Thread: src/test/perl/TestLib.pm: check_pg_config needs/usr/include/postgresql/pg_config.h

I believe check_pg_config as used by src/test/ssl/t/002_scram.pl
shouldn't rely on /usr/include/postgresql/pg_config.h but use the file
from the build tree instead:

src/test/perl/TestLib.pm:

    Return the number of matches of the given regular expression
    within the installation's C<pg_config.h>.

    =cut

    sub check_pg_config
    {
        my ($regexp) = @_;
        my ($stdout, $stderr);
        my $result = IPC::Run::run [ 'pg_config', '--includedir' ], '>',
          \$stdout, '2>', \$stderr
          or die "could not execute pg_config";
        chomp($stdout);
        $stdout =~ s/\r$//;

        open my $pg_config_h, '<', "$stdout/pg_config.h" or die "$!"; <-- here
        my $match = (grep { /^$regexp/ } <$pg_config_h>);
        close $pg_config_h;
        return $match;
    }

src/test/ssl/README claims that it is possible to run the "ssl" extra
test from make check (as opposed to installcheck).

Christoph



Christoph Berg <myon@debian.org> writes:
> I believe check_pg_config as used by src/test/ssl/t/002_scram.pl
> shouldn't rely on /usr/include/postgresql/pg_config.h but use the file
> from the build tree instead:

But during "make check", that should be executing pg_config from the
the temporary installation, so we should get the right answer no?

Conversely, in "make installcheck" scenarios, we definitely do want
the value from the installed file, or so I should think.

Do you have a concrete scenario where you're getting wrong behavior?

            regards, tom lane



Re: Tom Lane
> But during "make check", that should be executing pg_config from the
> the temporary installation, so we should get the right answer no?
> 
> Conversely, in "make installcheck" scenarios, we definitely do want
> the value from the installed file, or so I should think.
> 
> Do you have a concrete scenario where you're getting wrong behavior?

I just added the extra tests to the postgresql-13 package and got
this:

$ cat build/src/test/ssl/tmp_check/log/regress_log_002_scram
No such file or directory at /srv/projects/postgresql/pg/master/build/../src/test/perl/TestLib.pm line 595.

But I just realized that the problem is caused by a Debian-specific
patch that removes the find_my_exec logic from pg_config and replaces
it with PGBINDIR. We need that patch because we install pg_config to
both /usr/bin and /usr/lib/postgresql/<version>/bin and want the same
output from both.

I'll revisit that to see if we can come up with a different solution.

Christoph



ldap tls test fails in some environments

From
Christoph Berg
Date:
> I just added the extra tests to the postgresql-13 package and got
> this:

Some other problem emerged here in the ldap test:

17:28:58
17:28:58 #   Failed test 'StartTLS'
17:28:58 #   at t/001_auth.pl line 169.
17:28:58 #          got: '2'
17:28:58 #     expected: '0'
17:28:58
17:28:58 #   Failed test 'LDAPS'
17:28:58 #   at t/001_auth.pl line 169.
17:28:58 #          got: '2'
17:28:58 #     expected: '0'
17:28:59
17:28:59 #   Failed test 'LDAPS with URL'
17:28:59 #   at t/001_auth.pl line 169.
17:28:59 #          got: '2'
17:28:59 #     expected: '0'
17:28:59 # Looks like you failed 3 tests of 22.
17:28:59 t/001_auth.pl ..
...
17:28:59 # diagnostic message
17:28:59 ok 18 - any attempt fails due to bad search pattern
17:28:59 # TLS
17:28:59 not ok 19 - StartTLS
17:28:59 not ok 20 - LDAPS
17:28:59 not ok 21 - LDAPS with URL
17:28:59 ok 22 - bad combination of LDAPS and StartTLS
17:28:59 Dubious, test returned 3 (wstat 768, 0x300)

src/test/ldap/tmp_check/log/slapd.log is empty.

It consistently fails on the build server, but works on my notebook.
Maybe that simply means slapd is crashing, but there's no slapd
output. Would it be possible to start slapd with "-d 255", even if
that means it doesn't background itself?

That'd be in src/test/ldap/t/001_auth.pl:

    system_or_bail $slapd, '-f', $slapd_conf, '-h', "$ldap_url $ldaps_url";

    END
    {
        kill 'INT', `cat $slapd_pidfile` if -f $slapd_pidfile;
    }

Server and test output below:

17:28:59 2020-05-13 15:28:58.136 UTC [31564] LOG:  starting PostgreSQL 13devel (Debian
13~~devel~20200513.1505-1~801.git043e3e0.pgdg+1)on x86_64-pc-linux-gnu, compiled by gcc (Debian 9.3.0-12) 9.3.0,
64-bit
17:28:59 2020-05-13 15:28:58.136 UTC [31564] LOG:  listening on Unix socket "/tmp/gM2rQtsMib/.s.PGSQL.53078"
17:28:59 2020-05-13 15:28:58.139 UTC [31565] LOG:  database system was shut down at 2020-05-13 15:28:58 UTC
17:28:59 2020-05-13 15:28:58.142 UTC [31564] LOG:  database system is ready to accept connections
17:28:59 2020-05-13 15:28:58.230 UTC [31573] [unknown] LOG:  LDAP login failed for user "?uid=test1" on server
"localhost":Invalid DN syntax
 
