Hello, all. I have installed OpenLDAP 2.1.22, pam_ldap 161, and nss_ldap
211 on a Gentoo GNU/Linux system. I have enabled debugging on all of those
packages. I have configured the directory and pam/nss modules, and
imported my base and groups ldif file, and rebooted the system just to
make sure everything is seen correctly. Warning: lots of configuration
file excerpts are included, from long experience with help forums; I hope
everyone doesn't mind. Thanks in advance for this.
But, when I run 'getent group' to test my LDAP directory, I see only the
groups from '/etc/group' immediately followed by the below debug output
where the groups from the LDAP directory should be:
--------------------
nss_ldap: ==> _nss_ldap_ent_context_init
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_ent_context_init
nss_ldap: ==> _nss_ldap_getent
nss_ldap: ==> _nss_ldap_ent_context_init
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_ent_context_init
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_open
nss_ldap: ==> do_close_no_unbind
nss_ldap: <== do_close_no_unbind (connection was not open)
nss_ldap: ==> ldap_initialize
nss_ldap: <== ldap_initialize
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== do_open
nss_ldap: <== _nss_ldap_search
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getent
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
--------------------
When I log in as root over SSH (I have not set up any posixAccount logins
in LDAP yet, I have just been testing with groups; also, root is not in the
LDAP directory, it's still a '/etc/passwd' account, as I intend to keep it),
I get the following debug output in the terminal (I am able to log in, it
just gives this debug before giving the prompt):
---------------------
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> do_open
nss_ldap: ==> do_close_no_unbind
nss_ldap: <== do_close_no_unbind (connection was not open)
nss_ldap: ==> ldap_initialize
nss_ldap: <== ldap_initialize
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== do_open
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
--------------------
When I try to do an 'ldapsearch -d -1 -b dc=theoretic,dc=com' command from
the SSH root login, I get the following debug output (this is just the last
screen, there is a lot more before this, but I think this contains the
relevant part):
--------------------
0000: 0b 00 03 53 00 03 50 00 03 4d 30 82 03 49 30 82  ...S..P..M0..I0.
0010: 02 b2 a0 03 02 01 02 02 01 00 30 0d 06 09 2a 86  ..........0...*.
0020: 48 86 f7 0d 01 01 04 05 00 30 7c 31 0b 30 09 06  H........0|1.0..
0030: 03 55 04 06 13 02 55 53 31 10 30 0e 06 03 55 04  .U....US1.0...U.
0040: 08 13 07 46 6c 6f 72 69 64 61 31 1c 30 1a 06 03  ...Florida1.0...
0050: 55 04 0a 13 13 54 68 65 6f 72 65 74 69 63 20 53  U....Theoretic S
0060: 6f 6c 75 74 69 6f 6e 73 31 1a 30 18 06 03 55 04  olutions1.0...U.
0070: 03 13 11 6e 65 77 2e 74 68 65 6f 72 65 74 69 63  ...new.theoretic
0080: 2e 63 6f 6d 31 21 30 1f 06 09 2a 86 48 86 f7 0d  .com1!0...*.H...
0090: 01 09 01 16 12 72 6f 6f 74 40 74 68 65 6f 72 65  .....root@theore
00a0: 74 69 63 2e 63 6f 6d 30 1e 17 0d 30 33 30 39 30  tic.com0...03090
00b0: 35 30 32 32 38 32 32 5a 17 0d 31 33 30 39 30 32  5022822Z..130902
00c0: 30 32 32 38 32 32 5a 30 7c 31 0b 30 09 06 03 55  022822Z0|1.0...U
00d0: 04 06 13 02 55 53 31 10 30 0e 06 03 55 04 08 13  ....US1.0...U...
00e0: 07 46 6c 6f 72 69 64 61 31 1c 30 1a 06 03 55 04  .Florida1.0...U.
00f0: 0a 13 13 54 68 65 6f 72 65 74 69 63 20 53 6f 6c  ...Theoretic Sol
0100: 75 74 69 6f 6e 73 31 1a 30 18 06 03 55 04 03 13  utions1.0...U...
0110: 11 6e 65 77 2e 74 68 65 6f 72 65 74 69 63 2e 63  .new.theoretic.c
0120: 6f 6d 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09  om1!0...*.H.....
0130: 01 16 12 72 6f 6f 74 40 74 68 65 6f 72 65 74 69  ...root@theoreti
0140: 63 2e 63 6f 6d 30 81 9f 30 0d 06 09 2a 86 48 86  c.com0..0...*.H.
0150: f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81  ...........0....
0160: 81 00 d5 48 0d cc 40 98 30 d2 f4 d6 03 a0 72 71  ...H..@.0.....rq
0170: 1c 52 38 85 b1 4f f5 00 3c a6 16 c5 5a 86 0c b8  .R8..O..<...Z...
0180: 87 cc 4d 90 6c 53 8c bc 06 a2 05 bc 30 d1 0c 90  ..M.lS......0...
0190: 89 7d 8e c6 6d 7e 48 f5 03 35 81 8f 6a cd d5 32  .}..m~H..5..j..2
01a0: 46 95 69 4f 59 4c 20 0b e1 cf 4f d9 dc 11 37 38  F.iOYL ...O...78
01b0: 97 ce 42 9b 26 3b 66 da 3f 7b c6 ef 01 e6 01 76  ..B.&;f.?{.....v
01c0: 25 bc 3b c4 06 2a 98 44 f5 b3 11 dd e3 f1 33 e5  %.;..*.D......3.
01d0: 10 e5 76 3e ce 03 1c 14 88 17 a8 00 f1 ea 17 45  ..v>...........E
01e0: ef 5f 02 03 01 00 01 a3 81 da 30 81 d7 30 1d 06  ._........0..0..
01f0: 03 55 1d 0e 04 16 04 14 46 4f 74 83 4f 6a cc 86  .U......FOt.Oj..
0200: 34 e9 88 e0 41 60 0b 30 f4 55 22 fc 30 81 a7 06  4...A`.0.U".0...
0210: 03 55 1d 23 04 81 9f 30 81 9c 80 14 46 4f 74 83  .U.#...0....FOt.
0220: 4f 6a cc 86 34 e9 88 e0 41 60 0b 30 f4 55 22 fc  Oj..4...A`.0.U".
0230: a1 81 80 a4 7e 30 7c 31 0b 30 09 06 03 55 04 06  ....~0|1.0...U..
0240: 13 02 55 53 31 10 30 0e 06 03 55 04 08 13 07 46  ..US1.0...U....F
0250: 6c 6f 72 69 64 61 31 1c 30 1a 06 03 55 04 0a 13  lorida1.0...U...
0260: 13 54 68 65 6f 72 65 74 69 63 20 53 6f 6c 75 74  .Theoretic Solut
0270: 69 6f 6e 73 31 1a 30 18 06 03 55 04 03 13 11 6e  ions1.0...U....n
0280: 65 77 2e 74 68 65 6f 72 65 74 69 63 2e 63 6f 6d  ew.theoretic.com
0290: 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16  1!0...*.H.......
02a0: 12 72 6f 6f 74 40 74 68 65 6f 72 65 74 69 63 2e  .root@theoretic.
02b0: 63 6f 6d 82 01 00 30 0c 06 03 55 1d 13 04 05 30  com...0...U....0
02c0: 03 01 01 ff 30 0d 06 09 2a 86 48 86 f7 0d 01 01  ....0...*.H.....
02d0: 04 05 00 03 81 81 00 39 75 00 9e 79 83 01 fd ac  .......9u..y....
02e0: 7a 48 fb f2 39 c0 e8 7b b1 5e 37 05 98 2a 2f fb  zH..9..{.^7..*/.
02f0: 2f 09 6c 03 d0 2a 88 bd 50 04 01 3f 39 21 fe 7f  /.l..*..P..?9!..
0300: 6f 59 a5 fb fa 05 59 b0 68 0a a7 ff 5b bf 5e 26  oY....Y.h...[.^&
0310: 2a ce 36 14 8a 38 24 b9 17 57 ed 2d 20 db 08 1e  *.6..8$..W.- ...
0320: f3 b7 20 f0 9b 98 22 b7 1f cc a4 4c 70 42 6c 89  .. ..."....LpBl.
0330: 9c 62 24 19 07 15 55 18 5a 91 e4 2d ea 4f 81 97  .b$...U.Z..-.O..
0340: 62 cd 6e 12 bf 28 09 ba 78 a0 ec 47 e0 ea b3 9c  b.n..(..x..G....
0350: 4c d4 eb 32 b3 3a 9c                             L..2.:.
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=Florida/O=Theoretic Solutions/CN=new.theoretic.com/Email=root@theoretic.com, issuer: /C=US/ST=Florida/O=Theoretic Solutions/CN=new.theoretic.com/Email=root@theoretic.com
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--------------------
It seems to my untrained eye that the OpenLDAP client is rejecting the SSL
certificate because it is self-signed. I have read up on this, and changed
some parameters, but it still seems to be acting this way. Here are my
configuration files:
/etc/openldap/slapd.conf:
--------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCertificateFile /site/theoretic/ssl/key.pem
TLSCertificateKeyFile /site/theoretic/ssl/key.pem
TLSCACertificateFile /site/theoretic/ssl/key.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW
TLSVerifyClient never
database ldbm
suffix "dc=theoretic,dc=com"
rootdn **********
rootpw **********
directory /site/theoretic/ldap
index objectClass,uid,uidNumber,gidNumber eq
index cn,surname,givenname eq,subinitial
# The access-control for this directory.
# Set control on the userPassword attribute.
access to dn=".*,ou=Persons,dc=theoretic,dc=com"
attrs=userPassword
by self write
by * auth
by dn="cn=root,dc=theoretic,dc=com" write
# Simple control granting read access to the world
access to *
by * read
--------------------
/etc/openldap/ldap.conf:
--------------------
BASE dc=theoretic,dc=com
URI ldaps://new.theoretic.com:636/
--------------------
/etc/ldap.conf:
--------------------
# host new.theoretic.com
base dc=theoretic,dc=com
uri ldaps:/// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock
ldap_version 3
port 636
scope one
timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
pam_password clear
nss_base_passwd ou=Persons,dc=theoretic,dc=com?one
nss_base_shadow ou=Persons,dc=theoretic,dc=com?one
nss_base_group ou=Groups,dc=theoretic,dc=com?one
ssl start_tls
ssl on
TLS_REQCERT never
--------------------
/etc/nsswitch.conf:
--------------------
passwd: files ldap
shadow: files ldap
group: files ldap
--------------------
/etc/pam.d/system-auth:
--------------------
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session optional /lib/security/pam_ldap.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
--------------------
/etc/conf.d/slapd:
--------------------
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
--------------------
I'm hoping this level of detail can help someone help me; I'm becoming
very perplexed and frustrated by trying to solve this on my own.
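The `-d -1` dump in the post is the raw TLS Certificate handshake message, and the line after it ("depth: 0, err: 18 ... self signed certificate") is OpenSSL's verdict on it. The following script is an added example, not code from the post or from OpenLDAP: it re-types the first 0x150 bytes of that dump as a constructed input (enough to reach the end of the subject name; the public key, extensions and signature are left out and never read), walks the handshake header and the DER `tbsCertificate`, and reports what a reader would otherwise have to pick out of the hex by eye: serial, signature algorithm, validity window, and whether issuer equals subject. The OID short-name table (including OpenSSL 0.9.x's `Email` spelling) and the signature-algorithm table are my own assumptions. Call `analyze(DUMP)` to get the result as a dict.

```python
"""Decode the TLS Certificate handshake message from an `ldapsearch -d -1` dump and
explain OpenSSL's "err: 18": the depth-0 certificate's issuer is itself."""
from datetime import datetime, timezone

# Constructed input, re-typed from the post's dump (ASCII column dropped).  Only the first
# 0x150 bytes are kept, which reaches the end of the subject name; nothing later is read.
DUMP = """\
0000: 0b 00 03 53 00 03 50 00 03 4d 30 82 03 49 30 82
0010: 02 b2 a0 03 02 01 02 02 01 00 30 0d 06 09 2a 86
0020: 48 86 f7 0d 01 01 04 05 00 30 7c 31 0b 30 09 06
0030: 03 55 04 06 13 02 55 53 31 10 30 0e 06 03 55 04
0040: 08 13 07 46 6c 6f 72 69 64 61 31 1c 30 1a 06 03
0050: 55 04 0a 13 13 54 68 65 6f 72 65 74 69 63 20 53
0060: 6f 6c 75 74 69 6f 6e 73 31 1a 30 18 06 03 55 04
0070: 03 13 11 6e 65 77 2e 74 68 65 6f 72 65 74 69 63
0080: 2e 63 6f 6d 31 21 30 1f 06 09 2a 86 48 86 f7 0d
0090: 01 09 01 16 12 72 6f 6f 74 40 74 68 65 6f 72 65
00a0: 74 69 63 2e 63 6f 6d 30 1e 17 0d 30 33 30 39 30
00b0: 35 30 32 32 38 32 32 5a 17 0d 31 33 30 39 30 32
00c0: 30 32 32 38 32 32 5a 30 7c 31 0b 30 09 06 03 55
00d0: 04 06 13 02 55 53 31 10 30 0e 06 03 55 04 08 13
00e0: 07 46 6c 6f 72 69 64 61 31 1c 30 1a 06 03 55 04
00f0: 0a 13 13 54 68 65 6f 72 65 74 69 63 20 53 6f 6c
0100: 75 74 69 6f 6e 73 31 1a 30 18 06 03 55 04 03 13
0110: 11 6e 65 77 2e 74 68 65 6f 72 65 74 69 63 2e 63
0120: 6f 6d 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09
0130: 01 16 12 72 6f 6f 74 40 74 68 65 6f 72 65 74 69
0140: 63 2e 63 6f 6d 30 81 9f 30 0d 06 09 2a 86 48 86
"""

# Assumed lookup tables; "Email" is the OpenSSL 0.9.x one-line DN spelling seen in the dump.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.3": "CN",
             "1.2.840.113549.1.9.1": "Email"}
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def dump_to_bytes(dump):
    """Turn 'OFFS: hh hh ...' lines back into bytes."""
    return b"".join(bytes.fromhex(l.split(":", 1)[1].replace(" ", ""))
                    for l in dump.splitlines() if ":" in l)

def tlv(buf, pos):
    """Read a DER tag and short- or long-form length; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def decode_oid(raw):
    """Dotted OID from DER content bytes (first byte packs two arcs, rest are base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(buf, pos):
    """Name ::= SEQUENCE OF SET OF { OID, value }; return OpenSSL one-line DN and end offset."""
    _, p, end = tlv(buf, pos)
    parts = []
    while p < end:
        _, set_start, p = tlv(buf, p)                 # SET; p now points past it
        _, atv, _ = tlv(buf, set_start)               # AttributeTypeAndValue SEQUENCE
        _, oid_s, oid_e = tlv(buf, atv)               # OBJECT IDENTIFIER
        _, val_s, val_e = tlv(buf, oid_e)             # PrintableString / IA5String
        oid = decode_oid(buf[oid_s:oid_e])
        parts.append(f"{OID_NAMES.get(oid, oid)}={buf[val_s:val_e].decode('ascii')}")
    return "/" + "/".join(parts), end

def parse_utctime(buf, pos):
    _, s, e = tlv(buf, pos)                           # UTCTime 'YYMMDDhhmmssZ'
    return datetime.strptime(buf[s:e].decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc), e

def analyze(dump):
    """Walk the handshake header and tbsCertificate up to the subject name."""
    buf = dump_to_bytes(dump)
    assert buf[0] == 0x0B, "not a TLS Certificate handshake message"
    cert_len = int.from_bytes(buf[7:10], "big")      # type(1) len(3) | list len(3) | cert len(3)
    cert = buf[10:]                                  # first (leaf) certificate, DER
    _, p, _ = tlv(cert, 0)                           # Certificate SEQUENCE
    _, p, _ = tlv(cert, p)                           # tbsCertificate SEQUENCE
    _, _, p = tlv(cert, p)                           # [0] EXPLICIT version, skipped
    _, s, p = tlv(cert, p)                           # serialNumber INTEGER
    serial = int.from_bytes(cert[s:p], "big")
    _, alg, p = tlv(cert, p)                         # signature AlgorithmIdentifier
    _, oid_s, oid_e = tlv(cert, alg)
    sig_oid = decode_oid(cert[oid_s:oid_e])
    issuer, p = parse_name(cert, p)
    _, v, p = tlv(cert, p)                           # Validity SEQUENCE
    not_before, v = parse_utctime(cert, v)
    not_after, _ = parse_utctime(cert, v)
    subject, _ = parse_name(cert, p)
    return {"cert_len": cert_len, "serial": serial, "sig_alg": SIG_ALGS.get(sig_oid, sig_oid),
            "issuer": issuer, "subject": subject, "not_before": not_before, "not_after": not_after,
            # OpenSSL err 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT): depth-0 issuer == subject
            "self_signed": issuer == subject}
```

Three things the decoded fields tell a practitioner about this post. First, issuer and subject are identical, which is exactly what OpenSSL means by err 18; the client then sends the alert seen a few lines later (`15 03 01 00 02 02 30`: alert record, level 2 = fatal, description 48 = unknown_ca) and `ldap_sasl_interactive_bind_s` fails with "Can't contact LDAP server". A self-signed certificate is only accepted when the client is told to trust that very certificate as its anchor, so the fix on the client side is a `TLS_CACERT` line pointing at the server certificate (or a file containing only the certificate), not disabling verification. Second, `ldapsearch` and the other OpenLDAP tools read `/etc/openldap/ldap.conf`, whereas the `TLS_REQCERT never` line in the post sits in `/etc/ldap.conf`, which is the file nss_ldap and pam_ldap read (their keys for this are `tls_cacertfile` and `tls_checkpeer`); that is why the `ldapsearch` run still verifies and fails while the nss_ldap traces merely show `do_bind` followed by `do_close`. `TLS_REQCERT never` also switches peer verification off entirely, which leaves every LDAP bind, including the cleartext `pam_password clear` exchanges, open to interception by anyone who can answer for `new.theoretic.com`. Third, the signature algorithm decodes to md5WithRSAEncryption (OID 1.2.840.113549.1.1.4), so when the certificate is regenerated to be trusted properly it should also be reissued with a SHA-family signature.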