
OL2.3.11 ldapsearch can bind as root but not as user



Hello,

Using a from-source install of 2.3.11, built on top of a FedoraCore4
base.

./configure --prefix=/usr/local/packages/openldap-2.3.11
  --libexecdir=/usr/local/packages/openldap-2.3.11/sbin
  --localstatedir=/srv/ldap
  --enable-crypt
  --enable-lmpasswd
  --with-gnu-ld
  --enable-dynamic
  --enable-ldbm
  --enable-debug

ldap.conf contains

TLS_CERT    /etc/pki/tls/certs/slapd.pem
TLS_CACERT  /etc/pki/tls/certs/slapd.pem

As root, this:

ldapsearch  -H "ldaps://myhost.my.domain" -b "o=myorg,c=uk" -W -x "cn=thing"

works fine, as does a bind to the non-secure "ldap://" URI as a normal user.


However, trying the secure access as a normal user
  (and adding   -v -d 255)
I am told:

ldap_initialize( ldaps://myhost.my.domain )
ldap_create
ldap_url_parse_ext(ldaps://myhost.my.domain)
Enter LDAP Password: 
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myhost.my.domain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 123.456.78.90:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS: could not load verify locations (file:`/etc/pki/tls/certs/slapd.pem',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:279
ldap_perror
ldap_bind: Can't contact LDAP server (-1)

Directory permissions on the path to

 /etc/pki/tls/certs/slapd.pem

are all fine and the file itself is

-rw-rw----  1 root ldap 2316 Oct 28 16:01 /etc/pki/tls/certs/slapd.pem



On a previous incarnation using OL 2.2.nn the permissions of the
slapd.pem (albeit in: /usr/share/ssl/certs ) were the same, though 
we didn't have to add the:

TLS_CERT
TLS_CACERT

stuff to ldap.conf, so maybe no access was being made to the local
certificate before?

I am sure this is merely masking a problem that highlights a gap in my
understanding.


Any ideas?


-- 
Regards,

----------------------------------------------------------------------
*  Kevin M. Buckley              e-mail: K.Buckley@lancaster.ac.uk   *
*                                                                    *
*  Systems Administrator                                             *
*  Computer Centre                                                   *
*  Lancaster University          Voice:  +44 (0) 1524 5 93718        *
*  LANCASTER. LA1 4YW            Fax  :  +44 (0) 1524 5 25113        *
*  England.                                                          *
*                                                                    *
*  My PC runs Linux/GNU, you still computing the Bill Gate$' way ?   *
----------------------------------------------------------------------
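The trace above fails at the point where libldap fopen()s the TLS_CACERT file, and the listed mode (-rw-rw---- root ldap) is exactly what would give a user outside the ldap group EACCES. The following is an added example, not code from the original post or from OpenLDAP: a POSIX shell check that parses the TLS_CACERT / TLS_CERT / TLS_KEY options out of an ldap.conf-style file, verifies each named file can be opened by the invoking user, and flags the tempting wrong fix, a world-readable file that also carries a private key. It assumes slapd.pem is a combined certificate-plus-key file (the post does not say what it contains); all paths, PEM bodies and config lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenLDAP): check that the
# files an ldap.conf names in TLS_CACERT / TLS_CERT / TLS_KEY can be opened by
# the user running ldapsearch, and flag a world-readable file that holds a
# private key. Paths, PEM bodies and the config below are constructed.

# Print "OPTION PATH" for each TLS file option in an ldap.conf-style file,
# ignoring comment lines; option names are matched case-insensitively.
tls_files_from_conf() {
    awk '
        /^[[:space:]]*#/ { next }
        toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CERT" || toupper($1) == "TLS_KEY" {
            print toupper($1), $2
        }' "$1"
}

# True if the "other" read bit is set (column 8 of ls -l, e.g. -rw-rw-r--).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# True if the file carries a PEM private-key block (combined cert+key file).
holds_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Check one option/path pair. Prints a verdict; returns 0 if OK, 1 on a problem.
check_tls_file() {
    opt=$1; path=$2
    if [ ! -e "$path" ]; then
        echo "$opt: $path does not exist"; return 1
    fi
    # The post's symptom: libldap fopen()s the file and gets "Permission denied"
    # because the invoking user is neither the owner nor in the file's group.
    if [ ! -r "$path" ]; then
        echo "$opt: $path is not readable by $(id -un)"; return 1
    fi
    # The wrong fix: chmod o+r on a combined cert+key file exposes the key.
    if holds_private_key "$path" && world_readable "$path"; then
        echo "$opt: $path holds a private key but is world-readable"; return 1
    fi
    echo "$opt: $path OK"
}

# Run every check for one config file; returns 1 if any check failed.
check_ldap_conf() {
    rc=0
    entries=$(tls_files_from_conf "$1")
    saved_ifs=$IFS
    IFS='
'
    for entry in $entries; do          # one "OPTION PATH" line per iteration
        IFS=$saved_ifs
        set -- $entry
        check_tls_file "$1" "$2" || rc=1
    done
    IFS=$saved_ifs
    return $rc
}

# Demonstration on constructed files, run as the current user.
demo() {
    tmp=$(mktemp -d)
    # slapd.pem as a combined certificate + key file (an assumption; the post
    # does not say what the file contains).
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'MIIC...' '-----END RSA PRIVATE KEY-----' \
        > "$tmp/slapd.pem"
    # A CA-certificate-only file: public data, safe for everyone to read.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' \
        > "$tmp/ca.pem"
    chmod 0644 "$tmp/ca.pem"

    echo "== slapd.pem mode 0660 as in the post (readable by owner and group only)"
    chmod 0660 "$tmp/slapd.pem"
    printf 'TLS_CERT   %s\nTLS_CACERT %s\n' "$tmp/slapd.pem" "$tmp/slapd.pem" > "$tmp/ldap.conf"
    check_ldap_conf "$tmp/ldap.conf" || echo "-> problems found"

    echo "== the tempting fix: chmod 0644 slapd.pem"
    chmod 0644 "$tmp/slapd.pem"
    check_ldap_conf "$tmp/ldap.conf" || echo "-> problems found"

    echo "== the better fix: TLS_CACERT points at a CA-only, world-readable file"
    chmod 0660 "$tmp/slapd.pem"
    printf 'TLS_CERT   %s\nTLS_CACERT %s\n' "$tmp/slapd.pem" "$tmp/ca.pem" > "$tmp/ldap.conf"
    check_ldap_conf "$tmp/ldap.conf" || echo "-> problems found"
    rm -rf "$tmp"
}

demo
```

Run it as the unprivileged user that fails, not as root, since root passes every readability test. The CA certificate is public material, so a separate CA-only file in 0644 is the safe way to let every user verify the server; the server's own key stays in a group-restricted file. Note also that ldap.conf(5) documents TLS_CERT and TLS_KEY as user-only options (read from ~/.ldaprc or the file named by LDAPRC, not from the system-wide ldap.conf), which is consistent with the trace failing only on the verify locations, i.e. the TLS_CACERT file.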