
TLS only working as root when used together with pam/nss_ldap (ITS#3109)

Full_Name: Harald Klein
Version: 2.1.22
OS: SuSE 9p
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

On Wed, Apr 21, 2004 at 08:53:15AM +0000, Harald Klein wrote:
> I have 2 ldap servers, A and B.
> Whenever I configure pam/nss to use host B in host A's /etc/ldap.conf, the
> slapd daemon on A won't accept TLS when _NOT_ running as root.
> When I point to A from A, it works.
> When I move /etc/ldap.conf away, it works.
> When I run as root, it works.
> Any ideas?

I discovered the same bug some days ago. The reason is the
simultaneous use of libldap as client (by libnss_ldap) and as server
(by slapd itself) while using global TLS contexts.

When slapd is started as a non-root user, it first initializes the TLS
stuff. Some steps later it does an initgroups() for the selected user.
This initgroups() call triggers libnss_ldap, which initializes TLS again
(usually not using a certificate!) and instantiates the global TLS
context while connecting to host B using TLS.

Later, when accepting an incoming TLS connection using the same global
TLS context (now without a server certificate configured in!), slapd has
no non-anonymous ciphers available ...

When starting slapd as root, no initgroups is done and consequently no
ldap client connection pollutes the TLS context.

The solution would be to use per-connection TLS contexts (or at least to
allow doing so ...).

(BTW, I've tested version 2.1.29 and haven't checked if this bug has
been fixed in HEAD or so.)
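
The start-up sequence described in this message, as an added example that is not part of the ITS thread and not OpenLDAP or nss_ldap code. It models libldap's process-global default TLS context as one mutable object that any caller in the process can overwrite, then walks slapd's start-up as root and as an unprivileged user, and finally shows the proposed fix (a context slapd owns privately). All names (LibLdap, tls_init, nss_ldap_connect, slapd_start_global_ctx, slapd_start_private_ctx) are hypothetical stand-ins for the real internals, and the cipher names and the client's default cipher offer are illustrative assumptions.

```python
"""Model of the ITS#3109 failure mode: one process-global TLS context in
libldap shared by slapd (server side) and libnss_ldap (client side).

Added example, not OpenLDAP code. Every name here is a hypothetical
stand-in for the real libldap/nss_ldap internals; cipher names are
illustrative.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Cipher families a TLS server can offer. Anonymous DH needs no key; every
# other family needs the server's private key and certificate.
ANON_CIPHERS = {"ADH-AES128-SHA"}
AUTH_CIPHERS = {"ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"}
# Assumption: a normal LDAP client offers only authenticated ciphers, since
# anonymous ciphers are disabled by default.
DEFAULT_CLIENT_OFFER = set(AUTH_CIPHERS)


@dataclass
class TLSContext:
    owner: str
    cert: Optional[str] = None

    def server_ciphers(self) -> Set[str]:
        """Ciphers a server using this context can actually complete."""
        return ANON_CIPHERS | (AUTH_CIPHERS if self.cert else set())


class LibLdap:
    """The single libldap linked into the process and its global default
    context. Every caller that initialises TLS replaces the same object;
    the last writer wins, which is the whole problem."""

    def __init__(self) -> None:
        self.global_ctx: Optional[TLSContext] = None
        self.trace: List[str] = []

    def tls_init(self, caller: str, cert: Optional[str] = None) -> None:
        self.global_ctx = TLSContext(owner=caller, cert=cert)
        self.trace.append(f"{caller} initialised global TLS ctx, cert={cert}")


def nss_ldap_connect(lib: LibLdap, host: str) -> None:
    """libnss_ldap opening its TLS client connection to the configured server.
    A client needs no certificate, so it re-initialises the global context
    without one (hypothetical model of the behaviour the message reports)."""
    lib.tls_init(caller=f"libnss_ldap->{host}")


def initgroups(lib: LibLdap, user: str, nss_ldap_host: Optional[str]) -> None:
    """initgroups(3): supplementary-group lookup for `user`. With an
    /etc/ldap.conf that points at a server, the lookup goes through
    libnss_ldap, and that is the hidden TLS re-initialisation."""
    if nss_ldap_host is not None:
        nss_ldap_connect(lib, nss_ldap_host)


def negotiate(server: TLSContext, client_offer: Set[str]) -> Optional[str]:
    """Pick a cipher both sides support; None means the handshake fails."""
    common = server.server_ciphers() & client_offer
    return sorted(common)[0] if common else None


def slapd_start_global_ctx(lib: LibLdap, run_as_root: bool,
                           nss_ldap_host: Optional[str],
                           cert: str = "slapd.pem") -> Optional[str]:
    """slapd start-up as described: TLS init first, then (only when not
    running as root) initgroups() for the target user, then accept
    connections using whatever the global context now holds."""
    lib.tls_init(caller="slapd", cert=cert)
    if not run_as_root:
        initgroups(lib, user="ldap", nss_ldap_host=nss_ldap_host)
    assert lib.global_ctx is not None
    return negotiate(lib.global_ctx, DEFAULT_CLIENT_OFFER)


def slapd_start_private_ctx(lib: LibLdap, run_as_root: bool,
                            nss_ldap_host: Optional[str],
                            cert: str = "slapd.pem") -> Optional[str]:
    """The fix proposed in the thread: slapd keeps its own per-listener /
    per-connection context that no other code in the process can replace."""
    server_ctx = TLSContext(owner="slapd", cert=cert)
    if not run_as_root:
        initgroups(lib, user="ldap", nss_ldap_host=nss_ldap_host)
    return negotiate(server_ctx, DEFAULT_CLIENT_OFFER)


if __name__ == "__main__":
    for root, host in [(True, "B"), (False, None), (False, "B")]:
        lib = LibLdap()
        res = slapd_start_global_ctx(lib, root, host)
        print(f"root={root} ldap.conf->{host}: {res or 'handshake fails'}")
        for line in lib.trace:
            print("   ", line)
    print("private ctx, non-root, ldap.conf->B:",
          slapd_start_private_ctx(LibLdap(), False, "B"))
```

Running it reproduces the three observations from the report in the global-context variant (root works, no ldap.conf works, non-root plus a remote nss host fails because only the anonymous cipher survives) and shows that the private-context variant is immune, since the nss_ldap client still overwrites the global object but slapd no longer reads it.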