Full_Name: Harald Klein
Version: 2.1.22
OS: SuSE 9p
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.17.243.2)

On Wed, Apr 21, 2004 at 08:53:15AM +0000, Harald Klein wrote:
> I have 2 ldap servers, A and B.
> Whenever I configure pam/nss to use host B in host A's /etc/ldap.conf, the
> slapd daemon on A won't accept TLS when _NOT_ running as root.
>
> When I point to A from A, it works.
> When I move /etc/ldap.conf away, it works.
> When I run as root, it works.
>
> Any ideas?

I discovered the same bug some days ago. The reason is the simultaneous use of libldap as client (by libnss_ldap) and as server (by slapd itself) while using global TLS contexts.

When slapd is started as a non-root user, it first initializes the TLS stuff. Some steps later it does an initgroups() for the selected user. This initgroups() call triggers libnss_ldap, which initializes TLS again (usually not using a certificate!) and instantiates the global TLS context while connecting to host B using TLS. Later, when accepting an incoming TLS connection using the same global TLS context (now without a server certificate configured in!), slapd has no non-anonymous ciphers available ...

When starting slapd as root, no initgroups() is done and consequently no ldap client connection pollutes the TLS context.

The solution would be to use per-connection TLS contexts (or at least to allow doing so ...).

(BTW, I've tested version 2.1.29 and haven't checked if this bug has been fixed in HEAD or so.)

Enrik
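The failure mode Enrik describes above, modelled as an added example that is not code from the OpenLDAP project or from anyone in this thread. It uses Go's crypto/tls rather than libldap/OpenSSL: `globalTLS`, `slapdInitTLS` and `nssLdapClientInit` are hypothetical stand-ins for libldap's process-wide TLS context, slapd's start-up and the client initialization that initgroups() triggers via libnss_ldap; the host names ldap-a.example and ldap-b.example are made up, and the server certificate is a self-signed one generated at run time so the program works offline over a loopback socket. One caveat: Go's TLS stack has no anonymous cipher suites, so a server context that has lost its certificate fails the handshake outright instead of negotiating an anonymous Diffie-Hellman suite as the 2004 OpenSSL-based libldap would; the structural point (one mutable global context shared by the server role and a client role in the same process) is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// globalTLS is a hypothetical stand-in for libldap's single process-wide TLS
// context that slapd (server role) and libnss_ldap (client role) both use.
var globalTLS *tls.Config

// selfSignedCert generates a throw-away server certificate (constructed at run
// time so the example works offline) and a pool that trusts it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ldap-a.example"},
		DNSNames:              []string{"ldap-a.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// slapdInitTLS models the server's start-up: its certificate goes into the
// shared global context.
func slapdInitTLS(cert tls.Certificate) {
	globalTLS = &tls.Config{Certificates: []tls.Certificate{cert}}
}

// nssLdapClientInit models what initgroups() triggers when /etc/ldap.conf points
// at host B: libnss_ldap re-initializes the *same* global context for an
// outgoing client connection, and a client context carries no server certificate.
func nssLdapClientInit() {
	globalTLS = &tls.Config{ServerName: "ldap-b.example", InsecureSkipVerify: true}
}

// handshake performs one TLS handshake over a loopback TCP socket: a client that
// trusts roots connects to a server running with serverCfg. The server-side
// error is reported first because that is where the missing certificate shows up.
func handshake(serverCfg *tls.Config, roots *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		srvErr <- tls.Server(conn, serverCfg).Handshake()
	}()

	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return err
	}
	defer raw.Close()
	cliErr := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: "ldap-a.example"}).Handshake()
	if err := <-srvErr; err != nil {
		return fmt.Errorf("server: %w", err)
	}
	if cliErr != nil {
		return fmt.Errorf("client: %w", cliErr)
	}
	return nil
}

// withSharedGlobalContext reproduces the report: the server loads its
// certificate, initgroups() makes the client library re-initialize the same
// global context, and the next incoming connection is served without a certificate.
func withSharedGlobalContext(cert tls.Certificate, roots *x509.CertPool) error {
	slapdInitTLS(cert)
	nssLdapClientInit()
	return handshake(globalTLS, roots)
}

// withPerRoleContexts is the fix the thread asks for: the server keeps a context
// of its own, so whatever the client library does to the global one cannot
// strip the server's certificate.
func withPerRoleContexts(cert tls.Certificate, roots *x509.CertPool) error {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	nssLdapClientInit() // still clobbers globalTLS, which the server no longer uses
	return handshake(serverCfg, roots)
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("shared global context:", withSharedGlobalContext(cert, roots))
	fmt.Println("per-role contexts:    ", withPerRoleContexts(cert, roots))
}
```

Run it and the first line reports a server-side handshake error (the server has no certificate to present) while the second completes cleanly; that is the "works as root, fails as non-root" symptom reduced to the one difference that matters, namely whether anything else in the process re-initialized the context the listener uses.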
changed notes moved from Incoming to Software Bugs
changed notes changed state Open to Test
A fix for this has been committed to HEAD and OPENLDAP_REL_ENG_2_2 cvs branches. Please test.
changed notes changed state Test to Release
changed notes
Dear Mr. Zeilenga,

I will start my tests now. I have another question: what's the chance to get a backport to 2.1.x?

Regards,
Harald Klein

Best regards
Harald Klein - Systems Engineer
Computacenter GmbH
Tel.: +43-316-2547-15
Fax.: +43-316-2547-44
Homepage: http://www.computacenter.at
MailTo:Harald.Klein@computacenter.com

This email is confidential. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this mail in error, please tell us immediately by return email and delete the document.

-----Original Message-----
From: Kurt Zeilenga [mailto:openldap-its@OpenLDAP.org]
Sent: Friday, 30 April 2004 02:38
To: Klein Harald
Subject: Re: TLS only working as root when used together with pam/nss_ldap (ITS#3109)

A fix for this has been committed to HEAD and OPENLDAP_REL_ENG_2_2 cvs branches. Please test.
changed notes changed state Release to Closed
moved from Software Bugs to Archive.Software Bugs
see -devel discussions; fixed in HEAD/re22