Hi Joshua,

the problem has existed since Ubuntu 17.10 (slapd-2.4.45+dfsg-1ubuntu1). A dhparam created with openssl without '-dsaparam' works fine. Here is a full log taken while trying to add the dhparam with '-dsaparam'.

Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: slap_listener_activate(10):
Okt 19 09:34:55 dc01 slapd[7928]: >>> slap_listener(ldapi:///)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 busy
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=0 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: listen=10, new connection on 14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]: 14r
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: read active on 14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: added 14r (active) listener=(nil)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14): got connid=1111
Okt 19 09:34:55 dc01 slapd[7928]: connection_read(14): checking for input on id=1111
Okt 19 09:34:55 dc01 slapd[7928]: op tag 0x60, time 1508398495
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=0 do_bind
Okt 19 09:34:55 dc01 slapd[7928]: >>> dnPrettyNormal: <>
Okt 19 09:34:55 dc01 slapd[7928]: <<< dnPrettyNormal: <>, <>
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=0 BIND dn="" method=163
Okt 19 09:34:55 dc01 slapd[7928]: do_bind: dn () SASL mech EXTERNAL
Okt 19 09:34:55 dc01 slapd[7928]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
Okt 19 09:34:55 dc01 slapd[7928]: SASL Canonicalize [conn=1111]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Okt 19 09:34:55 dc01 slapd[7928]: slap_sasl_getdn: conn 1111 id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55]
Okt 19 09:34:55 dc01 slapd[7928]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
Okt 19 09:34:55 dc01 slapd[7928]: <==slap_sasl2dn: Converted SASL name to <nothing>
Okt 19 09:34:55 dc01 slapd[7928]: SASL Canonicalize [conn=1111]: slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Okt 19 09:34:55 dc01 slapd[7928]: SASL proxy authorize [conn=1111]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Okt 19 09:34:55 dc01 slapd[7928]: SASL Authorize [conn=1111]: proxy authorization allowed authzDN=""
Okt 19 09:34:55 dc01 slapd[7928]: send_ldap_sasl: err=0 len=-1
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
Okt 19 09:34:55 dc01 slapd[7928]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
Okt 19 09:34:55 dc01 slapd[7928]: send_ldap_response: msgid=1 tag=97 err=0
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=0 RESULT tag=97 err=0 text=
Okt 19 09:34:55 dc01 slapd[7928]: <== slap_sasl_bind: rc=0
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]: 14r
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: read active on 14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14)
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14): got connid=1111
Okt 19 09:34:55 dc01 slapd[7928]: connection_read(14): checking for input on id=1111
Okt 19 09:34:55 dc01 slapd[7928]: op tag 0x66, time 1508398495
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=1 do_modify
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=1 do_modify: dn (cn=config)
Okt 19 09:34:55 dc01 slapd[7928]: >>> dnPrettyNormal: <cn=config>
Okt 19 09:34:55 dc01 slapd[7928]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=1 modifications:
Okt 19 09:34:55 dc01 slapd[7928]: replace: olcTLSDHParamFile
Okt 19 09:34:55 dc01 slapd[7928]: one value, length 21
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=1 MOD dn="cn=config"
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=1 MOD attr=olcTLSDHParamFile
Okt 19 09:34:55 dc01 slapd[7928]: => access_allowed: result not in cache (olcTLSDHParamFile)
Okt 19 09:34:55 dc01 slapd[7928]: => access_allowed: delete access to "cn=config" "olcTLSDHParamFile" requested
Okt 19 09:34:55 dc01 slapd[7928]: => acl_get: [1] attr olcTLSDHParamFile
Okt 19 09:34:55 dc01 slapd[7928]: => acl_mask: access to entry "cn=config", attr "olcTLSDHParamFile" requested
Okt 19 09:34:55 dc01 slapd[7928]: => acl_mask: to all values by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Okt 19 09:34:55 dc01 slapd[7928]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Okt 19 09:34:55 dc01 slapd[7928]: <= check a_authz.sai_ssf: ACL 71 > OP 71
Okt 19 09:34:55 dc01 slapd[7928]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Okt 19 09:34:55 dc01 slapd[7928]: <= acl_mask: [1] mask: manage(=mwrscxd)
Okt 19 09:34:55 dc01 slapd[7928]: => slap_access_allowed: delete access granted by manage(=mwrscxd)
Okt 19 09:34:55 dc01 slapd[7928]: => access_allowed: delete access granted by manage(=mwrscxd)
Okt 19 09:34:55 dc01 slapd[7928]: => access_allowed: result not in cache (olcTLSDHParamFile)
Okt 19 09:34:55 dc01 slapd[7928]: => access_allowed: add access to "cn=config" "olcTLSDHParamFile" requested
Okt 19 09:34:55 dc01 slapd[7928]: => acl_get: [1] attr olcTLSDHParamFile
Okt 19 09:34:55 dc01 slapd[7928]: => acl_mask: access to entry "cn=config", attr "olcTLSDHParamFile" requested
Okt 19 09:34:55 dc01 slapd[7928]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Okt 19 09:34:55 dc01 slapd[7928]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Okt 19 09:34:55 dc01 slapd[7928]: <= check a_authz.sai_ssf: ACL 71 > OP 71
Okt 19 09:34:55 dc01 slapd[7928]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Okt 19 09:34:55 dc01 slapd[7928]: <= acl_mask: [1] mask: manage(=mwrscxd)
Okt 19 09:34:55 dc01 slapd[7928]: => slap_access_allowed: add access granted by manage(=mwrscxd)
Okt 19 09:34:55 dc01 slapd[7928]: => access_allowed: add access granted by manage(=mwrscxd)
Okt 19 09:34:55 dc01 slapd[7928]: slap_queue_csn: queueing 0x7fa448108610 20171019073455.596594Z#000000#000#000000
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "objectClass"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "cn"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcArgsFile"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcIdleTimeout"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcPidFile"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcThreads"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcToolThreads"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "structuralObjectClass"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "entryUUID"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "creatorsName"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "createTimestamp"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcTLSCACertificateFile"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcTLSCertificateFile"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcTLSCertificateKeyFile"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcTLSCipherSuite"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcTLSProtocolMin"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcTLSVerifyClient"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcLogLevel"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "olcTLSDHParamFile"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "entryCSN"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "modifiersName"
Okt 19 09:34:55 dc01 slapd[7928]: oc_check_allowed type "modifyTimestamp"
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: send_ldap_result: conn=1111 op=1 p=3
Okt 19 09:34:55 dc01 slapd[7928]: send_ldap_result: err=80 matched="" text=""
Okt 19 09:34:55 dc01 slapd[7928]: send_ldap_response: msgid=2 tag=103 err=80
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=1 RESULT tag=103 err=80 text=
Okt 19 09:34:55 dc01 slapd[7928]: slap_graduate_commit_csn: removing 0x7fa448108610 20171019073455.596594Z#000000#000#000000
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]: 14r
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: read active on 14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14)
Okt 19 09:34:55 dc01 slapd[7928]: connection_get(14): got connid=1111
Okt 19 09:34:55 dc01 slapd[7928]: connection_read(14): checking for input on id=1111
Okt 19 09:34:55 dc01 slapd[7928]: op tag 0x42, time 1508398495
Okt 19 09:34:55 dc01 slapd[7928]: ber_get_next on fd 14 failed errno=0 (Success)
Okt 19 09:34:55 dc01 slapd[7928]: connection_read(14): input error=-2 id=1111, closing.
Okt 19 09:34:55 dc01 slapd[7928]: connection_closing: readying conn=1111 sd=14 for close
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on 1 descriptor
Okt 19 09:34:55 dc01 slapd[7928]: daemon: activity on:
Okt 19 09:34:55 dc01 slapd[7928]:
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=10 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=11 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: daemon: epoll: listen=12 active_threads=1 tvp=zero
Okt 19 09:34:55 dc01 slapd[7928]: connection_close: deferring conn=1111 sd=14
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=2 do_unbind
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 op=2 UNBIND
Okt 19 09:34:55 dc01 slapd[7928]: connection_resched: attempting closing conn=1111 sd=14
Okt 19 09:34:55 dc01 slapd[7928]: connection_close: conn=1111 sd=14
Okt 19 09:34:55 dc01 slapd[7928]: daemon: removing 14
Okt 19 09:34:55 dc01 slapd[7928]: conn=1111 fd=14 closed

Best regards,
Thorsten

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1724285

Title:
  Diffie Hellman parameter created with parameter "-dsaparam" stopped working with slapd

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  If the DH parameter is created with openssl and the '-dsaparam'
  parameter is set, the resulting Diffie-Hellman parameter cannot be
  added to the openldap server. If an existing dhparam is replaced with
  one which is created with '-dsaparam', slapd won't start anymore.

  From the openssl manpage:

  -dsaparam
      If this option is used, DSA rather than DH parameters are read or
      created; they are converted to DH format. Otherwise, "strong" primes
      (such that (p-1)/2 is also prime) will be used for DH parameter
      generation.

      DH parameter generation with the -dsaparam option is much faster,
      and the recommended exponent length is shorter, which makes DH key
      exchange more efficient. Beware that with such DSA-style DH
      parameters, a fresh DH key should be created for each use to avoid
      small-subgroup attacks that may be possible otherwise.

  # Works with openldap 2.4.44+dfsg-3ubuntu2.1 and 2.4.45+dfsg-1ubuntu1
  openssl dhparam -outform PEM -out dhparam.pem 2048

  # Works only with 2.4.44+dfsg-3ubuntu2.1
  openssl dhparam -dsaparam -outform PEM -out dhparam.pem 2048

  Adding to ldap:

  dn: cn=config
  changetype: modify
  replace: olcTLSDHParamFile
  olcTLSDHParamFile: /etc/ldap/ssl/dhparam.pem

  Error message from ldap server:

  ldap_modify: Other (e.g., implementation specific) error (80)
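
The manpage excerpt in the bug description separates "strong" primes, where (p-1)/2 is also prime, from DSA-style parameters. The added example below is not part of the original report and is not OpenSSL or OpenLDAP code; it classifies a DH modulus and shows the subgroup check a peer's public value needs when DSA-style parameters are used with a reused key. The toy values p=23, p=43 and q=7 are constructed for illustration.

```python
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed so runs are repeatable
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def classify_dh_prime(p):
    """'safe' if (p-1)/2 is also prime (dhparam default), else 'dsa-style'."""
    if not is_probable_prime(p):
        return "invalid"
    return "safe" if is_probable_prime((p - 1) // 2) else "dsa-style"

def peer_value_ok(y, p, q=None):
    """Validate a peer's public value y before combining it with a reused key.

    Safe prime: subgroup orders are 1, 2, q, 2q, so rejecting 0, 1 and p-1
    is enough. DSA-style prime: p-1 has other small factors, so y must be
    shown to lie in the order-q subgroup, which requires knowing q.
    """
    if not 1 < y < p - 1:
        return False
    if q is None:
        return classify_dh_prime(p) == "safe"
    return pow(y, q, p) == 1

# Constructed toy parameters (real moduli are 2048 bits or more).
SAFE_P = 23            # (23-1)/2 = 11 is prime
DSA_P, DSA_Q = 43, 7   # 43-1 = 2*3*7, subgroup of prime order q = 7

if __name__ == "__main__":
    print(classify_dh_prime(SAFE_P), classify_dh_prime(DSA_P))
    print(peer_value_ok(21, DSA_P, DSA_Q))  # 21 has order 7: accepted
    print(peer_value_ok(36, DSA_P, DSA_Q))  # 36 has order 3: rejected
```

For a real file, the modulus to feed into `classify_dh_prime` can be read from the output of `openssl dhparam -in dhparam.pem -text -noout`.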