Bug 85043 - OpenLDAP won't start with SSL/TLS
Summary: OpenLDAP won't start with SSL/TLS
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High major
Assignee: Robin Johnson
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-12 23:55 UTC by Pupeno
Modified: 2005-03-13 19:23 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Description Pupeno 2005-03-12 23:55:14 UTC
I've tried about 20 different ways (scripts, by hand, types) of generating keys and certificates for SSL and no matter what I do, or how I configure OpenLDAP, I always get the same SSL error:
Mar 10 16:56:13 master slapd[6814]: main: TLS init def ctx failed: -1
and slapd refuses to start.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

I configure slapd more or less like this:

TLSCertificateFile /etc/certificates/server.crt
TLSCertificateKeyFile /etc/certificates/server.key

and the full error is:

Mar 10 16:56:13 master slapd[6814]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Mar 10 16:56:13 master slapd[6814]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Mar 10 16:56:13 master slapd[6814]: sql_select option missing
Mar 10 16:56:13 master slapd[6814]: auxpropfunc error no mechanism available
Mar 10 16:56:13 master slapd[6814]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar 10 16:56:13 master slapd[6814]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
Mar 10 16:56:13 master slapd[6814]: bdb_db_init: Initializing BDB database
Mar 10 16:56:13 master slapd[6814]: main: TLS init def ctx failed: -1
Mar 10 16:56:13 master slapd[6814]: slapd stopped.
Mar 10 16:56:13 master slapd[6814]: connections_destroy: nothing to destroy.

And the emerge info: 
# emerge info 
Portage 2.0.51.19 (default-linux/x86/2004.3, gcc-3.3.5, glibc-2.3.4.20040808-r1, 2.6.10-gentoo-r6 i686)
================================================================= 
System uname: 2.6.10-gentoo-r6 i686 AMD Sempron(tm)   2400+ 
Gentoo Base System version 1.4.16 
Python:              dev-lang/python-2.3.4-r1 [2.3.4 (#1, Mar  8 2005, 17:24:17)]
dev-lang/python:     2.3.4-r1 
sys-devel/autoconf:  2.13, 2.59-r6 
sys-devel/automake:  1.5, 1.6.3, 1.4_p6, 1.9.4, 1.8.5-r3, 1.7.9-r1 
sys-devel/binutils:  2.15.92.0.2-r1 
sys-devel/libtool:   1.4.3-r4, 1.5.10-r4 
virtual/os-headers:  2.4.22-r1 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer" 
CHOST="i686-pc-linux-gnu" 
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" 
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms" 
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://gentoo.eliteitminds.com ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ http://www.gigaload.org/gentoo.org/"
LANG="en_US.UTF-8" 
LC_ALL="en_US.UTF-8" 
MAKEOPTS="-j2" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
SYNC="rsync://rsync.gentoo.org/gentoo-portage" 
USE="x86 apache2 apm arts authdaemond avi bash-completion berkdb bitmap-fonts bzlib crypt curlcurlwrappers emacs emboss encode ethereal fam font-server foomaticdb fortran ftp gd gdbm gif gnome imagemagick imap imlib inifile innodb ipv6 jabber jpeg ldap libg++ libwww mad mbox mhash mikmod mime mng motif mp3 mpeg mysql mysqli ncurses nls ogg oggvorbis opengl oss pam pcre pdflibperl php png posix python quicktime readline sasl sdl session sharedext simplexml spell ssl svg svga tcpd threads tidy tiff truetype truetype-fonts type1-fonts unicode vda vhosts wmf xml xml2 xmlrpc xsl xv zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LDFLAGS, PORTDIR_OVERLAY
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-13 00:11:30 UTC
Hi Pupeno,

This error is a SASL error, not an SSL error.

I don't use SASL myself (just plain SSL).
The error:
Mar 10 16:56:13 master slapd[6814]: sql_select option missing 
Mar 10 16:56:13 master slapd[6814]: auxpropfunc error no mechanism available 
Mar 10 16:56:13 master slapd[6814]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql 

Suggests to me that your SASL is misconfigured/broken, as it appears to be doing something with SQL.
Comment 2 Pupeno 2005-03-13 09:36:58 UTC
Yes, there are SASL errors, but I ignored them since I'm not trying to use SASL. There's no SASL-related configuration on openldap and the rest of the SASL-configuration is the default one shipped with Gentoo. I'm not running saslauthd either.
What might be causing the error then?
Comment 3 Pupeno 2005-03-13 11:06:56 UTC
Note, while this is the error that I get in a TLS/SSL failed start up:

Mar 13 14:04:24 master slapd[8935]: sql_select option missing
Mar 13 14:04:24 master slapd[8935]: auxpropfunc error no mechanism available
Mar 13 14:04:24 master slapd[8935]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar 13 14:04:24 master slapd[8935]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Mar 13 14:04:24 master slapd[8935]: bdb_db_init: Initializing BDB database
Mar 13 14:04:24 master slapd[8935]: main: TLS init def ctx failed: -1
Mar 13 14:04:24 master slapd[8935]: slapd stopped.
Mar 13 14:04:24 master slapd[8935]: connections_destroy: nothing to destroy.

this is what I got in a non-SSL/TLS successful start up:

Mar 13 14:02:11 master slapd[8851]: sql_select option missing
Mar 13 14:02:11 master slapd[8851]: auxpropfunc error no mechanism available
Mar 13 14:02:11 master slapd[8851]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar 13 14:02:11 master slapd[8851]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Mar 13 14:02:11 master slapd[8851]: bdb_db_init: Initializing BDB database
Mar 13 14:02:11 master slapd[8852]: slapd starting

I've touched the configurations as little as possible. This is happening with the out-of-the-box Gentoo configuration.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-13 12:16:02 UTC
Firstly, go and compile openldap with USE=-sasl (via /etc/portage/package.use)
then run '/usr/lib/openldap/slapd -u ldap -g ldap -d 65535' to get a more detailed error log, and attach that here.
Comment 5 Pupeno 2005-03-13 19:18:12 UTC
I've run slapd with your command, and I've analyzed the output. It said it didn't have access to the file. I checked and re-checked; I was sure it was ok, but I was missing execute privileges in the directory where the certificates are. It was my mistake and I'm sorry for all the trouble.
Anyway, I'll submit this bug to the OpenLDAP devs, showing this error line:

TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:278

would have been much better than showing this error line:

main: TLS init def ctx failed: -1

Thank you. I think you can now close this bug report.
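A pre-flight check for the root cause found in this comment and for the debugging step in comment 4, added here as an example (it is not code from the bug report, from Gentoo or from OpenLDAP): for the uid slapd runs as, it walks every directory on the way to each TLS file and reports any it cannot search and any file it cannot read, the condition that slapd only surfaced as fopen:Permission denied under -d 65535. The function names and the id-based uid/gid lookup for the ldap user are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the failure in this report: slapd runs as an
# unprivileged user (ldap), so every directory on the path to
# TLSCertificateFile and TLSCertificateKeyFile needs search (x) permission
# for that user and the files need read (r); a missing x on the certificate
# directory is what produced "TLS init def ctx failed: -1". Added example,
# not part of the bug or of OpenLDAP. Mode, owner and group come from
# ls -ldLn (numeric ids), so the verdict is the same whether run as root or not.

# perms UID GIDS PATH: the rwx triple that UID (a member of the
# space-separated GIDS) gets on PATH, in Unix owner/group/other order.
perms() {
    u=$1; gs=$2
    set -- $(ls -ldLn "$3")                 # $1=mode $3=owner uid $4=gid
    if [ "$3" = "$u" ]; then
        printf '%s' "$1" | cut -c2-4        # owner triple
    else
        case " $gs " in
            *" $4 "*) printf '%s' "$1" | cut -c5-7 ;;   # group triple
            *)        printf '%s' "$1" | cut -c8-10 ;;  # other triple
        esac
    fi
}
has_x() { case "$1" in ??[xst]) true ;; *) false ;; esac; }   # s,t imply x
has_r() { case "$1" in r??) true ;; *) false ;; esac; }

# check_tls_path UID GIDS FILE: report every directory from / down to FILE
# that UID cannot search, and FILE itself if UID cannot read it. Returns 0
# only when that user could actually open FILE.
check_tls_path() {
    uid=$1; gids=$2; file=$3; rc=0
    case "$file" in /*) ;; *) file=$PWD/$file ;; esac
    if [ ! -e "$file" ]; then echo "missing: $file"; return 1; fi
    dir=$(dirname "$file")
    while :; do
        has_x "$(perms "$uid" "$gids" "$dir")" || { echo "uid $uid cannot search $dir"; rc=1; }
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    has_r "$(perms "$uid" "$gids" "$file")" || { echo "uid $uid cannot read $file"; rc=1; }
    return "$rc"
}

# Usage with the paths from this report, before starting slapd:
#   check_tls_path "$(id -u ldap)" "$(id -G ldap)" /etc/certificates/server.crt
#   check_tls_path "$(id -u ldap)" "$(id -G ldap)" /etc/certificates/server.key
```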
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-13 19:23:37 UTC
Thanks, marking as invalid since it isn't a bug in openldap (beyond the useless error message).