
Re: TLSVerifyClient => no login possible



Dieter Kluenter wrote:
> Hello Sebastian,
>
> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>
>> Dieter Kluenter wrote:
>>
>>> Hello Sebastian,
>>>
>>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>>
>>>> Dieter Kluenter wrote:
>>>>
>>>>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>>>>
> [...]
>
>>>> Now I have set the loglevel to "3" and I get the following output if I
>>>> try to login (still fails):
>>>>
>>> loglevel is != debug level, man slapd(8), run slapd -d3
>>>
>>>> -------------------/var/log/messages---------------------------------------------------------------------
>>>>
>>> [...]
>>>
>>>> Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search
>>>> LDAP server - Server is unavailable
>>>>
>>> [...]
>>>
>>>> Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s:
>>>> Connect error
>>>> -------------------/var/log/messages---------------------------------------------------------------------
>>>>
>>>> I am not sure if this is a configuration or certificate error. Do you
>>>> understand this output above?
>>>>
>>> The clients are nss_ldap and pam_ldap, check the clients'
>>> configuration for starttls parameters.
>>> With debug level 3 you should see something like
>>>
> [...]
>
>> Sorry. I had not configured the pam_ldap (/etc/ldap.conf) config file
>> properly. The certificate entries were missing.
>>
>> Here is my /etc/ldap.conf:
>> -------------------/etc/ldap.conf-------------------------------------------
>> host    127.0.0.1
>>
> This host address is probably not the certificate DN
>
>> base    dc=lmv,dc=lmv
>> #uri ldap://127.0.0.1/
>> #uri ldaps://127.0.0.1/  
>> #uri ldapi://%2fvar%2frun%2fldapi_sock/
>> #ldap_version 3
>> #binddn cn=proxyuser,dc=example,dc=com
>> #bindpw secret
>> rootbinddn cn=ldaproot,dc=lmv,dc=lmv
>>
>
> To bind as rootdn is not a good idea.
>
> [...]
>
>> #ssl on
>> sslpath /etc/openldap/
>>
>
> Although it is not the base of your problem, omit sslpath
>
>> ssl    start_tls
>> ldap_version    3
>> pam_filter    objectclass=posixAccount
>> nss_base_passwd    ou=users,dc=lmv,dc=lmv
>> nss_base_shadow    ou=users,dc=lmv,dc=lmv
>> nss_base_group    ou=groups,dc=lmv,dc=lmv
>> tls_checkpeer    yes
>> #ssl on
>> tls_cacertfile /etc/openldap/cacert.pem
>> tls_cacertdir /etc/openldap/
>>
>
> omit tls_cacertdir
>
>> #tls_randfile /var/run/egd-pool
>> #tls_ciphers TLSv1
>> tls_cert /etc/openldap/clientcert_201.pem
>> tls_key /etc/openldap/clientkey_201.pem
>> #sasl_secprops maxssf=0
>> #krb5_ccname FILE:/etc/.ldapcache
>> -------------------/etc/ldap.conf-------------------------------------------
>>
>> And also my /etc/openldap/ldap.conf:
>> -------------------/etc/openldap/ldap.conf-----------------------------
>> TLS_CACERT    /etc/openldap/cacert.pem
>> TLS_CERT    /etc/openldap/clientcert_201.pem
>> TLS_KEY        /etc/openldap/clientkey_201.pem
>> TLS_REQCERT    demand
>> host    127.0.0.1
>>
>
> [...]
>
>> TLS: can't accept.
>> connection_read(14): TLS accept failure error=-1 id=33, closing
>>
> [...]
>
>> What is wrong? The certificate is not accepted? Is the certificate not ok?
>>
>
> I presume the certificate DN is not in conformance with the called URI
>
> To test this, just do a ldapsearch with a simple bind and starttls,
> that is ldapsearch -x -D some DN -w passwd -ZZ ldap://my.remote.host
> -b "" -s base +
>
> You may do a strace on this process, that is "strace -o /tmp/myfile.txt
> ldapsearch ...."
> As you use a host certificate, on a successful session you may see
> something like
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(19): unable to get TLS client DN, error=49 id=8
> But despite an error 49, the session is established.
>
> -Dieter
>
Hello,

As I tried to perform "ldapsearch" with TLS enabled I got some output
about "version trouble" of openldap server and client libraries. But now
I solved this problem and I have configured "pam_ldap" again.
The login with "TLSVerifyClient demand" (enabled in slapd.conf) works,
but not with "tls_checkpeer yes" in "/etc/ldap.conf". If
"tls_checkpeer" is "yes", the login is not possible (output:
"Permissions on the password database may be too restrictive").

The command "strace -o /tmp/ldapsearch.txt ldapsearch -d 1 -x -ZZ -h
192.168.0.201 "(uid=*)" " produces the following command line output:
------------------------------------------------------------------------------------------
ldap_create
ldap_url_parse_ext(ldap://192.168.0.201)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.0.201:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.201:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x613090 msgid 1
wait4msg ld 0x613090 msgid 1 (infinite timeout)
wait4msg continue ld 0x613090 msgid 1 all 1
** ld 0x613090 Connections:
* host: 192.168.0.201  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Mar  2 22:23:57 2009


** ld 0x613090 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x613090 request count 1 (abandoned 0)
** ld 0x613090 Response Queue:
   Empty
  ld 0x613090 response count 0
ldap_chkResponseList ld 0x613090 msgid 1 all 1
ldap_chkResponseList returns ld 0x613090 NULL
ldap_int_select
read1msg: ld 0x613090 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x613090 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x613090 0 new referrals
read1msg:  mark request completed, ld 0x613090 msgid 1
request done: ld 0x613090 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/C=DE/ST=Sachsen/L=Hartmannsdorf-Reichenau/O=LMV Landmaschinenvertrieb-
und Service
GmbH/OU=Computer/CN=lmvserver/emailAddress=snr@lmv-hartmannsdorf.de,
issuer: /C=DE/ST=Sachsen/L=Hartmannsdorf-Reichenau/O=LMV
Landmaschinenvertrieb- und Service
GmbH/OU=Computer/CN=lmvserver/emailAddress=snr@lmv-hartmannsdorf.de
TLS certificate verification: depth: 0, err: 0, subject:
/C=DE/ST=Sachsen/L=Hartmannsdorf-Reichenau/O=LMV Landmaschinenvertrieb-
und Service
GmbH/OU=Computer/CN=lmvserver/emailAddress=snr@lmv-hartmannsdorf.de,
issuer: /C=DE/ST=Sachsen/L=Hartmannsdorf-Reichenau/O=LMV
Landmaschinenvertrieb- und Service
GmbH/OU=Computer/CN=lmvserver/emailAddress=snr@lmv-hartmannsdorf.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure.
ldap_err2string
ldap_start_tls: Connect error (-11)
------------------------------------------------------------------------------------------

For strace output take a look at the attached file, please.
I think that server and client do not communicate via TLS, or do they?
And why can I login, but not search (with "tls_checkpeer no")?

-- 
Kind regards

Sebastian Reinhardt

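Dieter's strace suggestion can be taken one step further: the socket read()/write() lines in the attached trace carry the raw TLS records, and decoding them answers the question of whether client and server talk TLS at all. The script below is an added example, not code from this thread or from OpenLDAP. It assumes the LDAP connection is fd 3, as in the attached trace, and that strace used its default string formatting (octal escapes, buffers cut after 32 bytes and marked with "..."). The sample input is constructed from the attachment's own socket lines. On those bytes it reports that the server sends a CertificateRequest, the client answers with a Certificate message whose certificate list is empty (the record `\26\3\1\0\7\v\0\0\3\0\0\0`, written directly after `SSL_connect:SSLv3 write client certificate A`), and the server closes with alert 40, handshake_failure, which is what a server running with `TLSVerifyClient demand` does when no client certificate arrives. Two things in the trace fit that reading and are worth checking before touching certificates: ldapsearch opens /etc/openldap/cacert.pem but never opens clientcert_201.pem or clientkey_201.pem, and it looks for /root/.ldaprc, which does not exist; ldap.conf(5) documents TLS_CERT and TLS_KEY as user-only options, so a client certificate configured only in the system-wide /etc/openldap/ldap.conf is not picked up.

```python
"""Decode the TLS records in an strace capture of `ldapsearch -ZZ` (StartTLS client-cert handshake)."""
import re

# Constructed sample: the fd-3 socket lines copied from the strace output attached to the post.
SAMPLE_STRACE = r'''
write(3, "0\35\2\1\1w\30\200\0261.3.6.1.4.1.1466.20037", 31) = 31
write(3, "\200\206\1\3\1\0]\0\0\0 \0\0009\0\0008\0\0005\0\0\210\0\0\207\0\0\204\0\0\26"..., 136) = 136
read(3, "\26\3\1\0J\2\0", 7)            = 7
read(3, "\0F\3\1I\254Nmx\352F?Zx\21\320\320\351\263\324\177\274\v\3\351\340\331B#\346\236\343"..., 72) = 72
read(3, "\26\3\1\5\277", 5)             = 5
read(3, "\v\0\5\273\0\5\270\0\5\2650\202\5\2610\202\4\231\240\3\2\1\2\2\1\0100\r\6\t*\206"..., 1471) = 1471
read(3, "\26\3\1\0\332", 5)             = 5
read(3, "\r\0\0\322\3\1\2@\0\314\0\3120\201\3071\v0\t\6\3U\4\6\23\2DE1\0200\16"..., 218) = 218
write(3, "\26\3\1\0\7\v\0\0\3\0\0\0\26\3\1\1\6\20\0\1\2\1\0\10\212\22\241\257\313\301\224\32"..., 338) = 338
read(3, "\25\3\1\0\2", 5)               = 5
read(3, "\2(", 2)                       = 2
'''
LINE_RE = re.compile(r'^(read|write)\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, \d+\)\s*=\s*(-?\d+)')
ESCAPES = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "a": 7, "b": 8, "\\": 92, '"': 34, "'": 39}
RECORD = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca", 49: "access_denied"}

def decode_strace_string(s: str) -> bytes:
    out, i = bytearray(), 0                     # strace prints C-style escapes: \n, \v, ... and octal \ooo
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i])); i += 1
        elif s[i + 1] in ESCAPES:
            out.append(ESCAPES[s[i + 1]]); i += 2
        else:                                   # up to three octal digits: \0100 is \010 followed by '0'
            digits = re.match(r"[0-7]{1,3}", s[i + 1:]).group()
            out.append(int(digits, 8)); i += 1 + len(digits)
    return bytes(out)

class Stream:
    def __init__(self):                         # one direction of socket traffic
        self.data, self.chunk_starts = [], []   # byte values (None where strace truncated), syscall offsets
    def add(self, shown: bytes, total: int):
        self.chunk_starts.append(len(self.data))
        self.data.extend(shown[:total])
        self.data.extend([None] * max(0, total - len(shown)))
    def known(self, start: int, n: int):        # n bytes at start, or None if any of them is missing
        seg = self.data[start:start + n]
        return None if len(seg) < n or None in seg else bytes(seg)

def build_streams(trace: str, fd: int = 3) -> dict:
    streams = {"client": Stream(), "server": Stream()}   # write() = client->server, read() = server->client
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(2)) == fd and int(m.group(5)) >= 0:
            side = "client" if m.group(1) == "write" else "server"
            streams[side].add(decode_strace_string(m.group(3)), int(m.group(5)))
    return streams

def describe_handshake(st: Stream, pos: int, end: int) -> list:
    names = []                                  # handshake messages inside one record body [pos, end)
    while pos + 4 <= end:
        hdr = st.known(pos, 4)                  # msg_type(1) + length(3)
        if hdr is None:
            names.append("(rest truncated)"); break
        htype, hlen = hdr[0], int.from_bytes(hdr[1:4], "big")
        name = HANDSHAKE.get(htype, f"type {htype}")
        lst = st.known(pos + 4, 3) if htype == 11 else None   # Certificate: certificate_list length
        if lst is not None:
            n = int.from_bytes(lst, "big")
            name += " (empty certificate list)" if n == 0 else f" ({n} bytes of certificates)"
        names.append(f"{name} len={hlen}"); pos += 4 + hlen
    return names

def parse_records(st: Stream) -> list:
    out, pos = [], 0
    while pos < len(st.data):
        hdr = st.known(pos, 5)
        if hdr is None:
            out.append("(remaining records truncated by strace; rerun with -s 4096)"); break
        if hdr[0] & 0x80 and hdr[2] == 1:       # SSLv2-compatible ClientHello: 2-byte header, msg type 1
            length = ((hdr[0] & 0x7F) << 8) | hdr[1]
            out.append(f"SSLv2-format ClientHello len={length}"); pos += 2 + length
        elif hdr[0] in RECORD and hdr[1] == 3:  # TLS record: type(1) version(2) length(2)
            length, body = int.from_bytes(hdr[3:5], "big"), pos + 5
            detail = ""
            if hdr[0] == 22:
                detail = ", ".join(describe_handshake(st, body, body + length))
            elif hdr[0] == 21 and (a := st.known(body, 2)) is not None:
                detail = f"{'fatal' if a[0] == 2 else 'warning'} {ALERT.get(a[1], a[1])}"
            out.append(f"{RECORD[hdr[0]]} v3.{hdr[2]} len={length}: {detail}".rstrip(": ")); pos = body + length
        else:                                   # not TLS (e.g. the LDAP StartTLS PDU): skip this syscall's bytes
            end = next((c for c in st.chunk_starts if c > pos), len(st.data))
            out.append(f"non-TLS data ({end - pos} bytes, skipped)"); pos = end
    return out

def analyse(trace: str, fd: int = 3) -> dict:
    return {side: parse_records(st) for side, st in build_streams(trace, fd).items()}

if __name__ == "__main__":
    print(*(f"{side}: {rec}" for side, recs in analyse(SAMPLE_STRACE).items() for rec in recs), sep="\n")
```

Running the script prints one line per record for each direction; feeding it a fresh trace taken with `strace -s 4096 -o file ldapsearch -ZZ ...` removes the truncation markers so that the CertificateRequest (including the CA names the server will accept) and the Finished messages are decoded in full.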

-------------------/tmp/ldapsearch.txt (attached strace output)---------------------------
execve("/usr/bin/ldapsearch", ["ldapsearch", "-d", "1", "-x", "-ZZ", "-h", "192.168.0.201", "(uid=*)"], [/* 62 vars */]) = 0
brk(0)                                  = 0x613000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b8a000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b89000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=154925, ...}) = 0
mmap(NULL, 154925, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3054b63000
close(3)                                = 0
open("/usr/lib64/libldap-2.4.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\342\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=283000, ...}) = 0
mmap(NULL, 2373360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f305472a000
fadvise64(3, 0, 2373360, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f305476b000, 2097152, PROT_NONE) = 0
mmap(0x7f305496b000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x41000) = 0x7f305496b000
close(3)                                = 0
open("/usr/lib64/liblber-2.4.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\00009\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=65784, ...}) = 0
mmap(NULL, 2159912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f305451a000
fadvise64(3, 0, 2159912, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f3054529000, 2093056, PROT_NONE) = 0
mmap(0x7f3054728000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe000) = 0x7f3054728000
close(3)                                = 0
open("/usr/lib64/libsasl2.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000M\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=111704, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b62000
mmap(NULL, 2205648, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f30542ff000
fadvise64(3, 0, 2205648, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f3054318000, 2097152, PROT_NONE) = 0
mmap(0x7f3054518000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19000) = 0x7f3054518000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=16040, ...}) = 0
mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f30540fb000
fadvise64(3, 0, 2109696, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f30540fd000, 2097152, PROT_NONE) = 0
mmap(0x7f30542fd000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f30542fd000
close(3)                                = 0
open("/usr/lib64/libssl.so.0.9.8", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2601\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0555, st_size=321488, ...}) = 0
mmap(NULL, 2413008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3053ead000
fadvise64(3, 0, 2413008, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f3053ef4000, 2093056, PROT_NONE) = 0
mmap(0x7f30540f3000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x46000) = 0x7f30540f3000
close(3)                                = 0
open("/usr/lib64/libcrypto.so.0.9.8", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220n\6\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0555, st_size=1601472, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b61000
mmap(NULL, 3672152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3053b2c000
fadvise64(3, 0, 3672152, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f3053c86000, 2097152, PROT_NONE) = 0
mmap(0x7f3053e86000, 143360, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15a000) = 0x7f3053e86000
mmap(0x7f3053ea9000, 14424, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3053ea9000
close(3)                                = 0
open("/lib64/libcrypt.so.1", O_RDONLY)  = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\v\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=61240, ...}) = 0
mmap(NULL, 2343552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f30538ef000
fadvise64(3, 0, 2343552, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f30538fc000, 2097152, PROT_NONE) = 0
mmap(0x7f3053afc000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7f3053afc000
mmap(0x7f3053afe000, 184960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3053afe000
close(3)                                = 0
open("/lib64/libresolv.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@5\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=78608, ...}) = 0
mmap(NULL, 2181984, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f30536da000
fadvise64(3, 0, 2181984, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f30536eb000, 2097152, PROT_NONE) = 0
mmap(0x7f30538eb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x7f30538eb000
mmap(0x7f30538ed000, 7008, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f30538ed000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\345\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1495120, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b60000
mmap(NULL, 3506872, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3053381000
fadvise64(3, 0, 3506872, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f30534d0000, 2097152, PROT_NONE) = 0
mmap(0x7f30536d0000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14f000) = 0x7f30536d0000
mmap(0x7f30536d5000, 17080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f30536d5000
close(3)                                = 0
open("/lib64/libz.so.1", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\"\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=89888, ...}) = 0
mmap(NULL, 2183728, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f305316b000
fadvise64(3, 0, 2183728, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f3053180000, 2093056, PROT_NONE) = 0
mmap(0x7f305337f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14000) = 0x7f305337f000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b5f000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b5e000
arch_prctl(ARCH_SET_FS, 0x7f3054b5e6f0) = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\271\273\323a\3743+0", 8)      = 8
close(3)                                = 0
mprotect(0x7f305337f000, 4096, PROT_READ) = 0
mprotect(0x7f30536d0000, 16384, PROT_READ) = 0
mprotect(0x7f30538eb000, 4096, PROT_READ) = 0
mprotect(0x7f3053afc000, 4096, PROT_READ) = 0
mprotect(0x7f3053e86000, 53248, PROT_READ) = 0
mprotect(0x7f30540f3000, 8192, PROT_READ) = 0
mprotect(0x7f30542fd000, 4096, PROT_READ) = 0
mprotect(0x7f3054518000, 4096, PROT_READ) = 0
mprotect(0x7f3054728000, 4096, PROT_READ) = 0
mprotect(0x7f305496b000, 4096, PROT_READ) = 0
mprotect(0x611000, 4096, PROT_READ)     = 0
mprotect(0x7f3054b8b000, 4096, PROT_READ) = 0
munmap(0x7f3054b63000, 154925)          = 0
brk(0)                                  = 0x613000
brk(0x634000)                           = 0x634000
uname({sys="Linux", node="lmvserver", ...}) = 0
getpid()                                = 5961
open("/etc/resolv.conf", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=61, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b88000
read(3, "nameserver 192.168.0.200\nnameser"..., 4096) = 61
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f3054b88000, 4096)            = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
open("/etc/nsswitch.conf", O_RDONLY)    = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1252, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b88000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1252
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f3054b88000, 4096)            = 0
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=154925, ...}) = 0
mmap(NULL, 154925, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3054b63000
close(3)                                = 0
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\37\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=49120, ...}) = 0
mmap(NULL, 2143528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3052f5f000
fadvise64(3, 0, 2143528, POSIX_FADV_WILLNEED) = 0
mprotect(0x7f3052f69000, 2097152, PROT_NONE) = 0
mmap(0x7f3053169000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f3053169000
close(3)                                = 0
mprotect(0x7f3053169000, 4096, PROT_READ) = 0
munmap(0x7f3054b63000, 154925)          = 0
open("/etc/host.conf", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=370, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b88000
read(3, "#\n# /etc/host.conf - resolver co"..., 4096) = 370
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f3054b88000, 4096)            = 0
open("/etc/hosts", O_RDONLY|0x80000 /* O_??? */) = 3
fcntl(3, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
fstat(3, {st_mode=S_IFREG|0644, st_size=783, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b88000
read(3, "#\n# hosts         This file desc"..., 4096) = 783
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f3054b88000, 4096)            = 0
open("/etc/openldap/ldap.conf", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=417, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b88000
read(3, "#\n# LDAP Defaults\n#\n\n# See ldap."..., 4096) = 417
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f3054b88000, 4096)            = 0
getuid()                                = 0
geteuid()                               = 0
open("/root/ldaprc", O_RDONLY)          = -1 ENOENT (No such file or directory)
open("/root/.ldaprc", O_RDONLY)         = -1 ENOENT (No such file or directory)
open("ldaprc", O_RDONLY)                = -1 ENOENT (No such file or directory)
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
write(2, "ldap_create\n", 12)           = 12
write(2, "ldap_url_parse_ext(ldap://192.16";..., 41) = 41
write(2, "ldap_extended_operation_s\n", 26) = 26
write(2, "ldap_extended_operation\n", 24) = 24
write(2, "ldap_send_initial_request\n", 26) = 26
write(2, "ldap_new_connection 1 1 0\n", 26) = 26
write(2, "ldap_int_open_connection\n", 25) = 25
write(2, "ldap_connect_to_host: TCP 192.16"..., 44) = 44
socket(PF_NETLINK, SOCK_RAW, 0)         = 3
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=5961, groups=00000000}, [12]) = 0
sendto(3, "\24\0\0\0\26\0\1\3mN\254I\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0mN\254II\27\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 232
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0mN\254II\27\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 192
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0mN\254II\27\0\0\0\0\0\0\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
write(2, "ldap_new_socket: 3\n", 19)    = 19
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
write(2, "ldap_prepare_socket: 3\n", 23) = 23
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
write(2, "ldap_connect_to_host: Trying 192"..., 47) = 47
write(2, "ldap_pvt_connect: fd: 3 tm: -1 a"..., 40) = 40
connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.0.201")}, 16) = 0
write(2, "ldap_open_defconn: successful\n", 30) = 30
write(2, "ldap_send_server_request\n", 25) = 25
write(2, "ber_scanf fmt ({it) ber:\n", 25) = 25
write(2, "ber_scanf fmt ({) ber:\n", 23) = 23
write(2, "ber_flush2: 31 bytes to sd 3\n", 29) = 29
write(3, "0\35\2\1\1w\30\200\0261.3.6.1.4.1.1466.20037", 31) = 31
write(2, "ldap_result ld 0x613090 msgid 1\n", 32) = 32
write(2, "wait4msg ld 0x613090 msgid 1 (in"..., 48) = 48
write(2, "wait4msg continue ld 0x613090 ms"..., 44) = 44
write(2, "** ld 0x613090 Connections:\n", 28) = 28
write(2, "* host: 192.168.0.201  port: 389"..., 44) = 44
write(2, "  refcnt: 2  status: Connected\n", 31) = 31
open("/etc/localtime", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=2295, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=2295, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b88000
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10\0\0\0\0"..., 4096) = 2295
lseek(4, -1458, SEEK_CUR)               = 837
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 1458
close(4)                                = 0
munmap(0x7f3054b88000, 4096)            = 0
write(2, "  last used: Mon Mar  2 22:23:57"..., 39) = 39
write(2, "\n", 1)                       = 1
write(2, "** ld 0x613090 Outstanding Reque"..., 37) = 37
write(2, " * msgid 1,  origid 1, status In"..., 41) = 41
write(2, "   outstanding referrals 0, pare"..., 43) = 43
write(2, "  ld 0x613090 request count 1 (a"..., 44) = 44
write(2, "** ld 0x613090 Response Queue:\n", 31) = 31
write(2, "   Empty\n", 9)               = 9
write(2, "  ld 0x613090 response count 0\n", 31) = 31
write(2, "ldap_chkResponseList ld 0x613090"..., 47) = 47
write(2, "ldap_chkResponseList returns ld "..., 46) = 46
write(2, "ldap_int_select\n", 16)       = 16
poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP, revents=POLLIN}], 1, -1) = 1
write(2, "read1msg: ld 0x613090 msgid 1 al"..., 36) = 36
write(2, "ber_get_next\n", 13)          = 13
read(3, "0\f\2\1\1x\7\n", 8)            = 8
read(3, "\1\0\4\0\4\0", 6)              = 6
write(2, "ber_get_next: tag 0x30 len 12 co"..., 40) = 40
write(2, "read1msg: ld 0x613090 msgid 1 me"..., 59) = 59
write(2, "ber_scanf fmt ({eAA) ber:\n", 26) = 26
write(2, "read1msg: ld 0x613090 0 new refe"..., 38) = 38
write(2, "read1msg:  mark request complete"..., 55) = 55
write(2, "request done: ld 0x613090 msgid "..., 34) = 34
write(2, "res_errno: 0, res_error: <>, res"..., 45) = 45
write(2, "ldap_free_request (origid 1, msg"..., 38) = 38
write(2, "ldap_free_connection 0 1\n", 25) = 25
write(2, "ldap_free_connection: refcnt 1\n", 31) = 31
write(2, "ldap_parse_extended_result\n", 27) = 27
write(2, "ber_scanf fmt ({eAA) ber:\n", 26) = 26
write(2, "ldap_parse_result\n", 18)     = 18
write(2, "ber_scanf fmt ({iAA) ber:\n", 26) = 26
write(2, "ber_scanf fmt (}) ber:\n", 23) = 23
write(2, "ldap_msgfree\n", 13)          = 13
open("/etc/openldap/cacert.pem", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=2098, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3054b88000
read(4, "-----BEGIN CERTIFICATE-----\nMIIF"..., 4096) = 2098
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0x7f3054b88000, 4096)            = 0
open("/etc/ssl/cert.pem", O_RDONLY)     = -1 ENOENT (No such file or directory)
brk(0x658000)                           = 0x658000
write(2, "TLS trace: SSL_connect:before/co"..., 53) = 53
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 4
fstat(4, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 10) = 1
read(4, "\353b\344\5x\352\304\v\211\211F\177\217\207h\317\270\221C\362\0302\354)\354\10^\211\322+s\313", 32) = 32
close(4)                                = 0
getuid()                                = 0
write(3, "\200\206\1\3\1\0]\0\0\0 \0\0009\0\0008\0\0005\0\0\210\0\0\207\0\0\204\0\0\26"..., 136) = 136
write(2, "TLS trace: SSL_connect:SSLv2/v3 "..., 53) = 53
read(3, "\26\3\1\0J\2\0", 7)            = 7
read(3, "\0F\3\1I\254Nmx\352F?Zx\21\320\320\351\263\324\177\274\v\3\351\340\331B#\346\236\343"..., 72) = 72
write(2, "TLS trace: SSL_connect:SSLv3 rea"..., 49) = 49
read(3, "\26\3\1\5\277", 5)             = 5
read(3, "\v\0\5\273\0\5\270\0\5\2650\202\5\2610\202\4\231\240\3\2\1\2\2\1\0100\r\6\t*\206"..., 1471) = 1471
write(2, "TLS certificate verification: de"..., 209) = 209
write(2, " issuer: /C=DE/ST=Sachsen/L=Hart"..., 161) = 161
write(2, "TLS certificate verification: de"..., 209) = 209
write(2, " issuer: /C=DE/ST=Sachsen/L=Hart"..., 161) = 161
write(2, "TLS trace: SSL_connect:SSLv3 rea"..., 55) = 55
read(3, "\26\3\1\0\332", 5)             = 5
read(3, "\r\0\0\322\3\1\2@\0\314\0\3120\201\3071\v0\t\6\3U\4\6\23\2DE1\0200\16"..., 218) = 218
write(2, "TLS trace: SSL_connect:SSLv3 rea"..., 63) = 63
write(2, "TLS trace: SSL_connect:SSLv3 rea"..., 48) = 48
write(2, "TLS trace: SSL_connect:SSLv3 wri"..., 56) = 56
write(2, "TLS trace: SSL_connect:SSLv3 wri"..., 57) = 57
write(2, "TLS trace: SSL_connect:SSLv3 wri"..., 56) = 56
write(2, "TLS trace: SSL_connect:SSLv3 wri"..., 46) = 46
write(3, "\26\3\1\0\7\v\0\0\3\0\0\0\26\3\1\1\6\20\0\1\2\1\0\10\212\22\241\257\313\301\224\32"..., 338) = 338
write(2, "TLS trace: SSL_connect:SSLv3 flu"..., 40) = 40
read(3, "\25\3\1\0\2", 5)               = 5
read(3, "\2(", 2)                       = 2
write(2, "TLS trace: SSL3 alert read:fatal"..., 51) = 51
write(2, "TLS trace: SSL_connect:failed in"..., 55) = 55
write(2, "TLS: can\'t connect: error:140944"..., 95) = 95
write(2, "ldap_err2string\n", 16)       = 16
write(2, "ldap_start_tls: Connect error (-"..., 36) = 36
exit_group(1)                           = ?
-------------------attached ldap.conf (nss_ldap / pam_ldap configuration)-------------------
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a 
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host	192.168.0.201

# The distinguished name of the search base.
base	dc=lmv,dc=lmv

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=lmv,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=lmv,dc=com

# The port.
# Optional: default is 389.
port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
bind_policy	soft

# Connection policy:
#  persist:   DSA connections are kept open (default)
#  oneshot:   DSA connections destroyed after request
#nss_connect_policy persist

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Use paged results
#nss_paged_results yes

# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server). Make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy	yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=lmv,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
pam_password	crypt

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# Use backlinks for answering initgroups()
#nss_initgroups backlink

# returns NOTFOUND if nss_ldap's initgroups() is called
# for users specified in nss_initgroups_ignoreusers 
# (comma separated)
nss_initgroups_ignoreusers	root,ldap

# Enable support for RFC2307bis (distinguished names in group
# members)
#nss_schema	rfc2307bis
nss_schema	nis

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd	ou=users,dc=lmv,dc=lmv
nss_base_shadow	ou=users,dc=lmv,dc=lmv
nss_base_group		ou=groups,dc=lmv,dc=lmv
nss_base_hosts		ou=Hosts,dc=lmv,dc=lmv
#nss_base_services	ou=Services,dc=lmv,dc=lmv
#nss_base_networks	ou=Networks,dc=lmv,dc=lmv
#nss_base_protocols	ou=Protocols,dc=lmv,dc=lmv
#nss_base_rpc		ou=Rpc,dc=lmv,dc=lmv
#nss_base_ethers	ou=Ethers,dc=lmv,dc=lmv
#nss_base_netmasks	ou=Networks,dc=lmv,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=lmv,dc=lmv
#nss_base_aliases	ou=Aliases,dc=lmv,dc=lmv
#nss_base_netgroup	ou=Netgroup,dc=lmv,dc=lmv

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
nss_map_attribute	uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# For pre-RFC2307bis automount schema
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl	start_tls
ldap_version	3
pam_filter	objectclass=posixAccount
nss_base_passwd	ou=users,dc=lmv,dc=lmv
nss_base_shadow	ou=users,dc=lmv,dc=lmv
nss_base_group	ou=groups,dc=lmv,dc=lmv
tls_checkpeer	no
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
tls_cacertfile /etc/openldap/cacert.pem
tls_cacertdir /etc/openldap/

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
tls_cert /etc/openldap/clientcert_205.pem
tls_key /etc/openldap/clientkey_205.pem

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache