Ubuntu
openldap2.3 package

dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64 - openldap user not in ssl-cert group

Bug #227744 reported by Nick Moffitt
16
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Won't Fix
Low
Unassigned
Hardy
Invalid
Undecided
Unassigned
openldap2.3 (Debian)
Fix Released
Unknown
openldap2.3 (Ubuntu)
Invalid
Low
Unassigned
Hardy
Won't Fix
Undecided
Unassigned

Bug Description

We ran a slapd on Dapper for a long time, and it relied on an SSL cert that we made root-owned 0400 for reasons of our own internal security. Apache happily opens these certs as root and passes the file descriptor along for after it drops privilege to the www-data user. The default install of slapd on Hardy silently refuses to start when we point it at these certificates.

On Dapper, we ran slapd as root, and things worked reasonably well. The Hardy upgrade reconfigured slapd to run as the "openldap" user, which was unable to read the certificates we have.

The problem with this is that there was no indication in the logs or the init script output that this was the reason it would not start. Forcing us to pore through the copious output of the debug mode is a little unreasonable for such a straightforward error condition.

Tags: dapper2hardy
Bug Watch Updater (bug-watch-updater)
Changed in openldap2.3:
status: Unknown → Confirmed
Revision history for this message
Mathias Gug (mathiaz) wrote :

The error message is indeed cryptic:

  main: TLS init def ctx failed: -64

Changed in openldap2.3:
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Daniel Betschart (dbet1) wrote : Re: dapper upgrade to hardy: openldap silently refuses to start when unable to open SSL certificates - main: TLS init def ctx failed: -64

Same problem here. I had to recreate the certificates. But not only for openldap, I had to recreate my CA certificate. This means I had to recreate all my server certificates. Not very nice.

Revision history for this message
Morten Siebuhr (msiebuhr) wrote :

Another small problem with it; the AppArmor profile allows reading from /etc/ssl/certs/* and /etc/ssl/private/* - but because of this bug, you have to put the cert elsewhere, forcing one to break the AppArmor profile.

As a temporary solution, the installer could add /etc/ldap/private/, owned by openldap:openldap and modify AppArmor to allow slapd to read from that directory?

Revision history for this message
Christian Hudon (chrish) wrote :

A solution I found is simply to add openldap user to the ssl-cert group, which is the group that is allowed to read certificate key files under /etc/ssl/private, at least in a default hardy install.

Revision history for this message
Mathias Gug (mathiaz) wrote :

The postinst script should check on upgrade from dapper if TLS is used and if so, add the openldap user to the ssl-cert group.

Nominating for Hardy.

Changed in openldap2.3:
status: New → Triaged
Revision history for this message
Mathias Gug (mathiaz) wrote :

Marking invalid for openldap2.3 in intrepid.

Changed in openldap2.3:
status: Triaged → Invalid
Revision history for this message
Mathias Gug (mathiaz) wrote :

The error message should be improved.

Changed in openldap:
importance: Undecided → Low
status: New → Triaged
status: New → Invalid
Revision history for this message
beniwtv (beniwtv-deactivatedaccount) wrote :

I'm running into the same problem on a fresh Hardy server.

However, I see that /etc/ssl/private is owned by root, and no ssl-cert group exists. This is Hardy 8.04.2.

Any thoughts?

Revision history for this message
Mathias Gug (mathiaz) wrote :

Marking won't fix in the development release. This is an issue related to upgrades from dapper to hardy.

Adding the openldap to the ssl-cert group by default is not an option.

Changed in openldap:
status: Triaged → Won't Fix
Revision history for this message
Mark Foster (fostermarkd) wrote :

> Adding the openldap to the ssl-cert group by default is not an option
Please explain why.
Is it a technical reason or a policy reason?
Thanks.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

It is not a good idea to add the user by default because not all openldap installations require it. If the user were added to the group by default, the openldap user could end up with access to highly sensitive data when it doesn't even need it for itself, possibly without the admin knowing about it. That said, the error message should be more clear IMHO, and possibly detected during upgrade.

Clint Byrum (clint-fewbar)
tags: added: dapper2hardy
Revision history for this message
Rolf Leggewie (r0lf) wrote :

Hardy has seen the end of its life and is no longer receiving any updates. Marking the Hardy task for this ticket as "Won't Fix".

Changed in openldap2.3 (Ubuntu Hardy):
status: Triaged → Won't Fix
Bug Watch Updater (bug-watch-updater)
Changed in openldap2.3 (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.