Gentoo Forums
Strange OpenLDAP Problems
ryker
Guru
Joined: 28 May 2003
Posts: 412
Location: Portage, IN

Posted: Wed Feb 16, 2005 2:51 pm    Post subject: Strange OpenLDAP Problems

I followed this guide for installing OpenLDAP. When I got toward the end for starting the service, it wouldn't start. I have found MANY threads about slapd problems; however, none have addressed this issue.
tail /var/log/messages shows:
Code:
Feb 16 08:43:44 myalbertsrouter slapd[17421]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Feb 16 08:43:44 myalbertsrouter slapd[17421]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Feb 16 08:43:44 myalbertsrouter slapd[17421]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Feb 16 08:43:44 myalbertsrouter slapd[17421]: main: TLS init def ctx failed: -1
Feb 16 08:43:44 myalbertsrouter slapd[17421]: slapd stopped.
Feb 16 08:43:44 myalbertsrouter slapd[17421]: connections_destroy: nothing to destroy.


So, from the message, it looked like the port was already in use.
ps aux | grep slapd shows:
Code:
root     17559  0.0  0.2   1444   464 pts/0    S+   08:46   0:00 grep slapd

The confusing part is, the pid (17559 in this case) is constantly changing. So it's like the process keeps getting created and destroyed? Nothing out of the ordinary is in my log unless I run /etc/init.d/slapd start.
Here's my /etc/openldap/slapd.conf:
Code:
include     /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Use crypt to hash the passwords
password-hash {crypt}

# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

# Further down...
# slapd gentoo init script doesn't make pid correctly
# so we define it here too

pidfile /var/run/openldap/slapd.pid

database        ldbm
suffix          "dc=homelinux,dc=org"
directory       /var/lib/openldap-ldbm
index           objectClass     eq
rootdn          "cn=jamail,dc=homelinux,dc=org"

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
rootpw {MD5}034VdWzT1rJoHV4vMW/vSA==

/etc/openldap/ldap.conf
Code:
BASE        dc=homelinux, dc=org
URI         ldaps://jamail.homelinux.org:636/
TLS_REQCERT allow

/etc/conf.d/slapd:
Code:
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

and finally, my /etc/ssl/openssl.cnf:
Code:
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir     = ./demoCA      # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several certificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.
certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
#crlnumber  = $dir/crlnumber    # the current crl number must be
                    # commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = md5           # which md to use.
preserve    = no            # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match

# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

####################################################################
[ req ]
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName         = US
countryName_default     = US
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = Indiana
stateOrProvinceName_default = Indiana

localityName            = Portage

0.organizationName      = Johns Server
0.organizationName_default  = Johns Server

# we can do this but it is not needed normally :-)
#1.organizationName     = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName      = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName          = jamail.homelinux.org
commonName_max          = 64

emailAddress            = alberts@jamail.homelinux.org
emailAddress_max        = 64

# SET-ex3           = SET extension number 3

[ req_attributes ]
challengePassword       = ldapuserpassword
challengePassword_min       = 4
challengePassword_max       = 20

unstructuredName        = Johns Server

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType            = server
# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment           = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl      = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
Sorry about the long post.
_________________
Athlon 64 3200+, 80G WD sata hd + 200G IDE, 1G Geil DDR400, MSI K8T Neo
IntelCore2Duo 2.0Ghz MSI laptop,100G SATA hd, 2G RAM
cselkirk
Apprentice
Joined: 09 Jun 2003
Posts: 199
Location: NL

Posted: Wed Feb 16, 2005 3:33 pm    Post subject: Re: Strange OpenLDAP Problems

ryker wrote:
Code:
Feb 16 08:43:44 myalbertsrouter slapd[17421]: main: TLS init def ctx failed: -1
Feb 16 08:43:44 myalbertsrouter slapd[17421]: slapd stopped.

There is a problem with your TLSCertificateFile, or it doesn't exist.

ryker wrote:
ps aux | grep slapd shows:
Code:
root     17559  0.0  0.2   1444   464 pts/0    S+   08:46   0:00 grep slapd

The confusing part is, the pid (17559 in this case) is constantly changing. So it's like the process keeps getting created and destroyed?


This is not the pid of slapd but of the grep. In future you can use something like the following to return the processes matching the string, but exclude the grep:

Code:
% ps aux |grep "[s]lapd"

HTH
_________________
cn=cselkirk,dc=xs4all,dc=nl
ryker

Joined: 28 May 2003
Posts: 412
Location: Portage, IN

Posted: Wed Feb 16, 2005 6:09 pm

Quote:
This is not the pid of slapd but of the grep.
:oops:

Thanks for the reply.
When I was following the guide, I did seem to have a problem with this part of it:
Code:
# cd /etc/ssl
 # openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999

The guide said I would be prompted to answer questions about the certificate, but I wasn't. So I manually edited /etc/ssl/openssl.cnf.
I posted my openssl.cnf above. Does it look ok? Could this be my problem?
cselkirk

Joined: 09 Jun 2003
Posts: 199
Location: NL

Posted: Wed Feb 16, 2005 6:39 pm

If you manually edited the .cnf file you still won't have created the ldap.pem. The openssl.cnf is just a configuration file, with the values you changed simply changing the default values. The command to create the .pem should have worked (that is, you should have been asked a number of questions) and I can't think why it didn't; please make sure you typed the command correctly and try again.
ryker

Joined: 28 May 2003
Posts: 412
Location: Portage, IN

Posted: Wed Feb 16, 2005 6:56 pm

The command I posted above is exactly what I typed in.
Code:
# cd /etc/ssl
 # openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999
Actually, I copied and pasted it so I knew there were no typos. Is the openssl ... command what you were referring to? It didn't show any errors.
I just tried it again and still no dice. I checked to make sure that /etc/openldap/ssl/ldap.pem is there, and there was an old one there already. I forgot I created one a long time ago for my mail server (on same machine). I deleted the certificate and ran the openssl ... command again. It didn't show any errors, but it also didn't create the ldap.pem file. Shouldn't it have shown some errors at least?
cselkirk

Joined: 09 Jun 2003
Posts: 199
Location: NL

Posted: Wed Feb 16, 2005 8:46 pm

I would say from the sounds of things your openssl is broken. I could make guesses as to why (aggressive CFLAGS perhaps?). You did say you edited the .cnf after first trying to run the command unsuccessfully?
ryker

Joined: 28 May 2003
Posts: 412
Location: Portage, IN

Posted: Thu Feb 17, 2005 12:02 am

I don't think I have anything set too aggressively. Here's the output of emerge info:
Code:
Portage 2.0.51-r15 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.5-gentoo-r1 i686)
=================================================================
System uname: 2.6.5-gentoo-r1 i686 Pentium III (Katmai)
Gentoo Base System version 1.6.9
Python:              dev-lang/python-2.3.4-r1 [2.3.4 (#2, Feb 10 2005, 00:14:03)]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.4-r1
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r2
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.4.22
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://gentoo.chem.wisc.edu/gentoo/ ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 acpi4linux aliaschain apache2 apm berkdb bitmap-fonts clamav cpdflib crypt cups curl curlwrappers dba esd extensions f77 font-server foomaticdb fortran fwdzone gd gdbm gif gpm imagemagick imap ipv6 jpeg ldap libg++ libwww maildir mcal memlimit mime mmx multipleip mysql ncurses nls oav offensive pam pcntl perl php png python qmail readline samba sdl session slang soap spamassassin spell spl sqlite sse ssl svga tcpd tidy tiff tokenizer truetype-fonts type1-fonts vhosts virus-scan vpopmail xml xml2 zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS

As you can see, my cflags are typical. Of course, I am using ~x86.
j-m

Joined: 31 Oct 2004
Posts: 975

Posted: Thu Feb 17, 2005 12:10 am

http://www.openldap.org/faq/data/cache/652.html :idea:

Regarding the second error - your SSL certificate is incorrect.

TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem :!:
TLSCACertificateFile /etc/ssl/ldap.pem
ryker

Joined: 28 May 2003
Posts: 412
Location: Portage, IN

Posted: Thu Feb 17, 2005 12:57 am

j-m wrote:
http://www.openldap.org/faq/data/cache/652.html :idea:

Regarding the second error - your SSL certificate is incorrect.

TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem :!:
TLSCACertificateFile /etc/ssl/ldap.pem


The first error probably is an ipv6 error. Good thing that can be ignored. But for the second problem, this is directly from the guide I followed from my first post. Is this incorrect? I found a program in /etc/ssl/gencert.sh that when I ran, asked me all of the questions and generated an ldap.pem file. I tried copying that to the 2 directories mentioned above, but it still didn't work.
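The thread ends without a fix. As an added example, not code from any of the posts or from the guide the original poster followed, here is a shell script that checks the things the replies raised before slapd is started: that each file named by the TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile directives in slapd.conf exists, that it is readable by the user slapd runs as, that openssl can parse it as a certificate or key, and that the certificate and key belong together. The log in the first post shows slapd stopping straight after "TLS init def ctx failed"; the errno=97 socket() line concerns only the IPv6 listener (the FAQ j-m linked covers it) and does not by itself stop slapd. The config path, the user name ldap and the use of su and slaptest are my assumptions about a Gentoo host of that era, not facts taken from the thread.

```shell
#!/bin/sh
# Added example, not code from any post in this thread or from the guide the
# original poster followed. Checks the TLS files that slapd.conf names before
# slapd is started, so "TLS init def ctx failed" can be tied to a concrete
# file problem (missing, unreadable, not a cert/key, or a cert and key that
# do not belong together).
#
# Assumptions (mine, not the thread's): slapd.conf is at
# /etc/openldap/slapd.conf and slapd runs as the unprivileged user "ldap";
# override with SLAPD_CONF / SLAPD_USER. Run as root on the LDAP host so the
# su-based readability test works.

SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"
SLAPD_USER="${SLAPD_USER:-ldap}"

# Read a slapd.conf on stdin, drop '#' comments, and print "DIRECTIVE PATH"
# for every TLSCertificateFile / TLSCertificateKeyFile / TLSCACertificateFile
# line. Directive names are matched case-insensitively.
tls_paths() {
    sed -e 's/#.*//' |
        awk 'tolower($1) ~ /^tls(ca)?certificate(key)?file$/ { print $1, $2 }'
}

# Path configured for one directive (the last occurrence is used); prints an
# empty line if the directive is absent.
tls_path() {
    tls_paths | awk -v want="$1" \
        'tolower($1) == tolower(want) { p = $2 } END { print p }'
}

# Verify one file: present, readable by $SLAPD_USER, and parseable by openssl
# as an RSA key (for TLSCertificateKeyFile) or an X.509 certificate (for the
# other two). Prints a verdict line and returns non-zero on any failure.
check_tls_file() {
    _dir=$1; _path=$2
    _lc=$(printf '%s' "$_dir" | tr 'A-Z' 'a-z')
    if [ ! -e "$_path" ]; then
        echo "MISSING     $_dir '$_path'"; return 1
    fi
    if id "$SLAPD_USER" >/dev/null 2>&1 &&
       ! su -s /bin/sh "$SLAPD_USER" -c "test -r '$_path'" 2>/dev/null; then
        echo "UNREADABLE  $_dir $_path (not readable by $SLAPD_USER; check owner and mode)"
        return 1
    fi
    case $_lc in
        tlscertificatekeyfile)
            # -check only understands RSA keys, which is what 'openssl req' makes by default
            if openssl rsa -in "$_path" -noout -check >/dev/null 2>&1; then
                echo "OK          $_dir $_path (RSA key parses)"
            else
                echo "BAD KEY     $_dir $_path (openssl rsa cannot read it)"; return 1
            fi ;;
        *)
            if _info=$(openssl x509 -in "$_path" -noout -subject -enddate 2>/dev/null); then
                echo "OK          $_dir $_path"
                printf '%s\n' "$_info" | sed 's/^/            /'
            else
                echo "BAD CERT    $_dir $_path (openssl x509 cannot read it)"; return 1
            fi ;;
    esac
}

# The certificate and the private key must share the same RSA modulus;
# otherwise slapd's TLS context cannot be initialised.
cert_key_match() {
    _c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    _k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

run_checks() {
    _cert=$(tls_path TLSCertificateFile    <"$SLAPD_CONF")
    _key=$(tls_path  TLSCertificateKeyFile <"$SLAPD_CONF")
    _ca=$(tls_path   TLSCACertificateFile  <"$SLAPD_CONF")
    _rc=0
    check_tls_file TLSCertificateFile    "$_cert" || _rc=1
    check_tls_file TLSCertificateKeyFile "$_key"  || _rc=1
    check_tls_file TLSCACertificateFile  "$_ca"   || _rc=1
    if [ "$_rc" -eq 0 ]; then
        if cert_key_match "$_cert" "$_key"; then
            echo "OK          certificate and key moduli match"
        else
            echo "MISMATCH    $_cert was not issued for the key in $_key"; _rc=1
        fi
    fi
    # slaptest parses the whole file, TLS directives included, without
    # opening a listener; -u is its dry-run mode.
    if command -v slaptest >/dev/null 2>&1; then
        slaptest -u -f "$SLAPD_CONF" || _rc=1
    fi
    return "$_rc"
}

if [ -r "$SLAPD_CONF" ]; then
    run_checks
else
    echo "no readable $SLAPD_CONF on this machine; run the checks on the LDAP host" >&2
fi
```

In the slapd.conf posted above, two directives point at /etc/ssl/ldap.pem and the key directive at /etc/openldap/ssl/ldap.pem, so each verdict line names the directive as well as the path to make clear which of the two same-named files is at fault; giving the certificate and the key different file names (server-cert.pem and server-key.pem, assumed names) avoids that confusion when files are copied around. When the openssl req command returns without prompting and without writing anything, check its exit status and list both output paths straight afterwards: a working run asks for the DN fields and leaves both files behind.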