nss_ldap / SSL problem
I'm using OpenLDAP to do authentication on a number of Linux and Solaris machines.  I've set everything up to work without SSL, and I'm having trouble getting SSL properly working.  It seems that nss requests to the LDAP server are not properly completed.

Here is the client ldap.conf, minus comments etc.:

uri ldaps://our_ldap_server/
base dc=our,dc=domain
ldap_version 3
rootbinddn cn=Manager,dc=our,dc=domain
ssl yes
sslpath /root/.netscape/cert7.db

Everything works fine if "ldaps" is changed to "ldap" and the last two lines are commented out.  Also, ldapsearch -H 'ldaps://our_ldap_server/' -x works fine with SSL.  We're using openldap-2.0.11, pam_ldap v. 119, and nss_ldap v. 160.  Both of the latter were configured with --enable-ssl and --with-ldap-lib=openldap.

If I run slapd with -d 1, the following is the output generated by doing 'id foo' on a client machine (foo is a user in the LDAP database):

connection_get(8): got connid=0
connection_read(8): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=8 for close
connection_close: conn=0 sd=8
TLS trace: SSL3 alert write:warning:close notify

It seems that nss_ldap gets through the initial SSL handshaking OK, then closes the socket.  I am at a loss to figure out why; any suggestions would be greatly appreciated.
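A small classifier for the slapd -d 1 trace quoted above, added here as an example and not part of the original thread. It walks the trace once and reports whether the TLS handshake completed and whether the client sent any LDAP request before its close_notify, which separates this symptom (handshake fine, no PDU, client closes) from a genuine handshake failure. The sample trace is a constructed, abbreviated copy of the one in the post; the do_bind/do_search markers are assumed to be the operation lines slapd prints at this debug level.

```python
import re

# Constructed sample: abbreviated from the slapd -d 1 trace in the post.
SAMPLE_TRACE = """\
connection_get(8): got connid=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=0, closing.
connection_close: conn=0 sd=8
"""

HANDSHAKE_DONE = "SSL_accept:SSLv3 write finished A"   # server sent its Finished
CLIENT_CLOSE = "SSL3 alert read:warning:close notify"   # client sent close_notify
# Assumed: slapd prints do_<op> once it has decoded a request PDU at -d 1.
LDAP_OP = re.compile(r"^do_(bind|search|modify|add|delete|compare|unbind|extended)")
CONN_CLOSE = re.compile(r"^connection_close: conn=(\d+) sd=(\d+)")

def classify_tls_session(trace):
    """Summarise one connection's TLS trace.

    verdict: ok                 at least one LDAP operation was decoded
             handshake_failed   client went away before the server's Finished
             closed_no_request  handshake completed, client sent close_notify
                                without ever sending an LDAP PDU (the post's case)
             incomplete         trace ends before any of the above is decided
    """
    handshake_done, client_closed, ops, conn = False, False, [], None
    for line in trace.splitlines():
        line = line.strip()
        if HANDSHAKE_DONE in line:
            handshake_done = True
        elif CLIENT_CLOSE in line:
            client_closed = True
        elif LDAP_OP.match(line):
            ops.append(line.split()[0])
        m = CONN_CLOSE.match(line)
        if m:
            conn = int(m.group(1))
    if ops:
        verdict = "ok"
    elif not handshake_done:
        verdict = "handshake_failed"
    elif client_closed:
        verdict = "closed_no_request"
    else:
        verdict = "incomplete"
    return {"conn": conn, "handshake_done": handshake_done,
            "client_closed": client_closed, "ops": ops, "verdict": verdict}
```

The transient "error in SSLv3 read client certificate A" lines are not counted as a failure here, since the same trace goes on to write Finished; only the absence of any decoded operation before close_notify drives the verdict.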