17:28:59 2020-05-13 15:28:58.230 UTC [31573] [unknown] DETAIL:  LDAP diagnostics: invalid DN
17:28:59 2020-05-13 15:28:58.230 UTC [31573] [unknown] FATAL:  LDAP authentication failed for user "test1"
17:28:59 2020-05-13 15:28:58.230 UTC [31573] [unknown] DETAIL:  Connection matched pg_hba.conf line 1: "local all all
ldapldapserver=localhost ldapport=53076 ldapprefix="?uid=" ldapsuffix="""
 
17:28:59 2020-05-13 15:28:58.264 UTC [31564] LOG:  received fast shutdown request
17:28:59 2020-05-13 15:28:58.264 UTC [31564] LOG:  aborting any active transactions
17:28:59 2020-05-13 15:28:58.266 UTC [31564] LOG:  background worker "logical replication launcher" (PID 31571) exited
withexit code 1
 
17:28:59 2020-05-13 15:28:58.266 UTC [31566] LOG:  shutting down
17:28:59 2020-05-13 15:28:58.271 UTC [31564] LOG:  database system is shut down
17:28:59 2020-05-13 15:28:58.384 UTC [31575] LOG:  starting PostgreSQL 13devel (Debian
13~~devel~20200513.1505-1~801.git043e3e0.pgdg+1)on x86_64-pc-linux-gnu, compiled by gcc (Debian 9.3.0-12) 9.3.0,
64-bit
17:28:59 2020-05-13 15:28:58.385 UTC [31575] LOG:  listening on Unix socket "/tmp/gM2rQtsMib/.s.PGSQL.53078"
17:28:59 2020-05-13 15:28:58.387 UTC [31576] LOG:  database system was shut down at 2020-05-13 15:28:58 UTC
17:28:59 2020-05-13 15:28:58.390 UTC [31575] LOG:  database system is ready to accept connections
17:28:59 2020-05-13 15:28:58.479 UTC [31584] [unknown] LOG:  could not start LDAP TLS session: Connect error
17:28:59 2020-05-13 15:28:58.479 UTC [31584] [unknown] FATAL:  LDAP authentication failed for user "test1"
17:28:59 2020-05-13 15:28:58.479 UTC [31584] [unknown] DETAIL:  Connection matched pg_hba.conf line 1: "local all all
ldapldapserver=localhost ldapport=53076 ldapbasedn="dc=example,dc=net" ldapsearchfilter="(uid=$username)" ldaptls=1"
 
17:28:59 2020-05-13 15:28:58.514 UTC [31575] LOG:  received fast shutdown request
17:28:59 2020-05-13 15:28:58.514 UTC [31575] LOG:  aborting any active transactions
17:28:59 2020-05-13 15:28:58.516 UTC [31575] LOG:  background worker "logical replication launcher" (PID 31582) exited
withexit code 1
 
17:28:59 2020-05-13 15:28:58.516 UTC [31577] LOG:  shutting down
17:28:59 2020-05-13 15:28:58.520 UTC [31575] LOG:  database system is shut down
17:28:59 2020-05-13 15:28:58.634 UTC [31586] LOG:  starting PostgreSQL 13devel (Debian
13~~devel~20200513.1505-1~801.git043e3e0.pgdg+1)on x86_64-pc-linux-gnu, compiled by gcc (Debian 9.3.0-12) 9.3.0,
64-bit
17:28:59 2020-05-13 15:28:58.634 UTC [31586] LOG:  listening on Unix socket "/tmp/gM2rQtsMib/.s.PGSQL.53078"
17:28:59 2020-05-13 15:28:58.636 UTC [31587] LOG:  database system was shut down at 2020-05-13 15:28:58 UTC
17:28:59 2020-05-13 15:28:58.639 UTC [31586] LOG:  database system is ready to accept connections
17:28:59 2020-05-13 15:28:58.728 UTC [31595] [unknown] LOG:  could not perform initial LDAP bind for ldapbinddn "" on
server"localhost": Can't contact LDAP server
 
17:28:59 2020-05-13 15:28:58.728 UTC [31595] [unknown] FATAL:  LDAP authentication failed for user "test1"
17:28:59 2020-05-13 15:28:58.728 UTC [31595] [unknown] DETAIL:  Connection matched pg_hba.conf line 1: "local all all
ldapldapserver=localhost ldapscheme=ldaps ldapport=53077 ldapbasedn="dc=example,dc=net"
ldapsearchfilter="(uid=$username)""
17:28:59 2020-05-13 15:28:58.763 UTC [31586] LOG:  received fast shutdown request
17:28:59 2020-05-13 15:28:58.764 UTC [31586] LOG:  aborting any active transactions
17:28:59 2020-05-13 15:28:58.766 UTC [31586] LOG:  background worker "logical replication launcher" (PID 31593) exited
withexit code 1
 
