ldap tls refusing to initialize

On Fri, Aug 28, 2009 at 02:38:46AM -0000, PeterNSteinmetz wrote:
> At the end of copious output is:
>
> main: TLS init def ctx failed: -1
> slapd destroy: freeing system resources.
> slapd stopped.
>
> This is with entries in /etc/ldap/slapd.d/cn=config.ldif like:
>
> olcTLSCACertificateFile: /home/peter/CA/server-ca-cert.pem
> olcTLSCertificateFile: /home/peter/CA/server-gnutls-cert.pem
> olcTLSCertificateKeyFile: /home/peter/CA/server-gnutls-key.pem
>

You're using a non-standard location for your certificates. Thus slapd
apparmor profile needs to be updated.

See https://wiki.ubuntu.com/DebuggingApparmor for more information.

  status invalid

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Thanks Mr. Gug. I checked this, placing the apparmor profile into complain mode with sudo aa-complain /usr/sbin/slapd.

The same problem occurs with an attempt to start slapd, but there are no entries in /var/log/kern.log associated and no audit entries.

I also moved the certificates and keys generated using gnutls into /etc/ssl/certs and /etc/ssl/private. Still the same problem with no audit entries in the /var/log/kern.log.

I'm not quite certain what is meant by standard locations, since https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html says to put then in /etc/ssl/certs and /etc/ssl/private under the TLS and SSL sections, though I am happy to try moving them anywhere that may help.

Is there some setting I should be using to get more information out of gnutls about what may be going on?

thanks,
Peter

I do confirm this.

And: Howard Chu still explains NOT TO USE GNUTLS with openldap! It is broken by design! Do not wonder for strange behavior, if you do not trust the core developers.

http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

I have asked Howard a couple of days ago and he still stays at his opinion. I think Debian/Ubuntu should not make changes from openssl to gnutls!

For this bug:

...
1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
main: TLS init failed: 0
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

And by the way: My certs are under /ca/ldapmaster.roessner-net.com

My profile for apparmor was working under intrepid. Upgrading from intrepid to jaunty does not work.

# Last Modified: Tue Sep 2 13:08:01 2008
# Author: Jamie Strandboge <email address hidden>

#include <tunables/global>
/usr/sbin/slapd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /ca/cacert_org.crt r,
  /ca/ldapmaster.roessner-net.de/newcert.pem r,
  /ca/ldapmaster.roessner-net.de/newkey.pem r,
  /etc/gai.conf r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/ldap/ldap.conf r,
  /etc/ldap/schema/* r,
  /etc/ldap/slapd.conf r,
  /etc/sasldb2 r,
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,
  /usr/lib/ldap/ r,
  /usr/lib/ldap/* mr,
  /usr/sbin/slapd mr,
  /var/lib/ldap/ r,
  /var/lib/ldap/* rw,
  /var/lib/ldap-ov/accesslog r,
  /var/lib/ldap-ov/accesslog/* rw,
  /var/lib/ldap/alock kw,
  /var/lib/ldap-ov/accesslog/alock kw,
  /var/run/slapd/* w,
}

No dmesg output that points to problems.

Interesting that there is the TLS complaint through "TLS: gcry_control ..."

Nothing like that in mine. I was looking through the source a bit last night on this. It seems that the TLS init call is returning a -1 error code under some circumstances without really throwing another error message.

Despite the problems with gnutls, it seems the ubuntu folks are committed to staying with it for licensing reasons.

Ok, I finally got it work. I had purged slapd completely and removed all
of its /var/lib/ldap/* stuff as well as the slapd.d directory
under /etc/ldap.

After that I tried to install slapd. Same error! So I really wondered
how a fresh install could present me with the same error message,
although there was absolutely no TLS support, yet. And then I got it: I
had a look inside /etc/ldap/ldap.conf, which was the only file left from
the previous installation:

TLS_RANDFILE /dev/urandom

was the problem. I simply removed this tag. Then I put back my saved
backup from intrepid (including overlays and TLS support), started slapd
and now everything is working as expected. So my guess is that this
option is broken under jaunty. It is unnecessary, because the man page
tells that /dev[u]random is looked automatically. But this got broken
from intrepid to jaunty.

Interesting. My version also was an upgrade from hardy->intrepid->jaunty. My /etc/ldap/ldap.conf doesn't contain a line about TLS_RANDFILE though, and my install doesn't report the TLS: gcry_control error, rather, there is nothing other than the "main: TLS init def ctx failed: -1" complaint. I suspect these may be related problems, at least in the sense of hard to tell what is going wrong during initialization.

