Hi,
I am working on establishing a Samba+LDAP server with management by the
smbldap tools from idealx. Versions are Samba 3.0.14a, OpenLDAP 2.2.24,
smbldap tools 0.8.8 all on Solaris 8. I'm thinking I have a problem with
my perl (perhaps), version 5.8.5, as I keep getting "Broken pipe" messages
when using smbldap-populate, smbldap-groupadd, etc. Google produced no
useful results in my searches. I would like some suggestions on how to
troubleshoot this issue.
I placed the -d option to perl in smbldap-passwd and got the following:
. . .
DB<1>
Net::LDAP::search(/usr/local/lib/perl5/site_perl/5.8.5/Net/LDAP.pm:404):
404: if (exists $arg->{scope}) {
DB<1>
Net::LDAP::search(/usr/local/lib/perl5/site_perl/5.8.5/Net/LDAP.pm:405):
405: my $sc = lc $arg->{scope};
DB<1>
Net::LDAP::search(/usr/local/lib/perl5/site_perl/5.8.5/Net/LDAP.pm:406):
406: $stash{scope} = 0 + (exists $scope{$sc} ? $scope{$sc} : $sc);
DB<1>
Net::LDAP::search(/usr/local/lib/perl5/site_perl/5.8.5/Net/LDAP.pm:409):
409: if (exists $arg->{deref}) {
DB<1>
Net::LDAP::search(/usr/local/lib/perl5/site_perl/5.8.5/Net/LDAP.pm:415):
415: searchRequest => \%stash,
416: controls => $control
417: ) or return _error($ldap, $mesg, LDAP_ENCODING_ERROR,"$@");
DB<1>
Net::LDAP::search(/usr/local/lib/perl5/site_perl/5.8.5/Net/LDAP.pm:419):
419: $ldap->_sendmesg($mesg);
DB<1>
Broken pipe
lauterbur{181}#
Possibly relevant excerpt from /usr/local/samba/sbin/smbldap.conf:
# Ex: slaveLDAP=127.0.0.1
##slaveLDAP="127.0.0.1"
##slaveLDAP="hahn.uoregon.edu"
slaveLDAP="lauterbur.uoregon.edu"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
##masterLDAP="hahn.uoregon.edu"
masterLDAP="lauterbur.uoregon.edu"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="1"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/usr/local/etc/cacert.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/usr/local/etc/lauterbur.slapd-cert.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/usr/local/etc/lauterbur.slapd-key.pem"
And from /usr/local/etc/openldap/slapd.conf:
. . .
TLSCipherSuite HIGH:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/etc/cacert.pem
TLSCertificateFile /usr/local/etc/lauterbur.slapd-cert.pem
TLSCertificateKeyFile /usr/local/etc/lauterbur.slapd-key.pem
security ssf=1 update_ssf=128 simple_bind=128 update_tls=128 tls=128
. . .
Other ldap commands work fine from the same machine and from other
networked machines. I've got login authentication working, my
/etc/ldap.conf:
## LDAP configuration file for pam_ldap module.
##host 128.223.78.85
##host 128.223.78.80
host lauterbur.uoregon.edu
base dc=lcni,dc=uoregon,dc=edu
scope sub
timelimit 30
pam_login_attribute uid
pam_filter_class posixAccount
ssl start_tls
tls_cacertfile /usr/local/etc/cacert.pem
tls_ciphers HIGH
pam_filter &(objectClass=posixAccount)(description=lauterbur)
##nss_base_passwd ou=people,dc=lcni,dc=uoregon,dc=edu
nss_base_passwd ou=People,dc=lcni,dc=uoregon,dc=edu
nss_base_passwd ou=Computers,dc=lcni,dc=uoregon,dc=edu
##nss_base_shadow ou=people,dc=lcni,dc=uoregon,dc=edu
nss_base_shadow ou=People,dc=lcni,dc=uoregon,dc=edu
##nss_base_group ou=group,dc=lcni,dc=uoregon,dc=edu
nss_base_group ou=Groups,dc=lcni,dc=uoregon,dc=edu
This is maddening, as it is standing in the way of my migration from TAS to
Samba+LDAP.
I am pathetically in need of assistance; any suggestions would be appreciated.
Regards,
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
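
One way to isolate the failure outside the smbldap tools, as an added example that is not part of the original message or of smbldap-tools: the script below replays connect, start_tls, bind and search through Net::LDAP with the settings quoted from smbldap.conf, and names the step at which the connection drops. The anonymous bind, the base-scope search filter and the 30-second timeout are assumptions made for the test.

```perl
#!/usr/bin/perl
# Added diagnostic example (not smbldap-tools code).
use strict;
use warnings;
use Net::LDAP;

# Values copied from the smbldap.conf and /etc/ldap.conf excerpts above.
my %cfg = (
    host       => 'lauterbur.uoregon.edu',
    port       => 389,
    base       => 'dc=lcni,dc=uoregon,dc=edu',
    verify     => 'require',
    cafile     => '/usr/local/etc/cacert.pem',
    clientcert => '/usr/local/etc/lauterbur.slapd-cert.pem',
    clientkey  => '/usr/local/etc/lauterbur.slapd-key.pem',
);

# Turn SIGPIPE into a catchable error so the failing step is reported
# instead of the process dying with a bare "Broken pipe".
$SIG{PIPE} = sub { die "SIGPIPE: peer closed the connection\n" };

# Run one LDAP operation and stop with the step name if it fails.
sub step {
    my ($name, $op) = @_;
    my $mesg = eval { $op->() };
    die "FAILED at $name: $@" if $@;
    die "FAILED at $name: " . $mesg->error . " (code " . $mesg->code . ")\n"
        if ref $mesg && $mesg->code;
    print "ok: $name\n";
    return $mesg;
}

my $ldap = Net::LDAP->new($cfg{host}, port => $cfg{port}, timeout => 30)
    or die "FAILED at connect: $@\n";
print "ok: connect\n";

step('start_tls', sub {
    $ldap->start_tls(
        verify     => $cfg{verify},
        cafile     => $cfg{cafile},
        clientcert => $cfg{clientcert},
        clientkey  => $cfg{clientkey},
    );
});
# cipher() is undef when the session was not actually upgraded to TLS.
printf "cipher: %s\n", $ldap->cipher || 'none (TLS not active)';

step('anonymous bind', sub { $ldap->bind });
step('base search', sub {
    $ldap->search(base => $cfg{base}, scope => 'base', filter => '(objectClass=*)');
});
$ldap->unbind;
```

Run it as the same user that runs smbldap-passwd, so that read permissions on the client key and certificate files are exercised the same way.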