17:28:59 2020-05-13 15:28:58.766 UTC [31588] LOG:  shutting down
17:28:59 2020-05-13 15:28:58.772 UTC [31586] LOG:  database system is shut down
17:28:59 2020-05-13 15:28:58.886 UTC [31597] LOG:  starting PostgreSQL 13devel (Debian
13~~devel~20200513.1505-1~801.git043e3e0.pgdg+1)on x86_64-pc-linux-gnu, compiled by gcc (Debian 9.3.0-12) 9.3.0,
64-bit
17:28:59 2020-05-13 15:28:58.886 UTC [31597] LOG:  listening on Unix socket "/tmp/gM2rQtsMib/.s.PGSQL.53078"
17:28:59 2020-05-13 15:28:58.888 UTC [31598] LOG:  database system was shut down at 2020-05-13 15:28:58 UTC
17:28:59 2020-05-13 15:28:58.891 UTC [31597] LOG:  database system is ready to accept connections
17:28:59 2020-05-13 15:28:58.977 UTC [31606] [unknown] LOG:  could not perform initial LDAP bind for ldapbinddn "" on
server"localhost": Can't contact LDAP server
 
17:28:59 2020-05-13 15:28:58.977 UTC [31606] [unknown] FATAL:  LDAP authentication failed for user "test1"
17:28:59 2020-05-13 15:28:58.977 UTC [31606] [unknown] DETAIL:  Connection matched pg_hba.conf line 1: "local all all
ldapldapurl="ldaps://localhost:53077/dc=example,dc=net??sub?(uid=$username)""
 
17:28:59 2020-05-13 15:28:59.014 UTC [31597] LOG:  received fast shutdown request
17:28:59 2020-05-13 15:28:59.014 UTC [31597] LOG:  aborting any active transactions
17:28:59 2020-05-13 15:28:59.017 UTC [31597] LOG:  background worker "logical replication launcher" (PID 31604) exited
withexit code 1
 
17:28:59 2020-05-13 15:28:59.019 UTC [31599] LOG:  shutting down
17:28:59 2020-05-13 15:28:59.025 UTC [31597] LOG:  database system is shut down
17:28:59 2020-05-13 15:28:59.135 UTC [31608] LOG:  starting PostgreSQL 13devel (Debian
13~~devel~20200513.1505-1~801.git043e3e0.pgdg+1)on x86_64-pc-linux-gnu, compiled by gcc (Debian 9.3.0-12) 9.3.0,
64-bit
17:28:59 2020-05-13 15:28:59.135 UTC [31608] LOG:  listening on Unix socket "/tmp/gM2rQtsMib/.s.PGSQL.53078"
17:28:59 2020-05-13 15:28:59.137 UTC [31609] LOG:  database system was shut down at 2020-05-13 15:28:59 UTC
17:28:59 2020-05-13 15:28:59.140 UTC [31608] LOG:  database system is ready to accept connections
17:28:59 2020-05-13 15:28:59.228 UTC [31617] [unknown] LOG:  could not start LDAP TLS session: Can't contact LDAP
server
17:28:59 2020-05-13 15:28:59.228 UTC [31617] [unknown] FATAL:  LDAP authentication failed for user "test1"
17:28:59 2020-05-13 15:28:59.228 UTC [31617] [unknown] DETAIL:  Connection matched pg_hba.conf line 1: "local all all
ldapldapurl="ldaps://localhost:53077/dc=example,dc=net??sub?(uid=$username)" ldaptls=1" 
17:28:59 2020-05-13 15:28:59.264 UTC [31608] LOG:  received immediate shutdown request
17:28:59 2020-05-13 15:28:59.265 UTC [31613] WARNING:  terminating connection because of crash of another server
process
17:28:59 2020-05-13 15:28:59.265 UTC [31613] DETAIL:  The postmaster has commanded this server process to roll back the
currenttransaction and exit, because another server process exited abnormally and possibly corrupted shared memory.
 
17:28:59 2020-05-13 15:28:59.265 UTC [31613] HINT:  In a moment you should be able to reconnect to the database and
repeatyour command.
 
