[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: client can StartTLS from ldapsearch but not getent/pam_ldap
Then your problem must not be in OpenLDAP Software itself,
but in getent (nss_ldap) and pam_ldap. You should take those
problems to the nssldap@padl.com and pamldap@padl.com mailing
list.
Kurt
At 09:16 PM 1/25/2004, Fran Fabrizio wrote:
>I have a known-good server-side config for doing StartTLS on my LDAP server - it's only listening on the ldap port and I can watch by looking at tcpdump output that after the server and client negotiate the StartTLS, it all goes to gibberish.
>
>Now, on the client, the following command:
>
># ldapsearch -x -b 'dc=cis,dc=uab,dc=edu' -D "cn=manager,dc=cis,dc=uab,dc=edu" '(objectclass=*)' -H <ldap://ldap.cis.uab.edu>ldap://ldap.cis.uab.edu -W -ZZ
>
>works great and I get back all the data in the directory as expected, so it would appear that the client is capable of StartTLS.
>
>However, on the same client, if I try:
>
># getent passwd
>
>I don't see any of the accounts from the LDAP database. The errors I am seeing on the server look like:
>
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>tls_write: want=1721, written=1721
> 0000: 16 03 01 00 4a 02 00 00 46 03 01 40 14 b0 7a d8 <mailto:....J...F..@..z>....J...F..@..z.
> 0010: 64 22 54 5f 96 43 c1 4c 20 e1 59 c1 ae b3 95 f3 d"T_.C.L .Y.....
> 0020: 6f 59 0b fb 36 7b 42 67 27 00 f2 20 40 2b ae c6 oY..6{Bg'.. @+..
>[snip]
>
> 0660: ac 2f 44 18 ca eb 9f 2b c7 c0 17 0a 04 64 e1 66 ./D....+.....d.f
> 0670: 32 55 23 1a 91 77 69 b0 9d 36 67 cf 3c 19 54 f1 2U#..wi..6g.<.T.
> 0680: 25 15 88 7c a6 f9 67 df 36 0f 0a cb 51 ac 29 10 %..|..g.6...Q.).
> 0690: 92 87 9f 29 4c 01 a2 96 d1 ea 01 e8 23 ae e8 b8 ...)L.......#...
> 06a0: 41 34 96 4a b2 85 85 dd 5d be cb 53 7b 4d 60 12 A4.J....]..S{M`.
> 06b0: 16 03 01 00 04 0e 00 00 00 .........
>TLS trace: SSL_accept:SSLv3 flush data
>tls_read: want=5 error=Resource temporarily unavailable
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>daemon: select: listen=6 active_threads=0 tvp=NULL
>daemon: activity on 1 descriptors
>daemon: activity on: 9r
>daemon: read activity on 9
>connection_get(9)
>connection_get(9): got connid=0
>connection_read(9): checking for input on id=0
>tls_read: want=5, got=5
> 0000: 16 03 01 00 86 .....
>tls_read: want=134, got=134
> 0000: 10 00 00 82 00 80 b7 66 22 6e b8 dd 21 a6 75 95 .......f"n..!.u.
> 0010: 14 ee c9 d3 ee 0d cb 00 74 d6 0d 06 63 0a 21 e4 ..
>
>Now, if I comment out everything TLS-related from slapd.conf and ldap.conf on the server and client, I see the accounts just fine, so the pam_filter and such is all working just fine. But I can't get the client to negotiate a TLS connection when using getent, whereas it negotiates one fine when I run ldapsearch. Thoughts of things to look at? nsswitch is set "passwd files ldap" and as mentioned works fine when I comment out TLS-related settings in ldap.conf and slapd.conf.
>
>My client ldap.conf contains (relevant to TLS):
>
>ssl start_tls
>TLS_CACERT /tmp/demoCA/cacert.pem
>TLS_REQCERT demand
>
>My server slapd.conf contains:
>
>TLSCipherSuite HIGH:MEDIUM:+SSLv2
>TLSCACertificateFile /usr/local/var/myCA/demoCA/cacert.pem
>TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
>TLSCertificateKey /usr/local/var/openldap-data/serverkey.pem
># will want to do this eventually but first things first
>TLSVerifyClient never
>
>Any ideas much appreciated.
>
>Thanks,
>Fran