I will likely later this weekend try to clear aside configuration and try a local build of openldap with debugging for gdb turned on and built against gnutls.

Same here. I have a vanilla Januty install (Atom-330 with 64-bit Januty, if this makes any difference) and following the above instructions that Peter referenced fails for me with the same error and my ldap.conf also doesn't have this TLS_RANDFILE set.

Playing around with the source today and debugging slapd with gdb.

It appears that much of the pain here is in tls_g.c, the wrappers for gnutls. The function tlsg_ctx_init in particular. This is where, at least for my configuration, most of the failures are occurring. And the code in this function often makes a call onto a gnutls function, as in:

 if (lo->ldo_tls_cacertfile != NULL) {
  rc = gnutls_certificate_set_x509_trust_file(
   ctx->cred,
   lt->lt_cacertfile,
   GNUTLS_X509_FMT_PEM );
  if ( rc < 0 ) return -1;
 }

and doesn't really do anything with the return code. There are 3 places in tlsg_ctx_init where this occurs with no logging of what the actual error code was. It just returns -1, rather than a more specific error code. Upshot is that we simply get a -1 error code in the log with no further advice on the specific problem.

The code in tls_o.c for this function and others seems better developed and reports more useful error codes.

With a self-signed certificate, and setting only the olcTLSCertificateFile
olcTLSCertificateKeyFile, the server works and does answer properly when trying with a command on another machine like:

openssl s_client -connect <ldapServerIP>:636 -showcerts

If oldTLSCACertificateFile is set to the self-signed certificate, slapd fails to initialize TLS.

I suspect most of the problems being reported are due to configuration issues, like those reported by Christian R. Without better error output, it is very difficult to figure these out.

Now I'd be delighted to try and add more debugging and produce a patch; however, perhaps I can get a bit of help with the packaging?

I've been able to get the source with 'apt-get source libldap-2.4-2', and go in change the debian/configure.options, followed by a 'debchange -i' and 'debuild -us -uc -i -I', then a 'sudo debi', and get a version with debugging symbols installed.

What has been eluding me (after reading the HOWTO and several other tutorials), is how to get changes in the source to build into the package properly when installed and how to get other Debug statements to work (though perhaps that is just because the packaging isn't working right, since the machine language statements in the debugger don't agree with the source listed in gdb, ouch). With a -nc option on debuild it builds, but likely isn't actually including the changes. Without the -nc, it complains about the upstream patches not being able to be applied.

Hopefully someone can point me to the correct descriptions or give me some help on this one.

Of course, a fixed up package with better error output from one of the openldap gurus would be most welcome!

thanks,
Peter

In the meantime, does anybody have a work-around for this? I've hit this problem on a vanilla Ubuntu 9.04 server install and can't get past it!

Yes, continues to be annoying.

One thing to do is to carefully verify the certificate chain you have configured for LDAP use. If the certificate is self-signed, then don't configure the olcCACertificateFile item. Otherwise, make sure the CA signing the certificate has its certificate in this property.

Well, after much pain and suffering for me it turned out to be a simple permissions problem. I believe the how-to should be changed to ensure this doesn't happen to anyone else. Problem was that my private keyfile did not provide read permissions to the group.

sudo chmod g+r /etc/ssl/private/myserver.key

and viola...everything works.

Thanks Dave. I agree about the docs on this. Can you comment on which howto you were using?

I was using the how-to referenced by the OP. I was also using this one on certificates.

https://help.ubuntu.com/9.04/serverguide/C/certificates-and-security.html

What got me messed up was a small, but important point that got lost between the two how-tos. The LDAP how-to takes advantage of the group ssl-cert which has read privileges on /etc/ssl/private. They had the nifty idea of putting the openldap account into the ssc-cert group.

The certificate how-to says to put the key into the /etc/ssl/private. This is fine, but while the /etc/ssl/private folder was readable by openldap, the new copied keyfile was not. Unfortunately for me (and probably others) the only error I got was the one the OP was also getting.

A trick I discovered can help:

become root: sudo -i
become openldap: su openldap
check priviledges: cat /etc/ssl/private/nameofmyserver.key

It helped me track down the answer.

For the time being, I posted an update for the network-auth.xml in ubuntu-docs.

https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs/+bug/437483

Marking this bug as invalid - seems that most of the issues reported here are configuration issues: file permissions, apparmor profile, certifcates chain.