17:28:59 2020-05-13 15:28:59.268 UTC [31608] LOG:  database system is shut down

17:28:59 ******** build/src/test/ldap/tmp_check/log/regress_log_001_auth ********
17:28:59 1..22
17:28:59 # Checking port 53076
17:28:59 # Found port 53076
17:28:59 # Checking port 53077
17:28:59 # Found port 53077
17:28:59 # setting up slapd
17:28:59 # Running: openssl req -new -nodes -keyout /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/ca.key
-x509-out /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/ca.crt -subj /CN=CA
 
17:28:59 Generating a RSA private key
17:28:59 ...........+++++
17:28:59 ...............+++++
17:28:59 writing new private key to '/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/ca.key'
17:28:59 -----
17:28:59 # Running: openssl req -new -nodes -keyout
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/server.key-out
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/server.csr-subj /CN=server
 
17:28:59 Generating a RSA private key
17:28:59 ..............+++++
17:28:59 .............+++++
17:28:59 writing new private key to '/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/server.key'
17:28:59 -----
17:28:59 # Running: openssl x509 -req -in /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/server.csr -CA
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/ca.crt-CAkey
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/ca.key-CAcreateserial -out
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd-certs/server.crt
17:28:59 Signature ok
17:28:59 subject=CN = server
17:28:59 Getting CA Private Key
17:28:59 # Running: /usr/sbin/slapd -f /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/slapd.conf -h
ldap://localhost:53076ldaps://localhost:53077
 
17:28:59 # Running: ldapsearch -h localhost -p 53076 -s base -b dc=example,dc=net -D cn=Manager,dc=example,dc=net -y
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/ldappassword-n 'objectclass=*'
 
17:28:59 # extended LDIF
17:28:59 #
17:28:59 # LDAPv3
17:28:59 # base <dc=example,dc=net> with scope baseObject
17:28:59 # filter: 'objectclass=*'
17:28:59 # requesting: ALL
17:28:59 #
17:28:59 
17:28:59 # loading LDAP data
17:28:59 # Running: ldapadd -x -y /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/ldappassword -f authdata.ldif
17:28:59 adding new entry "dc=example,dc=net"
17:28:59 
17:28:59 adding new entry "uid=test1,dc=example,dc=net"
17:28:59 
17:28:59 adding new entry "uid=test2,dc=example,dc=net"
17:28:59 
17:28:59 # Running: ldappasswd -x -y /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/ldappassword -s secret1
uid=test1,dc=example,dc=net
17:28:59 # Running: ldappasswd -x -y /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/ldappassword -s secret2
uid=test2,dc=example,dc=net
17:28:59 # setting up PostgreSQL instance
17:28:59 # Checking port 53078
17:28:59 # Found port 53078
17:28:59 Name: node
17:28:59 Data directory: /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata
17:28:59 Backup directory: /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/backup
17:28:59 Archive directory: /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/archives
17:28:59 Connection string: port=53078 host=/tmp/gM2rQtsMib
17:28:59 Log file: /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.log
17:28:59 # Running: initdb -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -A trust -N
17:28:59 The files belonging to this database system will be owned by user "buildd".
17:28:59 This user must also own the server process.
17:28:59 
17:28:59 The database cluster will be initialized with locale "C".
17:28:59 The default database encoding has accordingly been set to "SQL_ASCII".
17:28:59 The default text search configuration will be set to "english".
17:28:59 
17:28:59 Data page checksums are disabled.
17:28:59 
17:28:59 creating directory /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata ... ok
17:28:59 creating subdirectories ... ok
17:28:59 selecting dynamic shared memory implementation ... posix
17:28:59 selecting default max_connections ... 100
17:28:59 selecting default shared_buffers ... 128MB
17:28:59 selecting default time zone ... Etc/UTC
17:28:59 creating configuration files ... ok
17:28:59 running bootstrap script ... ok
17:28:59 performing post-bootstrap initialization ... ok
17:28:59 
17:28:59 Sync to disk skipped.
17:28:59 The data directory might become corrupt if the operating system crashes.
17:28:59 
17:28:59 Success. You can now start the database server using:
17:28:59 
17:28:59     pg_ctl -D '/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata' -l logfile start
17:28:59 
17:28:59 # Running: /<<PKGBUILDDIR>>/build/src/test/ldap/../../../src/test/regress/pg_regress --config-auth
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata
17:28:59 ### Starting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.log-o --cluster-name=node start
 
