# ldap tls problem when using nss_ldap

## moredhas

Have run into a problem here with my OpenLDAP installation.

I have a functioning directory with TLS support set up and verified by using ldapsearch with the -ZZ flags. As I am in the process of building and testing an LDAP/Samba domain system, the next step is to add nss_ldap support. The problem is that after adding the ldap directives to my nsswitch.conf I have found that, if I try to restart the slapd daemon, TLS stops working.

The problem seems to be connected to running the slapd daemon as a non-root user. Running the daemon manually like this:

```
/usr/lib/openldap/slapd -d 296 -l local6 -h "ldap:/// ldaps:///"
```

Works, whereas running as the ldap user like this:

```
/usr/lib/openldap/slapd -u ldap -g ldap -d 296 -l local6 -h "ldap:/// ldaps:///"
```

Does not. An attempt to search the directory returns the following error:

```
trillian root # ldapsearch -x -ZZ -H ldap://slave-ldap2.test.bogus.co.uk/ -b "dc=bogus,dc=co,dc=uk" "(objectclass=*)"
ldap_start_tls: Connect error (91)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
trillian root #
```

All the file ownerships and permissions seem OK; taking the ldap directives back out of the nsswitch.conf file returns the slapd daemon to normal.

```
################# /etc/ldap.conf ####################
base dc=bogus,dc=co,dc=uk
# ldap is a round robin set of ldap servers, ssl certificates set up appropriately
uri ldap://ldap.buildstore.co.uk/
ldap_version 3
binddn cn=nss,dc=bogus,dc=co,dc=uk
bindpw {SECRET}
nss_base_passwd dc=bogus,dc=co,dc=uk
nss_base_group  ou=groups,dc=bogus,dc=co,dc=uk
nss_base_netgroup ou=netgroup,dc=bogus,dc=co,dc=uk
ssl start_tls
tls_checkpeer yes
tls_ciphers HIGH:MEDIUM
TLS_CACERT /etc/openldap/ssl/cacert.pem

################ /etc/openldap/ldap.conf ################
base dc=bogus,dc=co,dc=uk
# ldap is a round robin set of ldap servers, ssl certificates set up appropriately
uri ldap://ldap.bogus.co.uk/
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_ciphers HIGH:MEDIUM
TLS_CACERT /etc/openldap/ssl/cacert.pem

############# /etc/openldap/slapd.conf ###############
#  slapd configuration for slave server

# Include required schema files
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/automount.schema
include         /etc/openldap/schema/samba.schema

schemacheck     on
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
password-hash   {MD5}
loglevel        0
sizelimit       100

# TLS certificates setup
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
TLSCACertificateFile /etc/openldap/ssl/cacert.pem

# ******************************* System Backend **********************
backend         bdb

# -- slave slapd --
# database definition and parameters
database        bdb
directory       "/var/lib/openldap-data"
cachesize       2000
checkpoint      512     720
mode            0600

# root suffix of directory
suffix          "dc=bogus,dc=co,dc=uk"

# replica's administrative DN and crypted password
rootdn          cn=replica,dc=bogus,dc=co,dc=uk
rootpw          {MD5}SECRET

# DN that will be used by master's slurpd to replicate
updatedn        "cn=replica,dc=bogus,dc=co,dc=uk"

# URL of master server that can accept update requests
updateref       ldap://master-ldap.bogus.co.uk/

# Don't put all your energy in a senseless searching
#
index           objectclass     eq
index           sn              pres,sub,eq
## required to support pdb_getsampwnam
index           uid             pres,sub,eq
## required to support pdb_getsambapwrid()
index           displayName     pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index           uidNumber       eq
index           gidNumber       eq
index           memberUid       eq
index           sambaSID        eq
index           sambaPrimaryGroupSID  eq
index           sambaDomainName eq
index           default         sub

# Save the time that the entry gets modified
lastmod         on

# Access control
#
access to attribute=userPassword
  by dn="cn=administrator,dc=bogus,dc=co,dc=uk" write
  by dn="uid=ntadmin,ou=users,dc=bogus,dc=co,dc=uk" write
  by self write
  by anonymous auth
  by * none

# Don't let users snoop Windows passwords
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=administrator,dc=bogus,dc=co,dc=uk" write
  by dn="uid=ntadmin,ou=users,dc=bogus,dc=co,dc=uk" write
  by anonymous auth
  by * none

# Allow the Domain admin to add or modify Trust Accounts
access to dn="ou=computers,dc=bogus,dc=co,dc=uk"
  by dn="cn=administrator,dc=bogus,dc=co,dc=uk" write
  by dn="uid=ntadmin,ou=users,dc=bogus,dc=co,dc=uk" write
  by users read

# Allow domain admin to add or modify User Accounts
access to dn="ou=users,dc=bogus,dc=co,dc=uk"
  by dn="cn=administrator,dc=bogus,dc=co,dc=uk" write
  by dn="uid=ntadmin,ou=users,dc=bogus,dc=co,dc=uk" write
  by users read

# Allow domain admin to add or modify groups
access to dn="ou=groups,dc=bogus,dc=co,dc=uk"
  by dn="cn=administrator,dc=bogus,dc=co,dc=uk" write
  by dn="uid=ntadmin,ou=users,dc=bogus,dc=co,dc=uk" write
  by users read

# Allow domain admin write access to NextFreeUnixId
access to dn="ou=domain_info,dc=bogus,dc=co,dc=uk"
  by dn="cn=administrator,dc=bogus,dc=co,dc=uk" write
  by dn="uid=ntadmin,ou=users,dc=bogus,dc=co,dc=uk" write
  by * none

# Allow anonymous reads for automount maps
access to dn="ou=automount,dc=bogus,dc=co,dc=uk"
  by dn="cn=administrator,dc=bogus,dc=co,dc=uk" write
  by * read

# Allow access to Samba Domain Name
access to dn="SambaDomainName=TEST,dc=bogus,dc=co,dc=uk"
  by * read

# Access to the rest of the tree
access to *
  by dn="cn=administrator,dc=bogus,dc=co,dc=uk" write
  by dn="cn=nss,dc=bogus,dc=co,dc=uk" read
  by * none
```

----------
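The error in the first post is worth reading precisely: ldapsearch got a successful StartTLS extended response from slapd and then, at the SSL23_GET_SERVER_HELLO stage, received a handshake_failure alert from the server. That alert means the server's TLS side refused the ClientHello before presenting any certificate, typically because it has no certificate/key loaded in its context or no cipher in common with the client; it is not a certificate-verification failure on the client. The probe below is an added example written for this page (not code from the thread or from OpenLDAP): it performs the LDAPv3 StartTLS exchange by hand (ExtendedRequest with OID 1.3.6.1.4.1.1466.20037, encoded in BER), then upgrades the socket with Python's ssl module and reports which of the three layers failed. The host, port and CA file are whatever you pass in; nothing is tied to the thread's hosts.

```python
"""LDAPv3 StartTLS probe: hand-built BER exchange plus TLS upgrade.

Added example, not from the thread. Distinguishes three outcomes:
  - the LDAP layer refused StartTLS (resultCode != 0),
  - the server aborted the handshake with an alert (the thread's symptom),
  - the client rejected the server certificate (CA / hostname check).
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x77 = [APPLICATION 23], 0x80 = [0] requestName
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos:]; returns (tag, value, position after the TLV)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                                    # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_extended_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:                                  # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op, 0)                   # ENUMERATED resultCode
    _, _matched, pos = read_tlv(op, pos)             # LDAPDN matchedDN
    _, diag, _ = read_tlv(op, pos)                   # LDAPString diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def starttls_probe(host: str, port: int = 389, cafile: str = None, timeout: float = 5.0) -> str:
    """Run the exchange against a live server and classify the outcome (network call,
    not exercised offline). cafile plays the role of TLS_CACERT in the thread's ldap.conf."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname, like tls_checkpeer yes
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        _, code, diag = parse_extended_response(sock.recv(4096))  # single read; response is ~14 bytes
        if code != 0:
            return "ldap-refused: resultCode=%d %s" % (code, diag)
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLCertVerificationError as e:
            return "client-rejected-cert: %s" % e.verify_message
        except ssl.SSLError as e:
            # Alert from the server at/after ClientHello: no usable cert/key or cipher on its side.
            return "server-aborted-handshake: %s" % e.reason
        subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
        tls.close()
        return "ok: %s" % subject


if __name__ == "__main__":
    import sys
    print(starttls_probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

The request bytes it emits (30 1d 02 01 01 77 18 80 16 followed by the OID string) are the same ones ldapsearch -ZZ sends, so a packet capture of a failing client can be compared against it directly. The ssl context defaults are those of a current Python, which refuse anything below TLS 1.2; against a server of the vintage discussed here, set ctx.minimum_version to ssl.TLSVersion.TLSv1 first, otherwise a protocol-version mismatch would be reported in the server-aborted-handshake bucket.

----------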

## moredhas

Seems that if I comment out the ssl start_tls parameter in the /etc/ldap.conf file then the server will start successfully even with the ldap parameters in nsswitch.conf.

Ian

----------

## moredhas

Using uri ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock/ in /etc/ldap.conf also works, though it somewhat defeats the utility of having multiple ldap servers. On the other hand, as the system can use its own ldap service, doing it through the socket at least cuts down on network traffic and stops encryption being an issue.

Ian

----------

## gsurbey

Fixed an error here... but why did a setting in an nss ldap client config file fix an openldap daemon server issue?

```
ldap2 # ldapsearch -x
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
```

vi /etc/ldap.conf, changed the following line from:

```
host ldap.bluecanopy.com
```

to:

```
host ldap2.bluecanopy.com
```

```
ldap2 # /etc/init.d/slapd restart
 * Stopping ldap-server ...                                               [ ok ]
 * Starting ldap-server ...                                               [ ok ]
ns2 ssl # ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
ldap2 #
```

----------

## moredhas

I think that when it is starting as a non-root user it is having problems accessing the server key file. Mine is set to uid ldap and gid ldap with -rw------- permissions. Even though the ldap user and group are in files rather than ldap I think it doesn't manage to read the file. If you take ldap out of nsswitch.conf that also lets it start, changing the order did not help.

Using the socket allows it to succeed, using a remote directory server in ldap.conf should also work. Just not itself.

That's my pet theory anyway; going to have to revisit this soon, as I'm going to be adding another couple of ldap servers.

Ian

----------
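The theory in the post above (slapd, once it has dropped to uid ldap, cannot read the 0600 key file) can be tested directly instead of inferred from which nsswitch.conf variant happens to start. The script below is an added example for this page, not code from the thread or from OpenLDAP. It reproduces the kernel's owner/group/other read rule on the stat() bits, so it runs as any user and needs neither root nor a shell as the service user; the path /etc/openldap/ssl/serverkey.pem and the user name ldap in the __main__ block are taken from the configs posted earlier, and demo() works on a throwaway file it creates itself.

```python
"""Can the user slapd drops to (-u ldap -g ldap) read TLSCertificateKeyFile?

Added example, not from the thread. Reproduces the DAC read check on
stat() bits rather than trying to open the file as that user, so it can be
run by anyone without touching the key's permissions.
"""
import grp
import os
import pwd
import stat
import tempfile


def readable_by(path: str, uid: int, gids) -> bool:
    """Owner/group/other rule for a regular file; uid 0 bypasses DAC (CAP_DAC_READ_SEARCH)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def service_user_ids(username: str):
    """uid plus primary and supplementary gids, resolved through NSS.

    Note: with ldap in nsswitch.conf this very lookup may go to the directory,
    which is the dependency the thread is about.
    """
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def check_key_file(path: str, username: str) -> dict:
    """What slapd running as `username` would see for its private key file."""
    uid, gids = service_user_ids(username)
    st = os.stat(path)
    return {
        "owner": pwd.getpwuid(st.st_uid).pw_name,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "readable_by_service_user": readable_by(path, uid, gids),
        # anything beyond owner-only read exposes the private key to other local users
        "world_or_group_readable": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def demo() -> dict:
    """Offline check on a constructed 0600 file standing in for serverkey.pem."""
    fd, path = tempfile.mkstemp(prefix="serverkey-", suffix=".pem")
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        me = os.getuid()
        st = os.stat(path)
        return {
            "owner_can_read": readable_by(path, me, os.getgroups()),
            "stranger_can_read": readable_by(path, me + 100001, []),   # constructed uid, not the owner
            "world_or_group_readable": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(check_key_file("/etc/openldap/ssl/serverkey.pem", "ldap"))
```

If the report shows owner ldap, mode 0o600 and readable_by_service_user True, file permissions are not the cause and the version bug gsurbey turns up later in the thread is the remaining candidate; do not widen the mode to "test" this, since owner-only read is exactly what a server private key should keep. One further caveat on the posted /etc/ldap.conf: nss_ldap's client config has to be readable by every process that does a name lookup, so a bindpw stored there is effectively readable by every local user; the documented alternative in nss_ldap is rootbinddn with the password kept in /etc/ldap.secret at mode 0600.

----------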

## gsurbey

Did some research.  This looks like a known bug http://www.openldap.org/its/index.cgi/Incoming?id=3828

I tested "I'll note that using my own build of current code (2.2.27 and 2.3.4) no such problem occurs." by doing the following.

```
ldap2 ~ # echo "=net-nds/openldap-2.2.27-r1 ~x86" >> /etc/portage/package.keywords
ldap2 ~ # /etc/init.d/slapd stop
ldap2 ~ # slapcat -l backup.ldif
ldap2 ~ # mkdir /var/lib/openldap-data/old-db
ldap2 ~ # mv /var/lib/openldap-data/* /var/lib/openldap-data/old-db/
ldap2 ~ # emerge -u net-nds/openldap
ldap2 ~ # dispatch-conf
ldap2 ~ # revdep-rebuild --soname liblber.so.2
ldap2 ~ # revdep-rebuild --soname libldap.so.2
ldap2 ~ # revdep-rebuild --soname libldap_r.so.2
ldap2 ~ # /etc/init.d/slapd start
ldap2 ~ # /etc/init.d/slapd stop
ldap2 ~ # slapadd -l backup.ldif
ldap2 ~ # /etc/init.d/slapd start
```

I can confirm that this issue was resolved by the newer 2.2 version of ldap and that this bug will occur when using net-nds/openldap-2.1.30-r5.

----------

