
client can StartTLS from ldapsearch but not getent/pam_ldap



I have a known-good server-side config for doing StartTLS on my LDAP server - it's only listening on the ldap port and I can watch by looking at tcpdump output that after the server and client negotiate the StartTLS, it all goes to gibberish. 
 
Now, on the client, the following command:
 
# ldapsearch -x -b 'dc=cis,dc=uab,dc=edu' -D "cn=manager,dc=cis,dc=uab,dc=edu" '(objectclass=*)' -H ldap://ldap.cis.uab.edu -W -ZZ
 
works great and I get back all the data in the directory as expected, so it would appear that the client is capable of StartTLS.
 
However, on the same client, if I try:
 
# getent passwd
 
I don't see any of the accounts from the LDAP database.  The errors I am seeing on the server look like:
 
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1721, written=1721
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
tls_read: want=5, got=5
  0000:  16 03 01 00 86                                     .....            
tls_read: want=134, got=134
  0000:  10 00 00 82 00 80 b7 66  22 6e b8 dd 21 a6 75 95   .......f"n..!.u. 
  0010:  14 ee c9 d3 ee 0d cb 00  74 d6 0d 06 63 0a 21 e4   ..
 
Now, if I comment out everything TLS-related from slapd.conf and ldap.conf on the server and client, I see the accounts just fine, so the pam_filter and such are all working just fine.  But I can't get the client to negotiate a TLS connection when using getent, whereas it negotiates one fine when I run ldapsearch.  Thoughts on things to look at?  nsswitch is set to "passwd files ldap" and, as mentioned, works fine when I comment out the TLS-related settings in ldap.conf and slapd.conf.
 
My client ldap.conf contains (relevant to TLS):
 
ssl start_tls
TLS_CACERT /tmp/demoCA/cacert.pem
TLS_REQCERT demand
 
My server slapd.conf contains:
 
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/myCA/demoCA/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKey /usr/local/var/openldap-data/serverkey.pem
# will want to do this eventually but first things first
TLSVerifyClient never
 
Any ideas much appreciated.
 
Thanks,
Fran
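The slapd trace above mixes OpenSSL state names with raw record bytes, and the record headers say which handshake message each dump carries: the server's write starts with a ServerHello record and ends with ServerHelloDone, and the read that follows the "Resource temporarily unavailable" line carries a ClientKeyExchange from the client. This is an added example, not code from the post or from OpenLDAP; it assumes slapd's debug dump layout (offset, hex bytes, a three-space gap, ASCII column) and embeds a constructed sample built from a few lines of the post's trace.

```python
import re
import struct
# TLS 1.0 (RFC 2246) record and handshake type codes; the trace uses 3.1 framing.
RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
# Constructed sample: a few lines of the post's slapd trace, so two records are deliberately cut short.
SAMPLE_TRACE = """\
tls_write: want=1721, written=1721
  0000:  16 03 01 00 4a 02 00 00  46 03 01 40 14 b0 7a d8   ....J...F..@..z
  06b0:  16 03 01 00 04 0e 00 00  00                        .........
tls_read: want=5, got=5
  0000:  16 03 01 00 86                                     .....
tls_read: want=134, got=134
  0000:  10 00 00 82 00 80 b7 66  22 6e b8 dd 21 a6 75 95   .......f"n..!.u.
"""

def split_streams(trace):
    # Same-direction dumps form one segment (slapd reads header and body in separate calls); an offset jump ([snip]) starts a new one.
    segments, expected = [], None
    for line in trace.splitlines():
        io = re.match(r"(tls_read|tls_write):", line)
        if io:
            if not segments or segments[-1][0] != io.group(1):
                segments.append((io.group(1), bytearray()))
            expected = 0
            continue
        m = re.match(r"\s*([0-9a-f]{4}):\s+(.*)", line)
        if not m or expected is None:
            continue
        if int(m.group(1), 16) != expected:
            segments.append((segments[-1][0], bytearray()))
        chunk = bytes.fromhex(re.split(r"\s{3,}", m.group(2).strip(), maxsplit=1)[0].replace(" ", ""))
        segments[-1][1].extend(chunk)
        expected = int(m.group(1), 16) + len(chunk)
    return [(d, bytes(b)) for d, b in segments]

def decode_records(segment):
    # Walk record headers and nested handshake headers; a body shorter than its length field is flagged truncated.
    out, pos = [], 0
    while pos + 5 <= len(segment):
        ctype, major, minor, length = struct.unpack("!BBBH", segment[pos:pos + 5])
        body, hp = segment[pos + 5:pos + 5 + length], 0
        name = RECORD_TYPES.get(ctype, f"type{ctype}")
        while ctype == 22 and hp + 4 <= len(body):
            name += "/" + HANDSHAKE_TYPES.get(body[hp], f"msg{body[hp]}")
            hp += 4 + int.from_bytes(body[hp + 1:hp + 4], "big")
        out.append((f"{major}.{minor}", name, len(body) < length))
        pos += 5 + length
    return out
```

Feed it the full `slapd -d` output to see, per read or write, which record type and handshake message the bytes are, and where a dump stops short of what the record header promised.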