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31451
17:28:59 # running tests
17:28:59 # simple bind
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31466
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test0"
17:28:59 ok 1 - simple bind authentication fails if user not found in LDAP
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 ok 2 - simple bind authentication fails with wrong password
17:28:59 1
17:28:59 ok 3 - simple bind authentication succeeds
17:28:59 # search+bind
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31481
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test0"
17:28:59 ok 4 - search+bind authentication fails if user not found in LDAP
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 ok 5 - search+bind authentication fails with wrong password
17:28:59 1
17:28:59 ok 6 - search+bind authentication succeeds
17:28:59 # multiple servers
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31496
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test0"
17:28:59 ok 7 - search+bind authentication fails if user not found in LDAP
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 ok 8 - search+bind authentication fails with wrong password
17:28:59 1
17:28:59 ok 9 - search+bind authentication succeeds
17:28:59 # LDAP URLs
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31511
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test0"
17:28:59 ok 10 - search+bind with LDAP URL authentication fails if user not found in LDAP
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 ok 11 - search+bind with LDAP URL authentication fails with wrong password
17:28:59 1
17:28:59 ok 12 - search+bind with LDAP URL authentication succeeds
17:28:59 # search filters
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31526
17:28:59 1
17:28:59 ok 13 - search filter finds by uid
17:28:59 1
17:28:59 ok 14 - search filter finds by mail
17:28:59 # search filters in LDAP URLs
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31539
17:28:59 1
17:28:59 ok 15 - search filter finds by uid
17:28:59 1
17:28:59 ok 16 - search filter finds by mail
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31552
17:28:59 1
17:28:59 ok 17 - combined LDAP URL and search filter
17:28:59 # diagnostic message
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31564
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 ok 18 - any attempt fails due to bad search pattern
17:28:59 # TLS
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31575
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 not ok 19 - StartTLS
17:28:59 
17:28:59 #   Failed test 'StartTLS'
17:28:59 #   at t/001_auth.pl line 169.
17:28:59 #          got: '2'
17:28:59 #     expected: '0'
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31586
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 not ok 20 - LDAPS
17:28:59 
17:28:59 #   Failed test 'LDAPS'
17:28:59 #   at t/001_auth.pl line 169.
17:28:59 #          got: '2'
17:28:59 #     expected: '0'
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31597
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 not ok 21 - LDAPS with URL
17:28:59 
17:28:59 #   Failed test 'LDAPS with URL'
17:28:59 #   at t/001_auth.pl line 169.
17:28:59 #          got: '2'
17:28:59 #     expected: '0'
17:28:59 ### Restarting node "node"
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -l
/<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/log/001_auth_node.logrestart
 
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 waiting for server to start.... done
17:28:59 server started
17:28:59 # Postmaster PID for node "node" is 31608
17:28:59 psql: error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
17:28:59 ok 22 - bad combination of LDAPS and StartTLS
17:28:59 ### Stopping node "node" using mode immediate
17:28:59 # Running: pg_ctl -D /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata -m immediate
stop
17:28:59 waiting for server to shut down.... done
17:28:59 server stopped
17:28:59 # No postmaster PID for node "node"
17:28:59 # Looks like you failed 3 tests of 22.
17:28:59 make[1]: *** [debian/rules:193: override_dh_auto_test-arch] Error 1

Christoph



Re: ldap tls test fails in some environments

From
Thomas Munro
Date:
On Thu, May 14, 2020 at 4:05 AM Christoph Berg <myon@debian.org> wrote:
> Some other problem emerged here in the ldap test:

Hi Christoph,

> 17:28:59 Data directory: /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata

I know nothing about Debian package building so I could be missing
something about how this works, but I wonder if our script variable
handling is hygienic enough for paths like that.  Let's see... I get
an error due to that when I run "make -C src/test/ldap check" from a
source tree under "/<<PKGBUILDDIR>>/build":

sh: 1: cannot create /build/src/test/ldap/tmp_check/slapd.pid:
Directory nonexistent

That's fixable with:

-       kill 'INT', `cat $slapd_pidfile` if -f $slapd_pidfile;
+       kill 'INT', `cat "$slapd_pidfile"` if -f "$slapd_pidfile";

That's a side issue, though.

> 17:28:59 # TLS
> 17:28:59 not ok 19 - StartTLS
> 17:28:59 not ok 20 - LDAPS
> 17:28:59 not ok 21 - LDAPS with URL

> It consistently fails on the build server, but works on my notebook.
> Maybe that simply means slapd is crashing, but there's no slapd
> output. Would it be possible to start slapd with "-d 255", even if
> that means it doesn't background itself?

That'd require more scripting to put it in the background...

> 17:28:59 2020-05-13 15:28:58.479 UTC [31584] [unknown] LOG:  could not start LDAP TLS session: Connect error

> 17:28:59 2020-05-13 15:28:58.728 UTC [31595] [unknown] LOG:  could not perform initial LDAP bind for ldapbinddn "" on
server"localhost": Can't contact LDAP server
 

Hmm, I get exactly the same errors as this if I comment out the
following part of the test script:

  # don't bother to check the server's cert (though perhaps we should)
  append_to_file(
      $ldap_conf,
      qq{TLS_REQCERT never
  });

That's a file that we point to with the environment variable LDAPCONF.
The man page for ldap.conf says:

       Thus the following files and variables are read, in order:
           variable     $LDAPNOINIT, and if that is not set:
           system file  /etc/ldap/ldap.conf,
           user files   $HOME/ldaprc,  $HOME/.ldaprc,  ./ldaprc,
           system file  $LDAPCONF,
           user files   $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
           variables    $LDAP<uppercase option name>.
       Settings late in the list override earlier ones.

