
TLS only working as root when used together with pam/nss_ldap (ITS#3109)



Full_Name: Harald Klein
Version: 2.1.22
OS: SuSE 9p
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.17.243.2)


On Wed, Apr 21, 2004 at 08:53:15AM +0000, Harald Klein wrote:
> I have 2 ldap servers, A and B.
> Whenever I configure pam/nss to use host B in host A's /etc/ldap.conf, the
> slapd daemon on A won't accept TLS when _NOT_ running as root.
>
> When I point to A from A, it works.
> When I move /etc/ldap.conf away, it works.
> When I run as root, it works.
>
> Any ideas?

I've discovered the same bug some days ago. The reason is the
simultaneous use of libldap as client (by libnss_ldap) and as server
(by slapd itself) while using global TLS contexts.

When slapd is started as a non-root user, it first initializes the TLS
stuff. Some steps later it does an initgroups() for the selected user.
This initgroups() call triggers libnss_ldap, which initializes TLS again
(usually not using a certificate!) and instantiates the global TLS
context while connecting to host B using TLS.

Later, when accepting an incoming TLS connection using the same global
TLS context (now without a server certificate configured in!), slapd has
no non-anonymous ciphers available ...

When starting slapd as root, no initgroups is done and consequently no
ldap client connection pollutes the TLS context.

The solution would be to use per-connection TLS contexts (or at least to
allow doing so ...).

(BTW, I've tested version 2.1.29 and haven't checked if this bug has
been fixed in HEAD or so.)

Enrik
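The sequence Enrik describes (server-side TLS set up first, then a client-side initialization from libnss_ldap during initgroups() clobbering the same process-global context) is modelled below as an added example. It is not OpenLDAP or nss_ldap code: the context struct, the `tls_init()` / `nss_ldap_lookup()` helpers and the certificate path `/etc/openldap/slapd.pem` are hypothetical stand-ins, chosen only to show why a single global context breaks and why per-role (or per-connection) contexts do not.

```c
/* Added example (not OpenLDAP code): a minimal model of the failure
 * described in the thread. One process uses the same TLS library both
 * as a server (slapd) and as a client (libnss_ldap during initgroups()).
 * With a single process-wide context the client-side initialisation
 * overwrites the server's certificate; with per-role contexts it cannot. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of a TLS context: only the loaded certificate matters here. */
struct tls_ctx {
    char cert_file[64];   /* "" means no certificate configured */
};

/* The shared, process-global context used by the "global context" variant. */
static struct tls_ctx g_ctx;

/* (Re)initialise a context. cert may be NULL for a plain client, which is
 * what a library that rebuilds its global state on every call would do. */
static void tls_init(struct tls_ctx *ctx, const char *cert)
{
    memset(ctx, 0, sizeof *ctx);
    if (cert)
        snprintf(ctx->cert_file, sizeof ctx->cert_file, "%s", cert);
}

/* A server can only offer non-anonymous cipher suites if a certificate is
 * loaded into the context it accepts connections with. */
static bool server_can_accept(const struct tls_ctx *ctx)
{
    return ctx->cert_file[0] != '\0';
}

/* Simulate libnss_ldap answering initgroups() over LDAP: it opens a client
 * TLS connection to host B, initialising the context it is handed. */
static void nss_ldap_lookup(struct tls_ctx *ctx)
{
    tls_init(ctx, NULL);   /* client side: no server certificate */
}

/* Variant 1: everything shares g_ctx (the behaviour reported). Returns
 * whether slapd can still accept TLS after switching to the service user. */
bool start_slapd_global_ctx(bool drop_privileges)
{
    tls_init(&g_ctx, "/etc/openldap/slapd.pem");   /* hypothetical path */
    if (drop_privileges)
        nss_ldap_lookup(&g_ctx);   /* initgroups() -> libnss_ldap -> same ctx */
    return server_can_accept(&g_ctx);
}

/* Variant 2: the server and the client role each get their own context. */
bool start_slapd_split_ctx(bool drop_privileges)
{
    struct tls_ctx server_ctx, client_ctx;
    tls_init(&server_ctx, "/etc/openldap/slapd.pem");
    if (drop_privileges)
        nss_ldap_lookup(&client_ctx);   /* touches only the client context */
    return server_can_accept(&server_ctx);
}

int main(void)
{
    const char *ok = "TLS ok", *bad = "anonymous ciphers only";
    printf("global ctx,   run as root:     %s\n", start_slapd_global_ctx(false) ? ok : bad);
    printf("global ctx,   non-root user:   %s\n", start_slapd_global_ctx(true)  ? ok : bad);
    printf("per-role ctx, non-root user:   %s\n", start_slapd_split_ctx(true)   ? ok : bad);
    return 0;
}
```

Running as root skips the initgroups() path, so the global variant still works there, exactly as the original report observes; only the non-root start through the shared context loses the certificate. The split-context variant is unaffected by the order in which the two roles initialise.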