[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
pam_ldap: ldap_set_option(LDAP_OPT_X_TLS) Unknown error
Hi,
A recent upgrade of OpenLDAP 2.0.21 from 2.0.11 appears to break
pam_ldap authentication with this error in the system log:
Feb 4 13:41:49 breton sshd[1090]: pam_ldap:
ldap_set_option(LDAP_OPT_X_TLS) Unknown error
This of course breaks pam_ldap authentication and the system
then refuses any user with a posixAccount to log in my Red Hat
box. Strangely, other aspects of NSS and LDAP work fine
including: getent passwd, group, shadow, ldapsearch -H
ldaps://<hostname> and ldapsearch -ZZ.
There is nothing in the ldap log that indicates any problem for
any of these operations. Only pam_ldap fails with the above
error, without any other indication in the system or ldap log
files.
I couldn't find any relevant articles about this in the mail
list archives or faq.
I use nss_ldap-149-4 with SSL (not TLS), with the following
/etc/ldap.conf
host breton.catfish.net.au:636
base dc=catfish,dc=net,dc=au
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute uniquemember
pam_password md5
nss_base_passwd ou=People,dc=catfish,dc=net,dc=au?one
nss_base_shadow ou=People,dc=catfish,dc=net,dc=au?one
nss_base_group ou=Group,dc=catfish,dc=net,dc=au?one
ssl yes
sslpath /usr/share/ssl/certs
Note all this works fine with openldap-2.0.11, it only breaks
with 2.0.21. My /etc/openldap/slapd.conf remains the unchanged
after the upgrade.
Disabling SSL enables the authentication to work, as does
enabling the 'start_tls' option.
Has anyone seen this broken behaviour? I am happy to use
start_tls but am just curious to see what causes this with
openldap-2.0.21?
Thanks for any pointers,
David.