FS#54186 - [libldap] openldap is linked against gnutls instead of openssl

Attached to Project: Arch Linux
Opened by viq (viq) - Thursday, 25 May 2017, 15:28 GMT
Last edited by Jan de Groot (JGC) - Tuesday, 15 August 2017, 11:36 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
Following the chain of dependencies, reading commit messages, and remembering how things used to be, I'd expect OpenLDAP to be linked against OpenSSL. I finally started looking into why it doesn't accept the cert for my LDAP server anymore, and it's because it's linked against GnuTLS, which has completely different directives for working with certs (and often just doesn't accept a directory of certs).

Additional info:
pacman -Q openldap
openldap 2.4.44-4

pacmatic -Ql openldap | grep usr/bin | grep -v /$ | cut -d' ' -f2 | xargs ldd | egrep '(^/|tls|ssl)'
/usr/bin/ldapadd:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f24f043e000)
/usr/bin/ldapcompare:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fa564ed3000)
/usr/bin/ldapdelete:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007eff59633000)
/usr/bin/ldapexop:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f3b524e4000)
/usr/bin/ldapmodify:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f71df85d000)
/usr/bin/ldapmodrdn:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fd6f0d2d000)
/usr/bin/ldappasswd:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fb8ad780000)
/usr/bin/ldapsearch:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fae7d1e0000)
/usr/bin/ldapurl:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f53b1569000)
/usr/bin/ldapwhoami:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f6cdd886000)
/usr/bin/slapacl:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f7b2c0db000)
/usr/bin/slapadd:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f89aa3e8000)
/usr/bin/slapauth:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f6da469c000)
/usr/bin/slapcat:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007feecac77000)
/usr/bin/slapd:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f933ae09000)
/usr/bin/slapdn:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fe5701a4000)
/usr/bin/slapindex:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fb3801ef000)
/usr/bin/slappasswd:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fc93bbb3000)
/usr/bin/slapschema:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007ff8a8880000)
/usr/bin/slaptest:
libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fbe21f2c000)

Steps to reproduce:
Install openldap, have LDAP server with TLS enabled, tell openldap to trust the cert, try to search for something:

$ egrep '(^SSL|^TLS)' /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/ssl
SSL start_tls

$ ldapsearch -x -ZZ -LLL -h ldap.example.com uid=someone
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)

Closed by Jan de Groot (JGC)
Tuesday, 15 August 2017, 11:36 GMT
Reason for closing: Fixed
Additional comments about closing: Updated to 2.4.45, uses OpenSSL 1.1 now.
Comment by Doug Newgard (Scimmia) - Tuesday, 06 June 2017, 17:19 GMT
openldap isn't linked to either one, but libldap is. I wonder if it's a side effect of the switch to openssl 1.1?
Comment by Alexandru Barbur (CtrlC-Root) - Sunday, 30 July 2017, 03:40 GMT
I just spent a few solid hours troubleshooting why my OpenLDAP server could no longer work with TLS before I found this bug report. This was definitely not always the case since the exact same setup worked a few months ago. I haven't tracked down at which point the package was changed but given how much I depend on this package I intend to just maintain my own from now on. The side effects of switching between OpenSSL and GnuTLS are typically completely broken SSL/TLS support and, if you're unlucky, an OpenLDAP config that will prevent slapd from starting at all.
Comment by Alexandru Barbur (CtrlC-Root) - Sunday, 30 July 2017, 03:41 GMT
I'm also not the only one who noticed: https://bbs.archlinux.org/viewtopic.php?id=228175
Comment by Alexandru Barbur (CtrlC-Root) - Sunday, 30 July 2017, 16:52 GMT
I think I figured out what happened. OpenSSL was updated and the existing version was maintained in the openssl-1.0 package. By default the configure script for OpenLDAP will use whatever SSL library is available. The currently packaged version of OpenLDAP does not work with the latest version of OpenSSL. I assume GnuTLS was installed on the system where it was compiled, however, and so the configure script elected to use that. I think the proper way forward is two-fold:

1) Update the OpenLDAP package to 2.4.45 which supports the new OpenSSL API. See https://www.openldap.org/software/release/changes.html for confirmation of this.
2) Modify the PKGBUILD to use --with-tls=openssl to force it to build against OpenSSL and fail if it's not available.

This is what I'm currently doing with my own package (https://github.com/CtrlC-Root/pkg-openldap) in a private repository. I see the OpenLDAP package is currently abandoned. I'd be willing to maintain it but I'm not sure what the process is to do that (i.e. who do I talk to, etc). In the meantime if anyone else finds this you should be able to download and build my package.
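An added example, written for this page and not code from the reporter or any commenter: it turns the ldd check from the description and the root-cause analysis in the comment above into a small audit. It classifies the TLS backend from ldd output and flags TLS_CACERTDIR when the backend is GnuTLS, since the ldap.conf(5) man page states that directive is ignored with GnuTLS and a TLS_CACERT bundle file is needed instead. The libldap path glob and the --live flag are assumptions; the sample ldd and ldap.conf text is constructed to mirror the report.

```shell
#!/bin/sh
# Added example (not from the bug report): find which TLS backend libldap
# or an OpenLDAP binary is linked against, and flag ldap.conf settings
# that the GnuTLS backend ignores (TLS_CACERTDIR).

# Classify ldd output: prints openssl, gnutls, both, or none.
tls_backend_of() {
    _out="$1"; _ssl=no; _gnutls=no
    printf '%s\n' "$_out" | grep -q 'libssl\.so'    && _ssl=yes
    printf '%s\n' "$_out" | grep -q 'libgnutls\.so' && _gnutls=yes
    case "$_ssl,$_gnutls" in
        yes,yes) echo both ;;
        yes,no)  echo openssl ;;
        no,yes)  echo gnutls ;;
        *)       echo none ;;
    esac
}

# Return 0 if the ldap.conf text works with the given backend, 1 with a
# diagnostic on stdout when GnuTLS is paired with a TLS_CACERTDIR line.
check_ldap_conf() {
    _backend="$1"; _conf="$2"
    if [ "$_backend" = gnutls ] &&
       printf '%s\n' "$_conf" | grep -qE '^[[:space:]]*TLS_CACERTDIR[[:space:]]'; then
        echo "TLS_CACERTDIR is ignored by the GnuTLS backend; use TLS_CACERT <bundle.pem>"
        return 1
    fi
    return 0
}

# Live audit of this host (assumed library path; run with --live).
audit_live() {
    _lib=$(ls /usr/lib/libldap*.so* 2>/dev/null | head -n 1)
    [ -n "$_lib" ] || { echo "libldap not found"; return 2; }
    _backend=$(tls_backend_of "$(ldd "$_lib")")
    echo "libldap TLS backend: $_backend"
    check_ldap_conf "$_backend" "$(cat /etc/openldap/ldap.conf 2>/dev/null)"
}

# Constructed sample input mirroring the report's ldd output and ldap.conf.
SAMPLE_LDD='/usr/bin/ldapsearch:
    libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007fae7d1e0000)'
SAMPLE_CONF='TLS_CACERTDIR /etc/openldap/ssl
SSL start_tls'

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```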
