
Re: libnss-ldap and slapd (was: TLS configuration needs client certification (why?))



On 8/23/07, Frank Cornelissen <frankc@t310.org> wrote:
>
> On Aug 15, 2007, at 9:00 AM, Frank Cornelissen wrote:
>
> > Hello all,
> >
> > why does slapd require a peer/client certificate? I'm slapd 2.3.30
> > on debian (package 2.3.30-5 to be precise).
> >
> > when connecting with ssl to slapd using
> >
> >         ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
> >
> > I get the following error from slapd (started with -d 8):
> >
> >         TLS: can't accept.
> >         TLS: error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> > certificate s3_srvr.c:2455
> >
>
> <snip>
>
> After some debugging, this seems to be caused by the fact that on
> this machine libnss-ldap is enabled. This library will be loaded and
> will set some libldap options which seem to be global and thus
> interfering with the options from slapd. Anybody got an idea how to
> solve this, apart from setting up a separate machine for openldap?

I haven't looked at this specific issue, but other issues relating to
using ldap-enabled software on a host using nss_ldap could be worked
around by using nscd. However, the problems I've seen were fixed in
the latest release of nss_ldap (257). Versions affected were at least
254-256, but it may depend on the ssl library (and version).

More details would help ... (if this hasn't been resolved yet).
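As an added diagnostic example (not code from the thread, nor from the OpenLDAP or nss_ldap projects), a POSIX shell script that checks the three points raised above against constructed sample input: the "peer did not return a certificate" string in slapd -d 8 output, whether nsswitch.conf routes lookups to ldap, and whether an nss_ldap release number falls in the 254-256 range the reply names as affected. The sample log and nsswitch text are constructed; the verdict strings are my own.

```shell
#!/bin/sh
# Diagnose the symptom discussed in the thread: slapd insisting on a
# client certificate on a host where libnss-ldap is also active.

# Succeed if slapd -d 8 output contains the TLS client-certificate error.
slapd_log_wants_client_cert() {
    printf '%s\n' "$1" |
        grep -q 'SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate'
}

# Succeed if nsswitch.conf text sends passwd/group/shadow lookups to ldap,
# i.e. libnss-ldap (and its global libldap settings) gets loaded in-process.
nsswitch_uses_ldap() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*(passwd|group|shadow):[^#]*[[:space:]]ldap'
}

# Succeed if an nss_ldap release number is in the range the reply lists
# as affected (254-256); 257 is stated to carry the fix.
nss_ldap_version_affected() {
    [ "$1" -ge 254 ] && [ "$1" -le 256 ]
}

# Combine the checks into one verdict string for the caller.
diagnose() {
    log="$1"; nss="$2"
    if slapd_log_wants_client_cert "$log"; then
        if nsswitch_uses_ldap "$nss"; then
            echo "client-cert-demand-with-nss_ldap"   # nscd workaround / upgrade nss_ldap
        else
            echo "client-cert-demand"                 # look at slapd's own TLS config
        fi
    else
        echo "no-client-cert-demand"
    fi
}

# Constructed sample input modelled on the messages quoted in the thread.
SAMPLE_LOG="TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455"
SAMPLE_NSSWITCH="passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns"

echo "verdict: $(diagnose "$SAMPLE_LOG" "$SAMPLE_NSSWITCH")"
```

Run it against real `slapd -d 8` output and the host's /etc/nsswitch.conf by substituting those for the sample strings.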