This leads me to suspect that something in your build server's
environment that comes later in that list is overridding the
TLS_REQCERT setting.  If that's the explanation, perhaps we should do
this, which seems to work OK on my system, since it comes last in the
list:

-$ENV{'LDAPCONF'}   = $ldap_conf;
+$ENV{'LDAPTLS_REQCERT'} = "never";



Re: ldap tls test fails in some environments

From
Christoph Berg
Date:
Re: Thomas Munro
> > 17:28:59 Data directory: /<<PKGBUILDDIR>>/build/src/test/ldap/tmp_check/t_001_auth_node_data/pgdata
> 
> I know nothing about Debian package building so I could be missing
> something about how this works, but I wonder if our script variable
> handling is hygienic enough for paths like that.

That's from the sbuild log filter, the special chars are not the
problem:

17:06:41 I: NOTICE: Log filtering will replace 'build/postgresql-13-fdfISX/postgresql-13-13~~devel~20200513.1505' with
'<<PKGBUILDDIR>>'
17:06:41 I: NOTICE: Log filtering will replace 'build/postgresql-13-fdfISX' with '<<BUILDDIR>>'

> > It consistently fails on the build server, but works on my notebook.
> > Maybe that simply means slapd is crashing, but there's no slapd
> > output. Would it be possible to start slapd with "-d 255", even if
> > that means it doesn't background itself?
> 
> That'd require more scripting to put it in the background...

Maybe adding "&" is enough, provided it still writes the pid file for
shutting down...

> This leads me to suspect that something in your build server's
> environment that comes later in that list is overridding the
> TLS_REQCERT setting.  If that's the explanation, perhaps we should do
> this, which seems to work OK on my system, since it comes last in the
> list:

It's not messing with environment variables in that area.

I'll see if I can catch a shell in the environment where it fails.

Christoph



Re: ldap tls test fails in some environments

From
Christoph Berg
Date:
> I'll see if I can catch a shell in the environment where it fails.

It failed right away when I tried on the buildd machine:

The slapd debug log is mostly garbage to me, the error seems to be
this:
ldap_read: want=8 error=Resource temporarily unavailable


src/test/ldap/t/001_auth.pl:

system_or_bail "sh", "-c", "$slapd -f $slapd_conf -h '$ldap_url $ldaps_url' -d 255 &";

END
{
        kill 'INT', `cat $slapd_pidfile` if -f $slapd_pidfile;
}


tmp_check/log/001_auth_node.log:

2020-05-15 14:06:18.915 CEST [30486] [unknown] LOG:  could not start LDAP TLS session: Connect error
2020-05-15 14:06:18.916 CEST [30486] [unknown] FATAL:  LDAP authentication failed for user "test1"
2020-05-15 14:06:18.916 CEST [30486] [unknown] DETAIL:  Connection matched pg_hba.conf line 1: "local all all ldap
ldapserver=localhostldapport=65510 ldapbasedn="dc=example,dc=net" ldapsearchfilter="(uid=$username)" ldaptls=1"
 


tmp_check/log/regress_log_001_auth:

# TLS
### Restarting node "node"
# Running: pg_ctl -D /home/myon/postgresql-13-13~~devel~20200515.0434/build/src/test/ldap/tmp_ch
eck/t_001_auth_node_data/pgdata -l /home/myon/postgresql-13-13~~devel~20200515.0434/build/src/te
st/ldap/tmp_check/log/001_auth_node.log restart
waiting for server to shut down.... done
server stopped
waiting for server to start.... done
server started
# Postmaster PID for node "node" is 30477
5ebe85ba daemon: activity on 1 descriptor
5ebe85ba daemon: activity on:
5ebe85ba slap_listener_activate(6):
5ebe85ba daemon: epoll: listen=6 busy
5ebe85ba daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ebe85ba >>> slap_listener(ldap://localhost:65510)
5ebe85ba daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ebe85ba daemon: accept() = 10
5ebe85ba daemon: listen=6, new connection on 10
5ebe85ba daemon: activity on 1 descriptor
5ebe85ba daemon: activity on:
5ebe85ba daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ebe85ba daemon: added 10r (active) listener=(nil)
5ebe85ba daemon: activity on 1 descriptor
5ebe85ba daemon: activity on: 10r
5ebe85ba daemon: read active on 10
5ebe85ba daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ebe85ba connection_get(10)
5ebe85ba connection_get(10): got connid=1033
5ebe85ba daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ebe85ba daemon: activity on 1 descriptor
5ebe85ba connection_read(10): checking for input on id=1033
ber_get_next
5ebe85ba daemon: activity on:
5ebe85ba daemon: epoll: listen=6 active_threads=0 tvp=NULL
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
5ebe85ba daemon: epoll: listen=7 active_threads=0 tvp=NULL
  0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
5ebe85ba daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=9 active_threads=0 tvp=NULL
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x7fa8ec107910 ptr=0x7fa8ec107910 end=0x7fa8ec10792d len=29
  0000:  02 01 01 77 18 80 16 31  2e 33 2e 36 2e 31 2e 34   ...w...1.3.6.1.4
  0010:  2e 31 2e 31 34 36 36 2e  32 30 30 33 37            .1.1466.20037
5ebe85ba op tag 0x77, time 1589544378
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5ebe85ba conn=1033 op=0 do_extended
ber_scanf fmt ({m) ber:
5ebe85ba daemon: activity on 1 descriptor
5ebe85ba daemon: activity on:ber_dump: buf=0x7fa8ec107910 ptr=0x7fa8ec107913 end=0x7fa8ec10792d len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037

