[Pdns-users] PowerDNS + TLS, How should Slapd be setup?
Kumba
kumba at gentoo.org
Tue Feb 17 07:01:35 UTC 2009
Stumped on this, and after 3 hours of attacking it, pretty much lost on options.
I have in pdns.conf (all output has my domain name removed, FYI):
ldap-starttls=yes
ldap-host=ldaps://ldap.mydomain.com/
slapd runs with TLS/SSL enabled, certificates all setup, etc.., tested with
ldapsearch, and with openssl s_client, but when I enabled pdns in monitoring
mode, I get this:
Feb 17 00:52:28 Creating backend connection for TCP
Feb 17 05:52:28 [LdapBackend] LDAP servers = ldaps://ldap.mydomain.com/
% Feb 17 05:52:28 [LdapBackend] Ldap connection to server failed: Couldn't
perform STARTTLS: Operations error
Feb 17 05:52:28 Caught an exception instantiating a backend, cleaning up
Feb 17 05:52:28 TCP server is unable to launch backends - will try again when
questions come in: Unable to connect to ldap server
So I jacked up the logging level in slapd and see this in /var/log/messages:
Feb 17 00:57:14 helcaraxe slapd[1958]: daemon: epoll: listen=7 active_threads=0
tvp=zero
Feb 17 00:57:14 helcaraxe slapd[1958]: do_extended
Feb 17 00:57:14 helcaraxe slapd[1958]: do_extended: oid=1.3.6.1.4.1.1466.20037
Feb 17 00:57:14 helcaraxe slapd[1958]: conn=17 op=0 STARTTLS
Feb 17 00:57:14 helcaraxe slapd[1958]: send_ldap_extended: err=1 oid= len=0
Feb 17 00:57:14 helcaraxe slapd[1958]: send_ldap_response: msgid=1 tag=120 err=1
Feb 17 00:57:14 helcaraxe slapd[1958]: conn=17 op=0 RESULT oid= err=1 text=TLS
already started
Feb 17 00:57:14 helcaraxe slapd[1958]: daemon: activity on 1 descriptor
Feb 17 00:57:14 helcaraxe slapd[1958]: daemon: activity on:
Feb 17 00:57:14 helcaraxe slapd[1958]: 11r
Feb 17 00:57:14 helcaraxe slapd[1958]:
Did some digging, and it looks to me like the function call in
modules/ldapbackend/powerldap.cc:46, if( tls && ( err = ldap_start_tls_s( d_ld,
NULL, NULL ) ) != LDAP_SUCCESS ), fails because I already have TLS/SSL enabled
on my instance of slapd.
This is based on an MSDN article on that particular function (and the man 3 page
seems to confirm this as well).
So, assuming this is a correct assumption, are there any details on how
our slapd should be configured as far as TLS is concerned? Google did not turn
up a whole lot of information. Or does that particular function in powerldap.cc
need a little better error handling? Like say, if StartTLS is already active on
the connection because of slapd's configuration, should the function instead
move directly to attempting to install the TLS handlers and then bugging out
only if that fails?
I tried to modify as such, but didn't get anywhere, and figured I'd get better
luck asking such a question here than banging my head on the desk over this
anymore (not really, but you get the drift...).
I'm also able to trigger an Assertion error. If ldap-starttls=yes and ldap-host
does NOT have an ldaps:// URI, OR vice-versa, then the following crash happens:
* Starting PowerDNS (default) in monitor mode ...
Feb 16 22:38:33 Reading random entropy from '/dev/urandom'
Feb 16 22:38:33 [LdapBackend] This is the ldap module version 2.9.22 (Feb 15
2009, 21:40:56) reporting
Feb 16 22:38:33 This is a standalone pdns
Feb 16 22:38:33 UDP server bound to 192.168.1.17:53
Feb 16 22:38:33 TCP server bound to 192.168.1.17:53
Feb 16 22:38:33 PowerDNS 2.9.22 (C) 2001-2009 PowerDNS.COM BV (Feb 15 2009,
21:41:25, gcc 4.3.2) starting up
Feb 16 22:38:33 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free
software, and you are welcome to redistribute it according to the terms of the
GPL version 2.
Feb 16 22:38:33 DNS Proxy launched, local port 15833, remote 127.0.0.1:53
Feb 16 22:38:33 Creating backend connection for TCP
Feb 17 03:38:33 [LdapBackend] LDAP servers = ldaps://127.0.0.1
% pdns_server: options.c:108: ldap_get_option: Assertion `(
(ld)->ld_options.ldo_valid == 0x2 )' failed.
Feb 17 03:38:33 Got a signal 6, attempting to print trace:
Feb 17 03:38:33 /usr/sbin/pdns_server [0x47eb85]
Feb 17 03:38:33 /lib64/libc.so.6 [0x72126fcfe290]
Feb 17 03:38:33 /lib64/libc.so.6(gsignal+0x35) [0x72126fcfe205]
Feb 17 03:38:33 /lib64/libc.so.6(abort+0x183) [0x72126fcff723]
Feb 17 03:38:33 /lib64/libc.so.6(__assert_fail+0xe9) [0x72126fcf7229]
Feb 17 03:38:33 /usr/lib/libldap_r-2.3.so.0(ldap_get_option+0x472) [0x72126f88c6f2]
Feb 17 03:38:33
/usr/lib64/powerdns/libldapbackend.so(_ZN9PowerLDAP9getOptionEiPi+0x1b)
[0x72126fac3a9b]
Feb 17 03:38:33
/usr/lib64/powerdns/libldapbackend.so(_ZN9PowerLDAP8getErrorEi+0x4a)
[0x72126fac3bca]
Feb 17 03:38:33
/usr/lib64/powerdns/libldapbackend.so(_ZN9PowerLDAPC1ERKSstb+0x31f) [0x72126fac479f]
Feb 17 03:38:33
/usr/lib64/powerdns/libldapbackend.so(_ZN11LdapBackendC1ERKSs+0x5a5)
[0x72126fab8625]
Feb 17 03:38:33
/usr/lib64/powerdns/libldapbackend.so(_ZN11LdapFactory4makeERKSs+0x29)
[0x72126fac2ba9]
Feb 17 03:38:33 /usr/sbin/pdns_server(_ZN17BackendMakerClass3allEv+0x18c) [0x467f0c]
Feb 17 03:38:33 /usr/sbin/pdns_server(_ZN12UeberBackendC1ERKSs+0x155) [0x487055]
Feb 17 03:38:33 /usr/sbin/pdns_server(_ZN13PacketHandlerC1Ev+0x25) [0x445825]
Feb 17 03:38:33 /usr/sbin/pdns_server(_ZN13TCPNameserver2goEv+0xc2) [0x44f942]
Feb 17 03:38:33 /usr/sbin/pdns_server(_Z10mainthreadv+0x581) [0x4aa201]
Feb 17 03:38:33 /usr/sbin/pdns_server(main+0x2714) [0x485054]
Feb 17 03:38:33 /lib64/libc.so.6(__libc_start_main+0xe6) [0x72126fcea5c6]
Feb 17 03:38:33 /usr/sbin/pdns_server [0x42e429]
/etc/init.d/pdns: line 49: 31635 Aborted /usr/sbin/pdns_server
${PDNS_CONFIG} --daemon=no --guardian=no --control-console=yes --loglevel=9
--log-dns-details=yes --query-logging=yes
Not a clue in the world where to tackle this one from. That's coming out of
glibc itself, and those are never fun to track down.
Cheers!
--
Joshua Kinard
Gentoo/MIPS
kumba at gentoo.org
"The past tempts us, the present confuses us, the future frightens us. And our
lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
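A configuration check for the ldap-host / ldap-starttls combination discussed in the post above, written here as an added example (it is not PowerDNS code and not the author's patch); the type and function names are assumptions. It rejects the ldaps:// plus ldap-starttls=yes mismatch before any libldap call is made, so the operator sees a clear error instead of the "TLS already started" failure or the later assertion.

```cpp
// Added example: validate ldap-host / ldap-starttls before touching libldap.
// Names (TlsMode, TlsPlan, planTls) are hypothetical, not PowerDNS identifiers.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

enum class TlsMode { Plain, StartTls, Ldaps };

struct TlsPlan {
    bool ok;             // configuration is consistent
    TlsMode mode;        // how the connection will be protected
    bool callStartTls;   // whether ldap_start_tls_s() must be issued after ldap_initialize()
    std::string reason;  // diagnostic for the operator
};

// Returns the lower-cased URI scheme, or "" when the entry is a bare host.
static std::string lowerScheme(const std::string& uri) {
    std::string::size_type p = uri.find("://");
    if (p == std::string::npos) return "";
    std::string s = uri.substr(0, p);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// hosts: the space-separated ldap-host value; startTls: the ldap-starttls value.
TlsPlan planTls(const std::string& hosts, bool startTls) {
    std::istringstream in(hosts);
    std::string uri;
    bool anyLdaps = false, anyPlain = false;
    while (in >> uri) {
        std::string scheme = lowerScheme(uri);
        if (scheme == "ldaps") anyLdaps = true;
        else if (scheme == "ldap" || scheme.empty()) anyPlain = true;  // bare host means ldap://
        else return {false, TlsMode::Plain, false, "unsupported scheme in " + uri};
    }
    if (!anyLdaps && !anyPlain) return {false, TlsMode::Plain, false, "ldap-host is empty"};
    if (anyLdaps && anyPlain)
        return {false, TlsMode::Plain, false,
                "mixed ldap:// and ldaps:// URIs: STARTTLS would succeed or fail depending on which server answers"};
    if (anyLdaps && startTls)
        return {false, TlsMode::Ldaps, false,
                "ldap-starttls=yes with ldaps://: TLS is already started on an ldaps connection, STARTTLS would fail"};
    if (anyLdaps) return {true, TlsMode::Ldaps, false, "implicit TLS via ldaps://"};
    if (startTls) return {true, TlsMode::StartTls, true, "STARTTLS on ldap://"};
    return {true, TlsMode::Plain, false, "cleartext LDAP (no TLS requested)"};
}

int main() {
    // The combination from the post: ldaps:// URI together with ldap-starttls=yes.
    TlsPlan p = planTls("ldaps://ldap.mydomain.com/", true);
    std::cout << (p.ok ? "ok: " : "config error: ") << p.reason << "\n";
    return p.ok ? 0 : 1;
}
```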