I have a known-good server-side config for doing
StartTLS on my LDAP server - it's only listening on the ldap port and I can
watch by looking at tcpdump output that after the server and client negotiate
the StartTLS, it all goes to gibberish.
Now, on the client, the following command:

# ldapsearch -x -b 'dc=cis,dc=uab,dc=edu' -D "cn=manager,dc=cis,dc=uab,dc=edu" '(objectclass=*)' -H ldap://ldap.cis.uab.edu -W -ZZ

works great and I get back all the data in the
directory as expected, so it would appear that the client is capable of
StartTLS.
However, on the same client, if I try:
# getent passwd
I don't see any of the accounts from the LDAP
database. The errors I am seeing on the server look like:
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1721, written=1721
0000: 16 03 01 00 4a 02 00 00 46 03 01 40 14 b0 7a d8 ....J...F..@..z.
0010: 64 22 54 5f 96 43 c1 4c 20 e1 59 c1 ae b3 95 f3 d"T_.C.L .Y.....
0020: 6f 59 0b fb 36 7b 42 67 27 00 f2 20 40 2b ae c6 oY..6{Bg'.. @+..
[snip]
0660: ac 2f 44 18 ca eb 9f 2b c7 c0 17 0a 04 64 e1 66 ./D....+.....d.f
0670: 32 55 23 1a 91 77 69 b0 9d 36 67 cf 3c 19 54 f1 2U#..wi..6g.<.T.
0680: 25 15 88 7c a6 f9 67 df 36 0f 0a cb 51 ac 29 10 %..|..g.6...Q.).
0690: 92 87 9f 29 4c 01 a2 96 d1 ea 01 e8 23 ae e8 b8 ...)L.......#...
06a0: 41 34 96 4a b2 85 85 dd 5d be cb 53 7b 4d 60 12 A4.J....]..S{M`.
06b0: 16 03 01 00 04 0e 00 00 00 .........
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 01 00 86 .....
tls_read: want=134, got=134
0000: 10 00 00 82 00 80 b7 66 22 6e b8 dd 21 a6 75 95 .......f"n..!.u.
0010: 14 ee c9 d3 ee 0d cb 00 74 d6 0d 06 63 0a 21 e4 ..

Now, if I comment out everything TLS-related from
slapd.conf and ldap.conf on the server and client, I see the accounts just fine,
so the pam_filter and such is all working just fine. But I can't get the
client to negotiate a TLS connection when using getent, whereas it negotiates
one fine when I run ldapsearch. Thoughts of things to look at?
nsswitch is set "passwd files ldap" and as mentioned works fine when I comment
out TLS-related settings in ldap.conf and slapd.conf.
My client ldap.conf contains (relevant to
TLS):
ssl start_tls
TLS_CACERT /tmp/demoCA/cacert.pem
TLS_REQCERT demand
My server slapd.conf contains:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/myCA/demoCA/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKey /usr/local/var/openldap-data/serverkey.pem
# will want to do this eventually but first things first
TLSVerifyClient never
Any ideas much appreciated.
Thanks,
Fran
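As an added example for this thread (not code from the poster, OpenLDAP or OpenSSL), here is a small Python script that reads the kind of slapd TLS trace quoted above and decodes what the hex dumps actually contain. The sample trace inside it is constructed from the post's own lines, condensed to the first hex line of each dump. Three things it makes visible: the record headers start with 16 03 01, i.e. TLS 1.0, even though OpenSSL's trace strings call every state "SSLv3 ..."; the server's outgoing flight ends with a record of length 4 carrying 0e, a ServerHelloDone with no CertificateRequest before it, which is what TLSVerifyClient never produces; and the two "error in SSLv3 read client certificate A" lines sit right after "tls_read: want=5 error=Resource temporarily unavailable", so they are OpenSSL reporting WANT_READ on a non-blocking socket, not an aborted handshake. The next record the server reads begins with 10, a ClientKeyExchange, which a client only sends after it has accepted the server certificate. The state name that counts as fatal, the EAGAIN string and the message-name tables are assumptions I have written into the script, not anything OpenLDAP documents.

```python
"""Triage slapd's TLS trace output (the "TLS trace:" / tls_read / tls_write
lines slapd prints with TLS debugging). Added example for this thread; not
code from OpenLDAP, OpenSSL or the original poster. It decodes the record and
handshake headers in the hex dumps and separates OpenSSL's non-blocking
"error in ... read" retry lines from handshake messages that actually arrived."""
import re

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {0x00: "hello_request", 0x01: "client_hello",
                   0x02: "server_hello", 0x0b: "certificate",
                   0x0c: "server_key_exchange", 0x0d: "certificate_request",
                   0x0e: "server_hello_done", 0x0f: "certificate_verify",
                   0x10: "client_key_exchange", 0x14: "finished"}
TRACE_RE = re.compile(r"^TLS trace: SSL_accept:(?P<state>.*)$")
IO_RE = re.compile(r"^tls_(?P<op>read|write): want=(?P<want>\d+)"
                   r"(?:, (?:got|written)=(?P<done>\d+))?(?: error=(?P<err>.*))?$")
EAGAIN = "Resource temporarily unavailable"   # errno text OpenSSL reports for WANT_READ

# Constructed sample: the post's trace, condensed to the first hex line of each dump.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1721, written=1721
0000: 16 03 01 00 4a 02 00 00 46 03 01 40 14 b0 7a d8 ....J...F..@..z.
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: read activity on 9
tls_read: want=5, got=5
0000: 16 03 01 00 86 .....
tls_read: want=134, got=134
0000: 10 00 00 82 00 80 b7 66 22 6e b8 dd 21 a6 75 95 .......f"n..!.u.
"""

def parse_hex_line(line):
    """Bytes on one slapd hex-dump line ("0000: 16 03 ..."), at most 16 per
    line; the ASCII column after the hex pairs is ignored."""
    out = []
    for tok in line.split()[1:17]:
        if len(tok) != 2 or not all(c in "0123456789abcdef" for c in tok.lower()):
            break
        out.append(int(tok, 16))
    return bytes(out)

def record_header(data):
    """Decode a 5-byte TLS record header. 03 01 is TLS 1.0, even though
    OpenSSL's trace strings label the states 'SSLv3 ...'."""
    if len(data) < 5:
        return None
    major, minor = data[1], data[2]
    version = ("TLS 1.%d" % (minor - 1)) if (major, minor) >= (3, 1) else ("SSL %d.%d" % (major, minor))
    return {"content_type": CONTENT_TYPES.get(data[0], "unknown(0x%02x)" % data[0]),
            "version": version, "length": (data[3] << 8) | data[4]}

def handshake_header(data):
    """Decode a 4-byte handshake header: message type and 24-bit body length."""
    if len(data) < 4:
        return None
    return {"msg": HANDSHAKE_TYPES.get(data[0], "unknown(0x%02x)" % data[0]),
            "length": (data[1] << 16) | (data[2] << 8) | data[3]}

def decode_record_line(line):
    """Decode a dump line that starts with a record header followed by a
    handshake message, e.g. the last line of the server's outgoing flight."""
    data = parse_hex_line(line)
    return {"record": record_header(data), "handshake": handshake_header(data[5:])}

def triage(trace):
    states, messages, retries, fatals = [], [], [], []
    pending = None      # last tls_read/tls_write line, waiting for its hex dump
    header = None       # record header already read; the next read is its body
    last_io_err = None  # error text of the most recent tls_read/tls_write
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if m:
            state = m.group("state")
            if state.startswith("error in "):
                # OpenSSL prints "error in <state>" whenever SSL_accept returns <= 0,
                # which includes WANT_READ (EAGAIN) on a non-blocking socket.
                (retries if last_io_err == EAGAIN else fatals).append(state[len("error in "):])
            else:
                states.append(state)
            continue
        m = IO_RE.match(line)
        if m:
            pending, last_io_err = m.groupdict(), m.group("err")
            continue
        if line.startswith("0000:") and pending:
            data = parse_hex_line(line)
            if pending["op"] == "write":      # outgoing flight: header + first message
                rec, hs = record_header(data), handshake_header(data[5:])
                if rec and hs:
                    messages.append(("server", rec["version"], hs["msg"]))
            elif header is None and pending["want"] == "5":
                header = record_header(data)  # 5-byte read: a record header
            elif header is not None:          # body read: first byte is the message type
                hs = handshake_header(data) if header["content_type"] == "handshake" else None
                messages.append(("client", header["version"], hs["msg"] if hs else header["content_type"]))
                header = None
            pending = None
    client_msgs = [msg for side, _, msg in messages if side == "client"]
    if "client_key_exchange" in client_msgs:
        verdict = ("client sent client_key_exchange, so it accepted the server certificate; "
                   "the 'error in' lines were non-blocking read retries")
    elif fatals:
        verdict = "handshake aborted in state: " + fatals[-1]
    else:
        verdict = "handshake incomplete in this capture"
    return {"states": states, "messages": messages, "retries": retries,
            "fatals": fatals, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE)["verdict"])
    print(decode_record_line("06b0: 16 03 01 00 04 0e 00 00 00 ........."))
```

Paste a full trace into triage() to get the same classification for a longer session; a client that rejects the certificate shows up as an alert record (content type 15) or a connection close in place of the client_key_exchange, and an "error in" line with no preceding EAGAIN lands in the fatals list instead of retries.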