
Re: client can StartTLS from ldapsearch but not getent/pam_ldap



Then your problem must not be in OpenLDAP Software itself,
but in getent (nss_ldap) and pam_ldap.  You should take those
problems to the nssldap@padl.com and pamldap@padl.com mailing
lists.

Kurt

At 09:16 PM 1/25/2004, Fran Fabrizio wrote:
>I have a known-good server-side config for doing StartTLS on my LDAP server - it's only listening on the ldap port, and I can see from tcpdump output that after the server and client negotiate StartTLS, it all goes to gibberish.
> 
>Now, on the client, the following command:
> 
># ldapsearch -x -b 'dc=cis,dc=uab,dc=edu' -D "cn=manager,dc=cis,dc=uab,dc=edu" '(objectclass=*)' -H ldap://ldap.cis.uab.edu -W -ZZ
> 
>works great and I get back all the data in the directory as expected, so it would appear that the client is capable of StartTLS.
> 
>However, on the same client, if I try:
> 
>#  getent passwd
> 
>I don't see any of the accounts from the LDAP database.  The errors I am seeing on the server look like:
> 
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>tls_write: want=1721, written=1721
>TLS trace: SSL_accept:SSLv3 flush data
>tls_read: want=5 error=Resource temporarily unavailable
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>daemon: select: listen=6 active_threads=0 tvp=NULL
>daemon: activity on 1 descriptors
>daemon: activity on: 9r
>daemon: read activity on 9
>connection_get(9)
>connection_get(9): got connid=0
>connection_read(9): checking for input on id=0
>tls_read: want=5, got=5
>  0000:  16 03 01 00 86                                     .....             
>tls_read: want=134, got=134
>  0000:  10 00 00 82 00 80 b7 66  22 6e b8 dd 21 a6 75 95   .......f"n..!.u.  
>  0010:  14 ee c9 d3 ee 0d cb 00  74 d6 0d 06 63 0a 21 e4   ..
> 
>Now, if I comment out everything TLS-related from slapd.conf and ldap.conf on the server and client, I see the accounts just fine, so the pam_filter and such are all working just fine.  But I can't get the client to negotiate a TLS connection when using getent, whereas it negotiates one fine when I run ldapsearch.  Thoughts of things to look at?  nsswitch is set to "passwd files ldap" and, as mentioned, works fine when I comment out TLS-related settings in ldap.conf and slapd.conf.
> 
>My client ldap.conf contains (relevant to TLS):
> 
>ssl start_tls
>TLS_CACERT /tmp/demoCA/cacert.pem
>TLS_REQCERT demand
> 
>My server slapd.conf contains:
> 
>TLSCipherSuite HIGH:MEDIUM:+SSLv2
>TLSCACertificateFile /usr/local/var/myCA/demoCA/cacert.pem
>TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
>TLSCertificateKey /usr/local/var/openldap-data/serverkey.pem
># will want to do this eventually but first things first
>TLSVerifyClient never
> 
>Any ideas much appreciated.
> 
>Thanks,
>Fran
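An added example, not code from this thread: a small decoder for the record headers in slapd's tls_read/tls_write hex dumps like the ones quoted above, so a reader can tell which handshake step a failing client actually reached. SAMPLE_READ reuses the two tls_read dumps from the post; SAMPLE_ALERT is a constructed record of the kind a client sends when it rejects the server certificate.

```python
"""Decode the TLS record headers in slapd's tls_read/tls_write hex dumps (added example).
SAMPLE_READ is the two tls_read dumps quoted in the post (second one truncated, as there);
SAMPLE_ALERT is a constructed record of the kind a client sends when it rejects the
server certificate. Only headers are decoded, so a cut-off dump still yields its record
type and the handshake message or alert inside it."""
import re

CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}
DUMP_LINE = re.compile(r"^[0-9a-f]{4}:\s+(.*)$")

SAMPLE_READ = """\
>tls_read: want=5, got=5
>  0000:  16 03 01 00 86                                     .....
>tls_read: want=134, got=134
>  0000:  10 00 00 82 00 80 b7 66  22 6e b8 dd 21 a6 75 95   .......f"n..!.u.
>  0010:  14 ee c9 d3 ee 0d cb 00  74 d6 0d 06 63 0a 21 e4   ..
""".splitlines()
SAMPLE_ALERT = ["  0000:  15 03 01 00 02 02 30                               ......0"]  # constructed

def dump_bytes(lines):
    """Concatenate the bytes of 'NNNN:  xx xx ...' lines, ignoring the ASCII column.
    slapd prints at most 16 bytes per line, so collection stops at the 16th token
    or at the first token that is not two hex digits."""
    data = bytearray()
    for line in lines:
        m = DUMP_LINE.match(line.lstrip("> "))
        if not m:
            continue  # trace/debug lines, quote markers, blanks
        for tok in m.group(1).split()[:16]:
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break
            data.append(int(tok, 16))
    return bytes(data)

def decode_records(data):
    """Return (content_type, version, length, detail) per TLS record; detail names
    the handshake message or alert description, None if the body was not captured."""
    records, i = [], 0
    while i + 5 <= len(data):
        ctype, length = data[i], int.from_bytes(data[i + 3:i + 5], "big")
        version = f"{data[i + 1]}.{data[i + 2]}"  # 3.1 is TLS 1.0, as in the post
        body, detail = data[i + 5:i + 5 + length], None
        if ctype == 0x16 and body:
            detail = HANDSHAKE.get(body[0], f"handshake type {body[0]}")
        elif ctype == 0x15 and len(body) >= 2:
            detail = ALERT.get(body[1], f"alert {body[1]}")
        records.append((CONTENT.get(ctype, f"type {ctype}"), version, length, detail))
        i += 5 + length  # advance past the body even if the dump is truncated
    return records
```

Run on the post's dump this reports a TLS 1.0 Handshake record carrying a ClientKeyExchange, i.e. the client had already accepted the server certificate at that point; a rejected certificate would instead show up as an Alert record with a description such as unknown_ca.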