[ale] TLS suddenly stops working with slapd

Lightner, Jeff JLightner at water.com
Fri Dec 9 11:51:18 EST 2011


Did you reboot yesterday?  Maybe the setting done on the 5th didn't take effect until you rebooted or restarted something?





-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of John Heim
Sent: Friday, December 09, 2011 11:44 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] TLS suddenly stops working with slapd

It turned out being this line in my slapd.conf:

TLSVerifyClient allow

I commented it out and now it works again. But I am absolutely certain that
I didn't change that setting yesterday. I checked the modification date on
the file and it was December 5.



----- Original Message -----
From: "Jim Kinney" <jim.kinney at gmail.com>
To: "Atlanta Linux Enthusiasts" <ale at ale.org>
Sent: Thursday, December 08, 2011 8:41 PM
Subject: Re: [ale] TLS suddenly stops working with slapd


> Run tcpdump on the connection. It sounds like the handshake failed but you
> need more data to verify.
> On Dec 8, 2011 8:21 PM, "John Heim" <john at johnheim.net> wrote:
>
>> Hi,
>> I have an openldap server that suddenly stopped accepting TLS
>> connections.
>> One minute, I could do an ldapsearch against it with TLS and the next I
>> couldn't. I was trying to write an update script at the time. But could a
>> corrupt database cause TLS to fail?
>>
>> ldapsearch -x -ZZ -H ldap://hubble.example.com "uid=jheim"
>>
>> That command hangs. Does not exit. And the logs say "TLS negotiation
>> failure". But it used to work. If there is something wrong with my cert,
>> why did it used to work?  I even rebooted the ldap server, no joy.
>>
>> === Before ===
>> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from IP=144.92.166.12:41021 (IP=0.0.0.0:389)
>> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS
>> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0 text=
>> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established tls_ssf=128 ssf=128
>> Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=1 BIND dn="cn=root,ou=ldapusers,dc=math,dc=wisc,dc=edu" method=128
>>
>> === After ===
>> Dec  8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from IP=144.92.166.12:37619 (IP=0.0.0.0:389)
>> Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS
>> Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0 text=
>> Dec  8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS negotiation failure)
>>
>>
>> root at hubble:~/tmp# dpkg -p slapd
>> Package: slapd
>> Priority: optional
>> Section: net
>> Installed-Size: 4092
>> Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel at lists.alioth.debian.org>
>> Architecture: amd64
>> Source: openldap
>> Version: 2.4.25-3
>> Replaces: ldap-utils (<< 2.2.23-3), libldap2
>> Provides: ldap-server, libslapi-2.4-2
>> Depends: libc6 (>= 2.12), libdb5.1, libgcrypt11 (>= 1.4.6), libgnutls26 (>= 2.12.6.1-0), libldap-2.4-2 (= 2.4.25-3), libltdl7 (>= 2.4), libperl5.12 (>= 5.12.4), libsasl2-2, libslp1, libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser, lsb-base (>= 3.2-13), libdb4.8 (>= 4.8.30)
>> Pre-Depends: debconf (>= 0.5) | debconf-2.0, multiarch-support
>> Recommends: libsasl2-modules
>> Suggests: ldap-utils
>> Conflicts: ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd
>> Size: 1643524
>> Description: OpenLDAP server (slapd)
>>  This is the OpenLDAP (Lightweight Directory Access Protocol) server
>>  (slapd). The server can be used to provide a standalone directory
>>  service.
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>





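The "before" and "after" logs in the thread show the thing worth checking when ldapsearch -ZZ hangs: the `RESULT oid= err=0` line only means slapd accepted the StartTLS extended operation; the handshake result is the later `TLS established` or `closed (TLS negotiation failure)` line for the same `conn=` id. This added example (not code from the thread) pairs those lines per connection, assuming the Debian slapd syslog format shown in the thread; the sample input is the thread's own log lines with the wrapped lines joined.

```python
"""Classify STARTTLS outcomes per connection in slapd syslog output.

Added example for this thread, not code from the original posts. Assumes
the Debian slapd log format shown in the thread (conn=N, op=N fields).
"""
import re

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)")

# Constructed sample input: the thread's log lines with wrapped lines joined.
SAMPLE_LOG = """\
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from IP=144.92.166.12:41021 (IP=0.0.0.0:389)
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0 text=
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established tls_ssf=128 ssf=128
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=1 BIND dn="cn=root,ou=ldapusers,dc=math,dc=wisc,dc=edu" method=128
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from IP=144.92.166.12:37619 (IP=0.0.0.0:389)
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0 text=
Dec  8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS negotiation failure)
"""


def classify_starttls(log_text):
    """Return {conn_id: outcome} for every connection that issued STARTTLS.

    'established'         - handshake completed ('TLS established' logged)
    'negotiation_failure' - slapd closed the fd with 'TLS negotiation failure'
    'pending'             - STARTTLS got RESULT err=0 but no handshake result
                            was logged yet (the client just sees a hang)
    """
    outcomes = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if rest.endswith(" STARTTLS"):
            outcomes.setdefault(conn, "pending")
        elif conn in outcomes and "TLS established" in rest:
            outcomes[conn] = "established"
        elif conn in outcomes and "TLS negotiation failure" in rest:
            outcomes[conn] = "negotiation_failure"
    return outcomes


def failed_connections(log_text):
    """Conn ids whose STARTTLS never produced a working TLS session."""
    return [c for c, o in classify_starttls(log_text).items() if o != "established"]
```

Run it over the slapd syslog after a config change such as the TLSVerifyClient edit in the thread: a jump in `negotiation_failure` (or `pending`) connections from clients that were `established` before is the server-side signature of the hang John saw.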







