Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 455982

Summary: net-nds/openldap-2.4.33-r1 with dev-libs/openssl-1.0.1d - ldapsearch: Cannot contact LDAP server (-1)
Product: Gentoo Linux Reporter: Olaf Lessenich <olaf.lessenich>
Component: Current packagesAssignee: Gentoo LDAP project <ldap-bugs>
Status: RESOLVED DUPLICATE    
Severity: normal CC: olaf.lessenich
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: /etc/ldap.conf
/etc/openldap/ldap.conf

Description Olaf Lessenich 2013-02-07 10:40:09 UTC 
After upgrading from dev-libs/openssl-1.0.1c to dev-libs/openssl-1.0.1d, querying an LDAP server via ldaps fails.

Reproducible: Always

Steps to Reproduce:
1. Upgrade a system using net-nds/openldap-2.4.33-r1 from dev-libs/openssl-1.0.1c to dev-libs/openssl-1.0.1d
2. Try to query an LDAP-server via ldaps, e.g. by running 'ldapsearch'
Actual Results:  
Can't contact LDAP server (-1)

Expected Results:  
Establishing the connection with the LDAP-server using ldaps and performing the request

$ ldapsearch -d9 -x
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP @@server-hostname@@:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying @@server-ip@@:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 3, err: 19, subject: @@server-cert-info@@
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x20e2650 msgid 1
wait4msg ld 0x20e2650 msgid 1 (infinite timeout)
wait4msg continue ld 0x20e2650 msgid 1 all 1
** ld 0x20e2650 Connections:
* host: @@server-hostname@@  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Feb  7 11:22:45 2013


** ld 0x20e2650 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x20e2650 request count 1 (abandoned 0)
** ld 0x20e2650 Response Queue:
   Empty
  ld 0x20e2650 response count 0
ldap_chkResponseList ld 0x20e2650 msgid 1 all 1
ldap_chkResponseList returns ld 0x20e2650 NULL
ldap_int_select
read1msg: ld 0x20e2650 msgid 1 all 1
ber_get_next
TLS trace: SSL3 alert write:fatal:bad record mac
ber_get_next failed.
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed

$ emerge --info
Portage 2.1.11.50 (default/linux/amd64/10.0/desktop, gcc-4.6.3, glibc-2.16.0, 3.7.5 x86_64)
=================================================================
System uname: Linux-3.7.5-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q6600_@_2.40GHz-with-gentoo-2.2
KiB Mem:     8176852 total,    624408 free
KiB Swap:    4194300 total,   4193148 free
Timestamp of tree: Thu, 07 Feb 2013 01:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p42
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.3-r3::<unknown repository>, 3.2.3-r2
dev-util/cmake:           2.8.10.2-r1
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.1
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.16.0
Repositories: gentoo x-overlays
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=x86-64 -pipe -mmmx -msse -msse2 -mssse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=x86-64 -pipe -mmmx -msse -msse2 -mssse3"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlays"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 avahi berkdb bluetooth branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gpm gtk iconv ipv6 jpeg lcms ldap libnotify mad mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds python qt3support qt4 readline sdl session spell spice sse sse2 sse3 ssl ssse3 startup-notification svg tcpd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xcb xft xinerama xml xv xvid zeroconf zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de en" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Olaf Lessenich 2013-02-07 10:44:54 UTC 
Created attachment 338202 [details]
/etc/ldap.conf
Comment 2 Olaf Lessenich 2013-02-07 10:47:19 UTC 
Comment on attachment 338202 [details]
/etc/ldap.conf

>base dc=@@subdomain@@,dc=@@domain@@,dc=@@tld@@
>uri ldaps://@@server-hostname@@/
>ldap_version 3
>pam_password exop
>nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,ntp,proxy,root,sshd,statd,sync,sys,syslog,uucp,whoopsie,www-data
Comment 3 Olaf Lessenich 2013-02-07 10:48:47 UTC 
Created attachment 338204 [details]
/etc/openldap/ldap.conf
Comment 4 Olaf Lessenich 2013-02-07 10:59:22 UTC 
My current workaround is downgrading to dev-libs/openssl-1.0.1c which fixes the issue for me.
Comment 5 Ryan Hill (RETIRED) gentoo-dev 2013-02-08 01:07:13 UTC 

*** This bug has been marked as a duplicate of bug 456108 ***