5ebe85ba daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ebe85ba do_extended: oid=1.3.6.1.4.1.1466.20037
5ebe85ba daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ebe85ba send_ldap_extended: err=0 oid= len=0
5ebe85ba send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 10
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
5ebe85ba daemon: activity on 1 descriptor
5ebe85ba daemon: activity on: 10r
5ebe85ba daemon: read active on 10
5ebe85ba daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=7 active_threads=0 tvp=NULL
psql:5ebe85ba connection_get(10)
 error: could not connect to server: FATAL:  LDAP authentication failed for user "test1"
5ebe85ba daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ebe85ba connection_get(10): got connid=1033
5ebe85ba connection_read(10): checking for input on id=1033
tls_read: want=5, got=5
  0000:  30 05 02 01 02                                     0....
TLS: can't accept: An unexpected TLS packet was received..
5ebe85ba connection_read(10): TLS accept failure error=-1 id=1033, closing
5ebe85ba connection_closing: readying conn=1033 sd=10 for close
5ebe85ba connection_close: conn=1033 sd=10
5ebe85ba daemon: removing 10
5ebe85ba daemon: activity on 1 descriptor
5ebe85ba daemon: activity on:
5ebe85ba daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ebe85ba daemon: epoll: listen=9 active_threads=0 tvp=NULL
not ok 19 - StartTLS

#   Failed test 'StartTLS'
#   at t/001_auth.pl line 169.
#          got: '2'
#     expected: '0'
### Restarting node "node"


Christoph



Re: ldap tls test fails in some environments

From
Tom Lane
Date:
Christoph Berg <myon@debian.org> writes:
> The slapd debug log is mostly garbage to me, the error seems to be
> this:
> ldap_read: want=8 error=Resource temporarily unavailable

Hm, so EAGAIN (although that's a BSD-ish spelling of the strerror
string, which seems pretty odd in a Debian context).  I don't think
that's actually an error, it's just the daemon's data collection
logic trying to read data that isn't there.  It then goes on and
issues a response, so this must not indicate that the request is
incomplete --- it's just a useless speculative read.

Somebody should get out the LDAP RFCs and decode the packet contents
that this log helpfully provides, but I suspect that we're just looking
at an authentication failure; there's still not much clue as to why.

            regards, tom lane



Re: ldap tls test fails in some environments

From
Christoph Berg
Date:
Re: Tom Lane
> Somebody should get out the LDAP RFCs and decode the packet contents
> that this log helpfully provides, but I suspect that we're just looking
> at an authentication failure; there's still not much clue as to why.

The non-TLS tests work, so it's not a plain auth failure...

I'm attaching the full logs from that test, maybe someone with more
insight can compare the non-TLS with the TLS bits.

Would it help to re-run that with log_debug on the PG side?

Christoph

Attachment

Re: ldap tls test fails in some environments

From
Thomas Munro
Date:
On Sat, May 16, 2020 at 2:25 AM Christoph Berg <myon@debian.org> wrote:
> > Somebody should get out the LDAP RFCs and decode the packet contents
> > that this log helpfully provides, but I suspect that we're just looking
> > at an authentication failure; there's still not much clue as to why.
>
> The non-TLS tests work, so it's not a plain auth failure...
>
> I'm attaching the full logs from that test, maybe someone with more
> insight can compare the non-TLS with the TLS bits.
>
> Would it help to re-run that with log_debug on the PG side?

In your transcript for test 20, it looks like the client (PostgreSQL)
is hanging up without even sending a TLS ClientHello:

tls_read: want=5, got=0
...
psql:TLS: can't accept: The TLS connection was non-properly terminated..

With 001_auth.tl hacked to enable debug as you suggested*, on a local
Debian 10 system I see:

tls_read: want=5, got=5
  0000:  16 03 01 01 4c                                     ....L

That's: 0x16 = handshake record, 0x03 0x01 = TLS 1.0, and then a
record length for the following ClientHello.  You're not even getting
that far, so I guess libdap is setting up the connection but then the
GNU TLS library (what Debian links libldap against) is not happy, even
before any negotiations begin.  I wonder how to figure out why... does
this tell you anything?

