
Login takes more time (LDAP)



Hi,
I am using openldap-2.4.26 on one machine, and pam_ldap-186 and nss_ldap-265 on another machine, both machines running Fedora-10.

I am trying to set up secure communication using TLS/SSL. When I connect to the LDAP client machine using SSH, the shell prompt is returned only 3 or 4 minutes after authentication succeeds. I don't know why it is taking so much time. This happens for users that are present only in the LDAP database, i.e. users that are not created on the client machine.

At the server side I am getting the following errors.

TLS: can't accept: (unknown).
connection_read(18): TLS accept failure error=-1 id=1068, closing
connection_closing: readying conn=1068 sd=18 for close
connection_close: conn=1068 sd=18
daemon: removing 18
conn=1068 fd=18 closed (TLS negotiation failure)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL

I have created the CA certificate with the CA.sh script, following the procedure given at the link below.
http://octaldream.com/~scottm/talks/ssl/opensslca.html

I copied the same cacert.pem file from the server to the client machine after running the above procedure on the server machine.

The configuration files are as follows.
slapd.conf

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema

TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile    /etc/pki/CA/cacert.pem
TLSCertificateFile      /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile   /etc/pki/tls/misc/newkey.pem
TLSVerifyClient         allow

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

access to attrs=userPassword
 by self       write
 by anonymous  auth
 by *          none
 
access to *
 by *         read
#######################################################################
# BDB database definitions
#######################################################################
 
database        bdb
suffix          "dc=samsung,dc=com"
rootdn          "cn=Manager,dc=samsung,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          123qwe
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
#unique id so equality match only
index   uid     eq
index   userPassword    eq
#allows general searching on commonname,givenname and mail
index   cn,gn,sn,ou,o,mail eq,sub
index   objectClass     eq



and ldap.conf has the following configuration

base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile  /etc/pki/CA/cacert.pem
pam_password md5
nss_map_attribute gecos description


Please let me know where I am making a mistake and how to fix this problem.

Warm Regards
Vijay S.
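Added example (not part of the post above, and not OpenLDAP's own tooling): a small offline triage script that parses the slapd log excerpt, the client ldap.conf and the TLS-related slapd.conf directives quoted in the post, and reports the things a reviewer would check first. "TLS negotiation failure" in slapd's log means the peer gave up during the handshake, which is what a client does when it cannot verify the server certificate, so the script also carries the hostname check a client applies to the certificate CN. The post does not include the server certificate, so the CN is a parameter (read it with `openssl x509 -noout -subject -in newcert.pem`); the sample log and config text are copied from the post, and the `cert_cn` values in the usage are placeholders.

```python
"""Offline triage of the symptoms in the post: parse the slapd log excerpt,
the client ldap.conf and the TLS section of slapd.conf, and list what to
check first.  All sample input below is constructed from the post."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Log lines quoted in the post (server side).
SLAPD_LOG = """\
TLS: can't accept: (unknown).
connection_read(18): TLS accept failure error=-1 id=1068, closing
connection_closing: readying conn=1068 sd=18 for close
connection_close: conn=1068 sd=18
daemon: removing 18
conn=1068 fd=18 closed (TLS negotiation failure)
"""
# Client ldap.conf as quoted in the post.
LDAP_CONF = """\
base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile  /etc/pki/CA/cacert.pem
pam_password md5
"""
# The slapd.conf directives relevant to this problem, as quoted in the post.
SLAPD_CONF = """\
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile    /etc/pki/CA/cacert.pem
TLSVerifyClient         allow
rootpw          123qwe
"""

def parse_conf(text):
    """slapd.conf / ldap.conf style: one 'directive value...' per line, '#' starts
    a comment.  Keys are lower-cased (slapd directives are case-insensitive)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

CLOSE_RE = re.compile(r"conn=(\d+) fd=\d+ closed \((.+)\)")

def closed_reasons(log):
    """Count the reason slapd gave for each closed connection."""
    return Counter(m.group(2) for m in CLOSE_RE.finditer(log))

def uri_host(uri):
    """(scheme, host) of the first URI in an ldap.conf 'uri' value."""
    parts = urlsplit(uri.split()[0])
    return parts.scheme, parts.hostname

def name_matches(host, cert_cn):
    """The hostname check a client applies to the server certificate: exact
    case-insensitive match, or one leading '*.' wildcard label."""
    host, cn = host.lower(), cert_cn.lower()
    if cn.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == cn[2:]
    return host == cn

def triage(log, ldap_conf, slapd_conf, cert_cn=None):
    """Return a list of findings; cert_cn is the server certificate's CN."""
    findings = []
    n = closed_reasons(log).get("TLS negotiation failure", 0)
    if n:
        findings.append(f"{n} connection(s) closed during the TLS handshake; slapd "
                        "only records the abort, the cause is on the client side")
    client, server = parse_conf(ldap_conf), parse_conf(slapd_conf)
    scheme, host = uri_host(client["uri"])
    if host in ("localhost", "localhost.localdomain", "127.0.0.1"):
        findings.append(f"uri host {host!r} names the local machine; a client on "
                        "another host never reaches the server with this uri")
    if cert_cn is not None and not name_matches(host, cert_cn):
        findings.append(f"certificate CN {cert_cn!r} does not match uri host "
                        f"{host!r}; a verifying client aborts the handshake")
    suites = server.get("tlsciphersuite", "")
    if "+SSLv2" in suites or "+SSLv3" in suites:
        findings.append("TLSCipherSuite re-enables SSLv2/SSLv3 cipher suites")
    if "rootpw" in server and not server["rootpw"].startswith("{"):
        findings.append("rootpw is stored in cleartext; use a slappasswd hash")
    return findings

if __name__ == "__main__":
    # "ldap.example.test" is a placeholder CN, not a value from the post.
    for finding in triage(SLAPD_LOG, LDAP_CONF, SLAPD_CONF, cert_cn="ldap.example.test"):
        print("-", finding)
```

The script deliberately does not touch the network: it is meant to be run on a copy of the log and configs. The one thing it cannot decide offline is the certificate side, which is why the CN is passed in; once the uri host and the CN agree and the client trusts the CA file, the server-side "TLS negotiation failure" lines are the first thing to re-check.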

