[ale] TLS suddenly stops working with slapd

John Heim john at johnheim.net
Thu Dec 8 20:20:40 EST 2011


Hi,
I have an openldap server that suddenly stopped accepting TLS connections. 
One minute, I could do an ldapsearch against it with TLS and the next I 
couldn't. I was trying to write an update script at the time. But could a 
corrupt database cause TLS to fail?

ldapsearch -x -ZZ -H ldap://hubble.example.com "uid=jheim"

That command hangs. Does not exit. And the logs say "TLS negotiation 
failure". But it used to work. If there is something wrong with my cert, why 
did it use to work?  I even rebooted the ldap server, no joy.

=== Before ===
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from IP=144.92.166.12:41021 (IP=0.0.0.0:389)
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0 text=
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established tls_ssf=128 ssf=128
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=1 BIND dn="cn=root,ou=ldapusers,dc=math,dc=wisc,dc=edu" method=128

=== After ===
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from IP=144.92.166.12:37619 (IP=0.0.0.0:389)
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0 text=
Dec  8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS negotiation failure)


root at hubble:~/tmp# dpkg -p slapd
Package: slapd
Priority: optional
Section: net
Installed-Size: 4092
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel at lists.alioth.debian.org>
Architecture: amd64
Source: openldap
Version: 2.4.25-3
Replaces: ldap-utils (<< 2.2.23-3), libldap2
Provides: ldap-server, libslapi-2.4-2
Depends: libc6 (>= 2.12), libdb5.1, libgcrypt11 (>= 1.4.6), libgnutls26 (>= 2.12.6.1-0), libldap-2.4-2 (= 2.4.25-3), libltdl7 (>= 2.4), libperl5.12 (>= 5.12.4), libsasl2-2, libslp1, libwrap0 (>= 7.6-4~), unixodbc (>= 2.2.11), coreutils (>= 4.5.1-1), psmisc, perl (>> 5.8.0) | libmime-base64-perl, adduser, lsb-base (>= 3.2-13), libdb4.8 (>= 4.8.30)
Pre-Depends: debconf (>= 0.5) | debconf-2.0, multiarch-support
Recommends: libsasl2-modules
Suggests: ldap-utils
Conflicts: ldap-server, libltdl3 (= 1.5.4-1), umich-ldapd
Size: 1643524
Description: OpenLDAP server (slapd)
 This is the OpenLDAP (Lightweight Directory Access Protocol) server
 (slapd). The server can be used to provide a standalone directory
 service.
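The two slapd excerpts in the post show the StartTLS exchange succeeding (EXT oid=1.3.6.1.4.1.1466.20037, RESULT err=0) and then either "TLS established" or, 24 seconds later, "closed (TLS negotiation failure)". As an added example that is not part of the original post, the script below parses that slapd log format, pairs each StartTLS request with its outcome per conn= id, and reports the elapsed time, which makes the before/after difference (and the hang) visible at a glance. The sample lines are the post's own, joined back onto single lines; the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the two slapd excerpts from the post, joined onto single lines.
SAMPLE_LOG = """\
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 ACCEPT from IP=144.92.166.12:41021 (IP=0.0.0.0:389)
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 STARTTLS
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 op=0 RESULT oid= err=0 text=
Dec  8 13:43:06 hubble slapd[28456]: conn=45701 fd=33 TLS established tls_ssf=128 ssf=128
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 fd=18 ACCEPT from IP=144.92.166.12:37619 (IP=0.0.0.0:389)
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 STARTTLS
Dec  8 19:04:43 hubble slapd[3521]: conn=1006 op=0 RESULT oid= err=0 text=
Dec  8 19:05:07 hubble slapd[3521]: conn=1006 fd=18 closed (TLS negotiation failure)
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation OID
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(\d+) (.*)$")

def parse_ts(s):
    # syslog lines carry no year; assume 2011 (the post's date) so time arithmetic works
    return datetime.strptime("2011 " + s, "%Y %b %d %H:%M:%S")

def audit_starttls(log_text):
    """Map conn id -> StartTLS outcome and seconds from request to outcome."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a slapd connection line; ignore
        ts, cid, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if f"EXT oid={STARTTLS_OID}" in msg:
            conns[cid] = {"requested": ts, "result": "pending", "seconds": None}
        elif cid in conns:
            if "TLS established" in msg:
                conns[cid]["result"] = "established"
                conns[cid]["seconds"] = (ts - conns[cid]["requested"]).total_seconds()
            elif "closed (TLS negotiation failure)" in msg:
                conns[cid]["result"] = "negotiation_failure"
                conns[cid]["seconds"] = (ts - conns[cid]["requested"]).total_seconds()
    return conns

def failures(conns):
    """Sorted conn ids whose StartTLS handshake failed."""
    return sorted(c for c, v in conns.items() if v["result"] == "negotiation_failure")

if __name__ == "__main__":
    for cid, v in audit_starttls(SAMPLE_LOG).items():
        print(cid, v["result"], v["seconds"])
```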
