slapd hangs on ldaps / tls request

Bug #10775 reported by Debian Bug Importer
Affects               Status        Importance  Assigned to  Milestone
openldap2.2 (Debian)  Fix Released  Unknown
openldap2.2 (Ubuntu)  Invalid       High        Unassigned

Bug Description

Automatically imported from Debian bug report #283511 http://bugs.debian.org/283511

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #283511 http://bugs.debian.org/283511

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 29 Nov 2004 16:39:43 +0100
From: Rik Theys <email address hidden>
To: "Debian Bug Tracking System" <email address hidden>
Cc: <email address hidden>
Subject: slapd hangs on ldaps / tls request

Subject: slapd hangs on ldaps / tls request
Package: slapd
Version: 2.1.30-3
Severity: grave
Justification: renders package unusable

Hi,

I've configured slapd to run as non-root user. I've generated a CA
certificate and a certificate for my server.

If I don't use TLS (ldaps) I can query the server and receive the
correct information.

When I query the server using TLS, the slapd service hangs and can only
be stopped using kill -9.

On the client I get the following debug information:

[root@mannochmore openldap]# ldapsearch -x -ZZ -h cerebro.esat.kuleuven.be -d 256 -b dc=esat,dc=kuleuven,dc=be
request 1 done

and no further output.

On the server I get:

cerebro:/var/lib# /usr/sbin/slapd -h "ldap:/// ldaps:///" -g ldap -u ldap -d 256
bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
bdb_db_init: Initializing BDB database
slapd starting
conn=0 fd=12 ACCEPT from IP=10.33.138.9:42084 (IP=0.0.0.0:389)

After receiving a request using TLS/SSL the server stops responding. The
server works fine as long as it doesn't receive a request using TLS/SSL.

I use the bdb backend.
Some relevant items from my slapd.conf:

reverse-lookup on
schemacheck on
sizelimit unlimited

# Ciphers to allow
TLSCipherSuite HIGH:MEDIUM:+SSLv2

# Location of the LDAP server certificate
TLSCertificateFile /etc/ldap/certs/cerebro.crt
TLSCertificateKeyFile /etc/ldap/certs/cerebro.key

# The certificate authority file
TLSCACertificateFile /etc/ldap/certs/CA.crt

# Do we ask/verify client certificates?
# See the man page for possible options
TLSVerifyClient Allow

access to attribute=userPassword
         by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=be" write
         by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=be" read
         by ssf=112 anonymous auth
         by ssf=112 self write
         by * none

# Admin has full write access,
# others have read access
access to *
         by ssf=112 dn="cn=admin,ou=DSA,dc=esat,dc=kuleuven,dc=ac,dc=be"
         write
         by domain=".*\.esat\.kuleuven\.ac\.be$" read
         by domain=".*\.esat\.kuleuven\.be$" read
         by * none

First I copied the certificates from a RH server but after regenerating
all certificates the problem persists.

My /etc/default/slapd settings:

SLAPD_CONF=
SLAPD_USER=ldap
SLAPD_GROUP=ldap
SLAPD_PIDFILE=
SLURPD_START=auto
SLAPD_SERVICES="ldap:/// ldaps:///"
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""

All directories and files are readable/writable by the ldap user.

Greetings,

Rik

-- System Information:
Debian Release: 3.1
   APT prefers testing
   APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages slapd depends on:
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
ii debconf 1.4.30.10 Debian configuration
management sy
ii l...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 29 Nov 2004 20:42:47 +0100
From: Rik Theys <email address hidden>
To: <email address hidden>
Subject: resource temporarily unavailable

Hi,

After changing the TLSVerifyClient option to "never", the client receives some
of the data, after which the process stalls and after a few seconds more data
comes. Then it stalls again ...

I've started slapd with -d 2 and it shows a resource temporarily unavailable

tls_read: want=5 error=Resource temporarily unavailable

I probably misconfigured something :-(.
I don't think it's a bug though, so you can close it.

--
Rik Theys
KU Leuven - ESAT
Kasteelpark Arenberg 10
B-3001 LEUVEN - HEVERLEE
Tel.: +32(0)16 32 11 07

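The original report shows ldapsearch printing "request 1 done" and then waiting forever after its StartTLS request, and the follow-up shows slapd's tls_read returning "Resource temporarily unavailable" (EAGAIN on a non-blocking socket). The script below is an added diagnostic, not part of the bug report or of OpenLDAP: it hand-encodes the LDAPv3 StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), sends it with a socket timeout so a server that stops answering, as slapd did here, surfaces as socket.timeout instead of a hang, and then completes the TLS handshake against the CA the server's TLSCACertificateFile points at. Host, port, CA path and timeout are assumed parameters; the only reply it parses is the resultCode of the ExtendedResponse.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 / RFC 4513 StartTLS


def ber_len(n):
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the BER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def extended_result_code(msg):
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 means StartTLS was accepted."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msgid, pos = read_tlv(body, 0)               # messageID INTEGER
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, _ = read_tlv(op, 0)                     # resultCode ENUMERATED comes first
    return int.from_bytes(code, "big")


def probe_starttls(host, port=389, cafile=None, timeout=5.0):
    """Send StartTLS, then handshake. A stalled server raises socket.timeout (assumed parameters)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(starttls_request())
        code = extended_result_code(s.recv(4096))    # one recv is enough for this small reply
        if code != 0:
            return {"starttls": code}
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            return {"starttls": 0, "tls": tls.version(), "cipher": tls.cipher()[0]}
```

A non-zero resultCode (for example when slapd has no TLS certificate configured) is reported instead of proceeding, and a timeout during recv or the handshake points at the server side rather than at the client's own TLS settings.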
Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 5 Dec 2004 15:58:58 +0700
From: Jean Christophe ANDRÉ <email address hidden>
To: <email address hidden>
Subject: Re: slapd hangs on ldaps / tls request

Closed on user request.

Rik, please, next time do it yourself. :-)
See procedure here: http://www.debian.org/Bugs/Developer#closing
--
J.C. "プログフ" ANDRÉ <email address hidden> asie-pacifique.auf.org
Responsable technique régional / Associé technologie projet Reflets (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Adresse postale : AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tél. : +84 4 9331108 Fax : +84 4 8247383 Mobile : +84 91 3248747
⎧ Note personnelle : merci d'éviter de m'envoyer des fichiers PowerPoint ⎫
⎩ ou Word ; voir http://www.fsf.org/philosophy/no-word-attachments.fr.html

Revision history for this message
Matt Zimmerman (mdz) wrote :

Closed upstream

Changed in openldap2.2:
status: Unknown → Fix Released