 $ENV{'LDAPCONF'}   = $ldap_conf;
+$ENV{"GNUTLS_DEBUG_LEVEL"} = '99';

* Like this:
-system_or_bail $slapd, '-f', $slapd_conf, '-h', "$ldap_url $ldaps_url";
+system("$slapd -d 255 -f $slapd_conf -h '$ldap_url $ldaps_url' &");



Re: ldap tls test fails in some environments

From
Christoph Berg
Date:
Re: Thomas Munro
> In your transcript for test 20, it looks like the client (PostgreSQL)
> is hanging up without even sending a TLS ClientHello:

Maybe tests 19 and 20 are failing because 18 was already bad. (But
probably not.)

> I wonder how to figure out why... does this tell you anything?
> 
>  $ENV{'LDAPCONF'}   = $ldap_conf;
> +$ENV{"GNUTLS_DEBUG_LEVEL"} = '99';

Sorry, I had not seen your message until now. Logs attached.

Even ldapsearch ... -ZZ is failing with that slapd config, so it's not
a PG problem.

$ GNUTLS_DEBUG_LEVEL=99 ldapsearch -h localhost -p 56118 -s base -b dc=example,dc=net -D cn=Manager,dc=example,dc=net
-y/home/myon/postgresql-13-13~~devel~20200515.0434/build/src/test/ldap/tmp_check/ldappassword -n 'objectclass=*' -ZZ
 
gnutls[2]: Enabled GnuTLS 3.6.13 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
5ec3ec38 daemon: activity on 1 descriptor
5ec3ec38 daemon: activity on:
5ec3ec38 slap_listener_activate(6):
5ec3ec38 daemon: epoll: listen=6 busy
5ec3ec38 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ec3ec38 >>> slap_listener(ldap://localhost:56118)
5ec3ec38 daemon: accept() = 10
5ec3ec38 daemon: listen=6, new connection on 10
5ec3ec38 daemon: activity on 1 descriptor
5ec3ec38 daemon: activity on:
5ec3ec38 daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ec3ec38 daemon: added 10r (active) listener=(nil)
5ec3ec38 daemon: activity on 1 descriptor
5ec3ec38 daemon: activity on: 10r
5ec3ec38 daemon: read active on 10
5ec3ec38 daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ec3ec38 connection_get(10)
5ec3ec38 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ec3ec38 connection_get(10): got connid=1000
5ec3ec38 connection_read(10): checking for input on id=1000
5ec3ec38 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ec3ec38 daemon: activity on 1 descriptor
ber_get_next
5ec3ec38 daemon: activity on:
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
5ec3ec38 daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=9 active_threads=0 tvp=NULL
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x7f0c50000bc0 ptr=0x7f0c50000bc0 end=0x7f0c50000bdd len=29
  0000:  02 01 01 77 18 80 16 31  2e 33 2e 36 2e 31 2e 34   ...w...1.3.6.1.4
  0010:  2e 31 2e 31 34 36 36 2e  32 30 30 33 37            .1.1466.20037
5ec3ec38 op tag 0x77, time 1589898296
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5ec3ec38 conn=1000 op=0 do_extended
5ec3ec38 daemon: activity on 1 descriptor
5ec3ec38 daemon: activity on:
ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f0c50000bc0 ptr=0x7f0c50000bc3 end=0x7f0c50000bdd len=26
5ec3ec38 daemon: epoll: listen=6 active_threads=0 tvp=NULL
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
5ec3ec38 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ec3ec38 do_extended: oid=1.3.6.1.4.1.1466.20037
5ec3ec38 send_ldap_extended: err=0 oid= len=0
5ec3ec38 send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 10
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
gnutls[2]: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
gnutls[3]: ASSERT: ../../../lib/x509/verify-high2.c[gnutls_x509_trust_list_add_trust_file]:361
ldap_start_tls: Connect error (-11)
5ec3ec38 daemon: activity on 1 descriptor
5ec3ec38 daemon: activity on: 10r
5ec3ec38 daemon: read active on 10
5ec3ec38 daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ec3ec38 connection_get(10)
5ec3ec38 connection_get(10): got connid=1000
5ec3ec38 daemon: epoll: listen=9 active_threads=0 tvp=NULL
5ec3ec38 connection_read(10): checking for input on id=1000
tls_read: want=5, got=5
  0000:  30 05 02 01 02                                     0....
TLS: can't accept: An unexpected TLS packet was received..
5ec3ec38 connection_read(10): TLS accept failure error=-1 id=1000, closing
5ec3ec38 connection_closing: readying conn=1000 sd=10 for close
5ec3ec38 connection_close: conn=1000 sd=10
5ec3ec38 daemon: activity on 1 descriptor
5ec3ec38 daemon: removing 10
5ec3ec38 daemon: activity on:
5ec3ec38 daemon: epoll: listen=6 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ec3ec38 daemon: epoll: listen=9 active_threads=0 tvp=NULL

There is an assertion failure:

gnutls[3]: ASSERT: ../../../lib/x509/verify-high2.c[gnutls_x509_trust_list_add_trust_file]:361

https://sources.debian.org/src/gnutls28/3.6.13-2/lib/x509/verify-high2.c/#L361

... which doesn't make sense to me yet.

Christoph

Attachment