TLS/SSL problems



I'm having some trouble getting the PADL nss_ldap module to communicate to
OpenLDAP through TLS/SSL.  nss_ldap works fine in cleartext.  I've added a
user to the LDAP database and then chowned a file on the client machine to
that UID.  When I do an ls -l I see the username rather than the uid, and on
the LDAP server side I see the debug output showing that a request was made.

I can't seem to get TLS working though.  I've followed all the steps on
http://www.bolthole.com/solaris/LDAP.html.  When I modify /etc/ldap.conf on
the client side and set uri ldaps://ldapserver/ it stops working.  I've got
slapd started on ldapserver with the following syntax
 /opt/openldap/libexec/slapd -d9 -h ldaps:/// -h ldap:///
but nothing seems to be working.  I ran lsof and I saw that the ldap and
ldaps ports were listening and I verified I can telnet to the ports.  When I
telnet to the ldaps port slapd dumps the following output to stdout:
   daemon: activity on 1 descriptors
   daemon: new connection on 8
   daemon: added 8r
   daemon: activity on:
   daemon: select: listen=7 active_threads=0 tvp=NULL

No matter how I seem to configure /etc/ldap.conf I can't seem to get it to
use ldaps, in fact it's not even connecting to the server (if it were I'd
see the above message in the slapd logs).  I've tried setting /etc/ldap.conf
many different ways but I've had no luck.  I've added a line saying port
636, then I commented it out.  I added:
   ssl start_tls
   ssl true
but this had no effect.  I've also used the IP address in the uri
configuration but that hasn't worked either.

I've even run truss -o /tmp/out ls -l and examined the output.  It is
reading /etc/ldap.conf and /etc/ldap.secret but never establishing a
connection to the slapd server.

Are there any tricks to troubleshooting problems on the ldap client side?
Does anyone know why in ldaps it would fail before it even contacts the ldap
server, but in plaintext ldap it would work fine?

Thanks in advance,
Terry Ewing

Info about systems:
Specific info about my testlab:
2 Netra T1 servers each running Solaris 8 (04/01)
openldap 2.0.19 on ldap server
ANDIrand-0.7-5.8 on both server and client to provide /dev/random and
/dev/urandom
nss_ldap and pam_ldap from PADL running on client machine


lsof output from ls -l listing for failed ldaps session
truss | grep open
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY)            = 3
open("/usr/lib/libdl.so.1", O_RDONLY)           = 3
open("/usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1", O_RDONLY) = 3
open64(".", O_RDONLY|O_NDELAY)                  = 3
open64("/etc/.name_service_door", O_RDONLY)     = 3
open("/etc/nsswitch.conf", O_RDONLY)            = 3
open("/usr/lib/nss_files.so.1", O_RDONLY)       = 3
open("/usr/lib/libnsl.so.1", O_RDONLY)          = 3
open("/usr/lib/libmp.so.2", O_RDONLY)           = 3
open("/etc/passwd", O_RDONLY)                   = 3
open64("/etc/.name_service_door", O_RDONLY)     = 3
open("/etc/group", O_RDONLY)                    = 3
open("/usr/share/lib/zoneinfo/US/Eastern", O_RDONLY) = 3
open64("/etc/.name_service_door", O_RDONLY)     = 3
open("/etc/passwd", O_RDONLY)                   = 3
open("/usr/lib/nss_ldap.so.1", O_RDONLY)        = 3
open("/opt/openssl/lib/libldap.so.4", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libldap.so.4", O_RDONLY)   Err#2 ENOENT
open("/usr/lib/libldap.so.4", O_RDONLY)         = 3
open("/opt/openssl/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libresolv.so.2", O_RDONLY)       = 3
open("/usr/lib/libsocket.so.1", O_RDONLY)       = 3
open("/etc/ldap.conf", O_RDONLY)                = 3
open("/etc/ldap.secret", O_RDONLY)              = 3
open("/etc/irs.conf", O_RDONLY)                 Err#2 ENOENT
open("/etc/hesiod.conf", O_RDONLY)              Err#2 ENOENT
open("/etc/resolv.conf", O_RDONLY)              = 3
open("/etc/resolv.conf", O_RDONLY)              = 3
open("/etc/resolv.conf", O_RDONLY)              = 3
open64("/etc/.name_service_door", O_RDONLY)     = 3
open("/etc/passwd", O_RDONLY)                   = 3
open("/etc/ldap.conf", O_RDONLY)                = 3
open("/etc/ldap.secret", O_RDONLY)              = 3
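An added example, not part of the post above: a small checker for the TLS-related directives in a PADL-style /etc/ldap.conf that flags the combination the post describes (an ldaps:// uri together with `ssl start_tls`, duplicate `ssl` lines, stray host/port). It assumes nss_ldap's documented directive names, that `uri` takes precedence over `host`/`port`, and that `ssl` accepts on/off/yes/no/start_tls; the sample configs are constructed.

```python
"""Consistency checks for TLS directives in a PADL-style /etc/ldap.conf."""
from urllib.parse import urlsplit

# Constructed sample reproducing the combination described in the post.
BROKEN_CONF = """\
host ldapserver
port 636
uri ldaps://ldapserver/
ssl start_tls
ssl true
base dc=example,dc=com
"""

# Constructed sample of the same client pointed at ldaps with a trust anchor.
FIXED_CONF = """\
uri ldaps://ldapserver/
tls_cacertfile /etc/openldap/cacert.pem
base dc=example,dc=com
"""

KNOWN_SSL_VALUES = ("on", "off", "yes", "no", "start_tls")   # assumption


def parse_ldap_conf(text):
    """Return (key, value) pairs in file order; keys lower-cased, comments
    and blank lines skipped.  Duplicates are kept so the checker can see them."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def check_tls_config(pairs):
    """Return a list of findings; an empty list means the TLS settings agree."""
    findings = []
    conf = dict(pairs)                      # last occurrence wins
    ssl_values = [v.lower() for k, v in pairs if k == "ssl"]
    uri = conf.get("uri", "").split()[0] if conf.get("uri") else ""
    scheme = urlsplit(uri).scheme.lower() if uri else ""
    if len(ssl_values) > 1:
        findings.append("duplicate 'ssl' directives; only the last is effective")
    if scheme == "ldaps" and "start_tls" in ssl_values:
        findings.append("ldaps:// uri with 'ssl start_tls': StartTLS is negotiated on a "
                        "plaintext ldap:// session, ldaps:// is TLS from the first byte")
    for v in ssl_values:
        if v not in KNOWN_SSL_VALUES:
            findings.append("unrecognised 'ssl' value %r" % v)
    if uri and ("host" in conf or "port" in conf):
        findings.append("'host'/'port' present but 'uri' takes precedence; remove them")
    tls_on = scheme == "ldaps" or any(v in ("on", "yes", "start_tls") for v in ssl_values)
    if tls_on and not ("tls_cacertfile" in conf or "tls_cacertdir" in conf):
        findings.append("TLS enabled but no tls_cacertfile/tls_cacertdir; server "
                        "certificate verification relies on libldap defaults")
    return findings
```

Run `check_tls_config(parse_ldap_conf(BROKEN_CONF))` to see the five findings, and the same call on `FIXED_CONF` returns none.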