[Pdns-users] PowerDNS + TLS, How should Slapd be setup?

Kumba kumba at gentoo.org
Tue Feb 17 07:01:35 UTC 2009


Stumped on this, and after 3 hours of attacking it, pretty much lost on options.

I have in pdns.conf (all output has my domain name removed, FYI):
ldap-starttls=yes
ldap-host=ldaps://ldap.mydomain.com/

slapd runs with TLS/SSL enabled, certificates all set up, etc., tested with 
ldapsearch and with openssl s_client, but when I enabled pdns in monitoring 
mode, I get this:

Feb 17 00:52:28 Creating backend connection for TCP
Feb 17 05:52:28 [LdapBackend] LDAP servers = ldaps://ldap.mydomain.com/
% Feb 17 05:52:28 [LdapBackend] Ldap connection to server failed: Couldn't 
perform STARTTLS: Operations error
Feb 17 05:52:28 Caught an exception instantiating a backend, cleaning up
Feb 17 05:52:28 TCP server is unable to launch backends - will try again when 
questions come in: Unable to connect to ldap server


So I jacked up the logging level in slapd and see this in /var/log/messages:

Feb 17 00:57:14 helcaraxe slapd[1958]: daemon: epoll: listen=7 active_threads=0 
tvp=zero
Feb 17 00:57:14 helcaraxe slapd[1958]: do_extended
Feb 17 00:57:14 helcaraxe slapd[1958]: do_extended: oid=1.3.6.1.4.1.1466.20037
Feb 17 00:57:14 helcaraxe slapd[1958]: conn=17 op=0 STARTTLS
Feb 17 00:57:14 helcaraxe slapd[1958]: send_ldap_extended: err=1 oid= len=0
Feb 17 00:57:14 helcaraxe slapd[1958]: send_ldap_response: msgid=1 tag=120 err=1
Feb 17 00:57:14 helcaraxe slapd[1958]: conn=17 op=0 RESULT oid= err=1 text=TLS 
already started
Feb 17 00:57:14 helcaraxe slapd[1958]: daemon: activity on 1 descriptor
Feb 17 00:57:14 helcaraxe slapd[1958]: daemon: activity on:
Feb 17 00:57:14 helcaraxe slapd[1958]:  11r
Feb 17 00:57:14 helcaraxe slapd[1958]:


Did some digging, and it looks to me like the function call in 
modules/ldapbackend/powerldap.cc:46,

    if( tls && ( err = ldap_start_tls_s( d_ld, NULL, NULL ) ) != LDAP_SUCCESS )

fails because I already have TLS/SSL enabled on my instance of slapd.

This is based on an MSDN article on that particular function (and the man 3 page 
seems to confirm this as well).

So, assuming this is a correct assumption, is there any kind of details on how 
our slapd should be configured as far as TLS is concerned?  Google did not turn 
up a whole lot of information.  Or does that particular function in powerldap.cc 
need a little better error handling?  Like say, if StartTLS is already active on 
the connection because of slapd's configuration, should the function instead 
move directly to attempting to install the TLS handlers and then bugging out 
only if that fails?

I tried to modify as such, but didn't get anywhere, and figured I'd get better 
luck asking such a question here than banging my head on the desk over this 
anymore (not really, but you get the drift...).



I'm also able to trigger an Assertion error.  If ldap-starttls=yes and ldap-host 
does NOT have an ldaps:// URI, OR vice-versa, then the following crash happens:

  * Starting PowerDNS (default) in monitor mode ...
Feb 16 22:38:33 Reading random entropy from '/dev/urandom'
Feb 16 22:38:33  [LdapBackend] This is the ldap module version 2.9.22 (Feb 15 
2009, 21:40:56) reporting
Feb 16 22:38:33 This is a standalone pdns
Feb 16 22:38:33 UDP server bound to 192.168.1.17:53
Feb 16 22:38:33 TCP server bound to 192.168.1.17:53
Feb 16 22:38:33 PowerDNS 2.9.22 (C) 2001-2009 PowerDNS.COM BV (Feb 15 2009, 
21:41:25, gcc 4.3.2) starting up
Feb 16 22:38:33 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
software, and you are welcome to redistribute it according to the terms of the 
GPL version 2.
Feb 16 22:38:33 DNS Proxy launched, local port 15833, remote 127.0.0.1:53
Feb 16 22:38:33 Creating backend connection for TCP
Feb 17 03:38:33 [LdapBackend] LDAP servers = ldaps://127.0.0.1
% pdns_server: options.c:108: ldap_get_option: Assertion `( 
(ld)->ld_options.ldo_valid == 0x2 )' failed.
Feb 17 03:38:33 Got a signal 6, attempting to print trace:
Feb 17 03:38:33 /usr/sbin/pdns_server [0x47eb85]
Feb 17 03:38:33 /lib64/libc.so.6 [0x72126fcfe290]
Feb 17 03:38:33 /lib64/libc.so.6(gsignal+0x35) [0x72126fcfe205]
Feb 17 03:38:33 /lib64/libc.so.6(abort+0x183) [0x72126fcff723]
Feb 17 03:38:33 /lib64/libc.so.6(__assert_fail+0xe9) [0x72126fcf7229]
Feb 17 03:38:33 /usr/lib/libldap_r-2.3.so.0(ldap_get_option+0x472) [0x72126f88c6f2]
Feb 17 03:38:33 
/usr/lib64/powerdns/libldapbackend.so(_ZN9PowerLDAP9getOptionEiPi+0x1b) 
[0x72126fac3a9b]
Feb 17 03:38:33 
/usr/lib64/powerdns/libldapbackend.so(_ZN9PowerLDAP8getErrorEi+0x4a) 
[0x72126fac3bca]
Feb 17 03:38:33 
/usr/lib64/powerdns/libldapbackend.so(_ZN9PowerLDAPC1ERKSstb+0x31f) [0x72126fac479f]
Feb 17 03:38:33 
/usr/lib64/powerdns/libldapbackend.so(_ZN11LdapBackendC1ERKSs+0x5a5) 
[0x72126fab8625]
Feb 17 03:38:33 
/usr/lib64/powerdns/libldapbackend.so(_ZN11LdapFactory4makeERKSs+0x29) 
[0x72126fac2ba9]
Feb 17 03:38:33 /usr/sbin/pdns_server(_ZN17BackendMakerClass3allEv+0x18c) [0x467f0c]
Feb 17 03:38:33 /usr/sbin/pdns_server(_ZN12UeberBackendC1ERKSs+0x155) [0x487055]
Feb 17 03:38:33 /usr/sbin/pdns_server(_ZN13PacketHandlerC1Ev+0x25) [0x445825]
Feb 17 03:38:33 /usr/sbin/pdns_server(_ZN13TCPNameserver2goEv+0xc2) [0x44f942]
Feb 17 03:38:33 /usr/sbin/pdns_server(_Z10mainthreadv+0x581) [0x4aa201]
Feb 17 03:38:33 /usr/sbin/pdns_server(main+0x2714) [0x485054]
Feb 17 03:38:33 /lib64/libc.so.6(__libc_start_main+0xe6) [0x72126fcea5c6]
Feb 17 03:38:33 /usr/sbin/pdns_server [0x42e429]
/etc/init.d/pdns: line 49: 31635 Aborted                 /usr/sbin/pdns_server 
${PDNS_CONFIG} --daemon=no --guardian=no --control-console=yes --loglevel=9 
--log-dns-details=yes --query-logging=yes 
 



Not a clue in the world where to tackle this one from.  That's coming out of 
glibc itself, and those are never fun to track down.

Cheers!,

-- 
Joshua Kinard
Gentoo/MIPS
kumba at gentoo.org

"The past tempts us, the present confuses us, the future frightens us.  And our 
lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
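The two settings in the post are asking for the same thing twice. StartTLS (the LDAP extended operation with OID 1.3.6.1.4.1.1466.20037, the one visible in the slapd log) upgrades a plaintext ldap:// session to TLS after the connection is open; an ldaps:// URI is TLS from the first byte, so a StartTLS request on it is exactly what slapd rejects with "TLS already started" (err=1, operationsError). The following is an added example, not PowerDNS or OpenLDAP code: a small checker that parses a pdns.conf fragment and flags the inconsistent combinations before the backend is ever launched. The sample configs are constructed, and the default host value ldap://127.0.0.1:389/ and the reading of ldap-host as a space-separated list of URIs are assumptions based on the PowerDNS documentation.

```python
"""Static check of a pdns.conf LDAP section for the StartTLS / ldaps mismatch.

Added example; assumes pdns.conf is plain key=value lines with '#' comments,
that ldap-host is a space-separated list of LDAP URIs, and that the
documented default host is ldap://127.0.0.1:389/.
"""
from urllib.parse import urlsplit

# Constructed sample, modelled on the combination in the post: StartTLS
# requested on a port that is already wrapped in TLS.
BROKEN_CONF = """\
launch=ldap
ldap-basedn=dc=example,dc=com
ldap-starttls=yes                       # asks slapd to StartTLS ...
ldap-host=ldaps://ldap.example.com/     # ... on a connection that is already TLS
"""

# The same backend fixed either way; each variant is internally consistent.
FIXED_STARTTLS_CONF = """\
launch=ldap
ldap-basedn=dc=example,dc=com
ldap-starttls=yes
ldap-host=ldap://ldap.example.com/
"""

FIXED_LDAPS_CONF = """\
launch=ldap
ldap-basedn=dc=example,dc=com
ldap-starttls=no
ldap-host=ldaps://ldap.example.com/
"""

PDNS_DEFAULT_HOST = "ldap://127.0.0.1:389/"   # assumed documented default


def parse_pdns_conf(text):
    """Parse key=value lines; '#' starts a comment, a later key overrides."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")


def check_ldap_tls(conf):
    """Return a list of (uri, problem) tuples; an empty list means consistent."""
    problems = []
    starttls = is_yes(conf.get("ldap-starttls", "no"))
    for uri in conf.get("ldap-host", PDNS_DEFAULT_HOST).split():
        # urlsplit would treat a bare "host:389" as scheme "host", so only
        # trust the scheme when the URI really carries one.
        scheme = urlsplit(uri).scheme.lower() if "://" in uri else ""
        if scheme == "ldaps" and starttls:
            problems.append((uri, "ldap-starttls=yes on an ldaps:// URI: slapd "
                             "answers StartTLS with 'TLS already started'; set "
                             "ldap-starttls=no or switch the URI to ldap://"))
        elif scheme == "ldap" and not starttls:
            problems.append((uri, "ldap:// without ldap-starttls=yes: the bind "
                             "credentials and zone data travel in cleartext"))
        elif scheme not in ("ldap", "ldaps", "ldapi"):
            problems.append((uri, "not an ldap://, ldaps:// or ldapi:// URI"))
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF),
                       ("fixed/starttls", FIXED_STARTTLS_CONF),
                       ("fixed/ldaps", FIXED_LDAPS_CONF)):
        for uri, problem in check_ldap_tls(parse_pdns_conf(text)) or [(None, "ok")]:
            print(f"{name}: {uri or '-'}: {problem}")
```

To confirm which mode a given slapd port actually speaks, `ldapsearch -H ldap://host -ZZ` exercises StartTLS on the plaintext port and `ldapsearch -H ldaps://host` exercises implicit TLS; a PowerDNS config should match exactly one of those. The second failure in the post is a different bug: OpenLDAP's ldap_get_option asserts that the LDAP* handle it is given is a live, initialized session (ldo_valid == 0x2), so the trace shows the backend's error-reporting path being called with a handle that was never successfully initialized or had already been torn down. The abort() comes from glibc only because that is where assert() lives; the thing to inspect is the handle the LDAP backend passes in, not glibc.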

