Re: fedora and openldap

[Judith Flo Gaya <jflo@imppc.org>]

Hi Harry,

On 04/13/2011 09:06 AM, harry.jede@arcor.de wrote:
> Judith Flo Gaya wrote:
> > On 4/12/11 9:44 PM, Quanah Gibson-Mount wrote:
> > > --On Tuesday, April 12, 2011 9:50 PM +0200 Judith Flo
> > > Gaya<jflo@imppc.org>
> > >
> > > wrote:
> > > > I'm using the default version of openldap for the clients :
> > > > openldap-2.4.22-7.fc14.x86_64
> > > > openldap-devel-2.4.22-7.fc14.x86_64
> > > > openldap-clients-2.4.22-7.fc14.x86_64
> What means this?
>
> Are you using these packages on Client-PCs?
a priori I was doing it, now I compiled from source the same version of 
openldap, so now both server and clients have the same openldap
> Do you also use these packages on your openldap server?
The versions on the server side were old and I was suggested to update 
to a newer version, so I compiled it.
> > > > I don't exactly know how to check the way they are compiled..
> > >
> > > Use "ldd" on the binary.  If they are compiled against MozNSS,
> > > you'll probably have better success using your own built binaries
> > > against OpenSSL.
> And don't forget: you should never never mix (openldap) packages from
> two different builds on one machine. Such a setup can work well, but it
> is for power users :-) .
Yes, my idea was to get rid of the rpm packages after installing the 
source one, but I can get rid of the openldap-$version because it has 
plenty of dependencies, so I linked to /usr/local so that libraries and 
binaries can be found by the system before the rpm ones.
One of the packages that uses these libraries is nss_pam_ldapd, maybe 
that's why now the ldapsearch is working but the authentication is not

I can't do id <user>, it complains about a TLS negotiation problem :
Apr 13 09:55:25 curri0 slapd[2025]: conn=1063 fd=39 ACCEPT from 
IP=<client_ip>:44725 (IP=0.0.0.0:636)
Apr 13 09:55:25 curri0 slapd[2025]: conn=1063 fd=39 closed (TLS 
negotiation failure)
Apr 13 09:55:25 curri0 slapd[2025]: connection_read(39): no connection!
Apr 13 09:55:25 curri0 slapd[2025]: connection_read(39): no connection!


> I  have no  experience with fedora, so I can not really help you. But in
> general, you may do it like this:
>
> 1. Check the packages meta information to find from which source package
> they are build.
> 2. Download these source packages
> 3. Downlod the developer packages which are needed to build your package
> 4. Download the openssl developer package
> 5. Change the config from moznss to openssl
> 6. Build the new packages
> 7. Test them on one or two machines
> 8. Distribute them to all your Fedora machines
The devel packages and the openssl were already installed and the make 
depend worked without problem, so I only download, configure 
(with-tls=openssl) and installed this newer version, but still it 
doesn't work ;(
I'll try to link the ldap libraries under /usr/lib64 to the new ones and 
see if I can fool the system to use mines.

I'm told that I can also manage to make the openldap rpm version that 
uses the moznss library to accept a .pem file, I thought that in this 
way it would be much easier, but now I'm no longer sure...

Thanks for your help!
j
> > This is the result
> > # ldd /usr/bin/ldapsearch
> >       linux-vdso.so.1 =>   (0x00007fff71dff000)
> >       libldap-2.4.so.2 =>  /usr/lib64/libldap-2.4.so.2
> > (0x000000303a400000) liblber-2.4.so.2 =>  /usr/lib64/liblber-2.4.so.2
> > (0x000000303ac00000) libsasl2.so.2 =>  /usr/lib64/libsasl2.so.2
> > (0x0000003038000000) libcrypt.so.1 =>  /lib64/libcrypt.so.1
> > (0x0000003033a00000) libresolv.so.2 =>  /lib64/libresolv.so.2
>
> > (0x0000003023a00000) libssl3.so =>  /usr/lib64/libssl3.so
> May be this is a mozilla ssl library.
>
> an openssl library looks so:
> 	libssl.so.0.9.8 =>  /usr/lib/libssl.so.0.9.8 (0x00007f48c1dc4000)
>
> this is a gnutls library:
> 	libgnutls.so.26 =>  /usr/lib/libgnutls.so.26 (0x00007f6a525ce000)
>
> > (0x0000003036a00000) libsmime3.so =>  /usr/lib64/libsmime3.so
> > (0x0000003036e00000) libnss3.so =>  /usr/lib64/libnss3.so
> > (0x0000003035200000) libnssutil3.so =>  /usr/lib64/libnssutil3.so
> > (0x0000003036200000) libplds4.so =>  /lib64/libplds4.so
> > (0x0000003035a00000)
> >       libplc4.so =>  /lib64/libplc4.so (0x0000003034e00000)
> >       libnspr4.so =>  /lib64/libnspr4.so (0x0000003035e00000)
> >       libc.so.6 =>  /lib64/libc.so.6 (0x0000003021a00000)
> >       libdl.so.2 =>  /lib64/libdl.so.2 (0x0000003022200000)
> >       libfreebl3.so =>  /lib64/libfreebl3.so (0x0000003033e00000)
> >       libpthread.so.0 =>  /lib64/libpthread.so.0 (0x0000003022600000)
> >       libz.so.1 =>  /lib64/libz.so.1 (0x0000003023200000)
> >       /lib64/ld-linux-x86-64.so.2 (0x0000003021200000)
> >
> > As I see libssl3.so... I would say that openssl is used...
> > # rpm -qf /usr/lib64/libnss3.so
> > nss-3.12.7-6.fc14.x86_64
> > # rpm -qf /usr/lib64/libnssutil3.so
> > nss-util-3.12.7-2.fc14.x86_64
> >
> > j
> >
> > > --Quanah
> > >
> > >
> > > --
> > >
> > > Quanah Gibson-Mount
> > > Sr. Member of Technical Staff
> > > Zimbra, Inc
> > > A Division of VMware, Inc.
> > > --------------------
> > > Zimbra ::  the leader in open source messaging and collaboration

--
Judith Flo Gaya
Systems Administrator IMPPC
e-mail: jflo@imppc.org
Tel (+34) 93 554-3079
Fax (+34) 93 465-1472

Institut de Medicina Predictiva i Personalitzada del Càncer
Crta Can Ruti, Camí de les Escoles s/n
08916 Badalona, Barcelona,
Spain
http://www.imppc.org