Re: TLS only working as root when used together with pam/nss_ldap
On Wed, Apr 21, 2004 at 08:53:15AM +0000, Harald Klein wrote:
> I have 2 ldap servers, A and B.
> Whenever I configure pam/nss to use host B in host A's /etc/ldap.conf, the
> slapd daemon on A won't accept TLS when _NOT_ running as root.
> When I point to A from A, it works.
> When I move /etc/ldap.conf away, it works.
> When I run as root, it works.
> Any ideas?
I've discovered the same bug some days ago. The reason is the
simultaneous use of libldap as client (by libnss_ldap) and as server
(by slapd itself) while using global TLS contexts.
When slapd is started as non-root user, it first initializes the TLS
stuff. Some steps later it does an initgroups() for the selected user.
This initgroups() call triggers libnss_ldap, which initializes TLS again
(usually not using a certificate!) and instantiates the global TLS
context while connecting to host B using TLS.
Later, when accepting an incoming TLS connection using the same global
TLS context (now without a server certificate configured in!), slapd has
no non-anonymous ciphers available ...
When starting slapd as root, no initgroups is done and consequently no
ldap client connection pollutes the TLS context.
The solution would be to use per-connection TLS contexts (or at least to
allow to do so ...).
(BTW, I've tested version 2.1.29 and haven't checked if this bug has
been fixed in HEAD or so.)
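As an added illustration of the ordering problem described in this thread (this is not OpenLDAP code; the context struct, certificate path and function names are a hypothetical model), the following C program contrasts one process-wide TLS context, reinitialised by the nss_ldap client path during initgroups(), with a listener that keeps its own per-connection context:

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the behaviour described above: one process-wide TLS
 * context shared by the slapd listener and the libnss_ldap client.
 * Not OpenLDAP code; all names here are hypothetical. */
struct tls_ctx { const char *cert_file; };
static struct tls_ctx global_ctx;   /* the single shared context */

/* (Re)initialise the global context; a NULL cert models the nss_ldap
 * client path, which normally configures no certificate. */
static void tls_init_global(const char *cert_file) {
    global_ctx.cert_file = cert_file;
}

/* Models libnss_ldap opening a TLS connection to host B from inside
 * initgroups(): it reinitialises the same global context. */
static void nss_ldap_lookup(void) { tls_init_global(NULL); }

/* slapd can only offer non-anonymous cipher suites if the context it
 * accepts with still carries the server certificate. */
static bool ctx_has_server_cert(const struct tls_ctx *c) {
    return c->cert_file != NULL;
}

/* Shared-global-context startup: returns whether incoming TLS works. */
static bool slapd_start_shared(bool run_as_root) {
    tls_init_global("/etc/openldap/server.pem");  /* placeholder path */
    if (!run_as_root)
        nss_ldap_lookup();          /* initgroups() -> nss_ldap -> TLS */
    return ctx_has_server_cert(&global_ctx);
}

/* Per-connection contexts: the listener keeps its own context, so the
 * client-side initialisation cannot clobber it. */
static bool slapd_start_per_conn(bool run_as_root) {
    struct tls_ctx listener_ctx = { "/etc/openldap/server.pem" };
    if (!run_as_root)
        nss_ldap_lookup();          /* only touches global_ctx */
    return ctx_has_server_cert(&listener_ctx);
}

int main(void) {
    printf("shared, root:       %s\n", slapd_start_shared(true) ? "TLS ok" : "anonymous only");
    printf("shared, non-root:   %s\n", slapd_start_shared(false) ? "TLS ok" : "anonymous only");
    printf("per-conn, non-root: %s\n", slapd_start_per_conn(false) ? "TLS ok" : "anonymous only");
    return 0;
}
```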