx>
To: 283511-done@xxxxxxxxxxxxxxx
Subject: Re: slapd hangs on ldaps / tls request
Message-ID: <20041205085858.GA19924@xxxxxxxxxx>
In-Reply-To: <200411292042.48018.Rik.Theys@xxxxxxxxxxxxxxxxxxx>
Organization: Agence universitaire de la Francophonie / Bureau Asie-Pacifique
X-Operating-System: Debian GNU/Linux "Unstable" Kernel 2.6.9-1-686
X-PGP-Key-Fingerprint: B5ED E67B 838D 50CD A122 1716 735B 0443 2B7A DF77
X-PGP-Key-ID: 0x2B7ADF77
User-Agent: Mutt/1.5.6+20040907i
Closed on user request.
Rik, please, next time do it yourself. :-)
See procedure here: http://www.debian.org/Bugs/Developer#closing
--
J.C. ANDRÉ <jean-christophe.andre@xxxxxxx>
asie-pacifique.auf.org
Regional technical manager / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108 Fax: +84 4 8247383 Mobile: +84 91 3248747
Personal note: please avoid sending me PowerPoint or Word files; see http://www.fsf.org/philosophy/no-word-attachments.fr.html