
Re: Using NSS



On 10/27/2011 12:05 PM, Braden McDaniel wrote:
On Thu, 2011-10-27 at 08:44 -0600, Rich Megginson wrote:

[snip]

What is your /etc/openldap/ldap.conf?
That question led me to a bogus setting for TLS_CACERTDIR.  First, I
tried simply commenting the line out, figuring the value of
olcTLSCACertificatePath in cn=config.ldif would be used.

No, the client cannot use cn=config.ldif - that is for the server only.
The server cannot use ldap.conf - that is for the client only.

That produced this:

         # ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
         ldap_url_parse_ext(ldaps://rail)
         ldap_create
         ldap_url_parse_ext(ldaps://rail:636/??base)
         ldap_sasl_bind
         ldap_send_initial_request
         ldap_new_connection 1 1 0
         ldap_int_open_connection
         ldap_connect_to_host: TCP rail:636
         ldap_new_socket: 3
         ldap_prepare_socket: 3
         ldap_connect_to_host: Trying ::1 636
         ldap_pvt_connect: fd: 3 tm: -1 async: 0
         TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
         TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
         TLS: can't connect: TLS error -5938:Encountered end of file.
         ldap_err2string
         ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

So, instead, I set the value of TLS_CACERTDIR to match that of
olcTLSCACertificatePath.  ldap.conf now looks like this:

         #
         # LDAP Defaults
         #

         # See ldap.conf(5) for details
         # This file should be world readable but not world writable.

         #BASE	dc=example,dc=com
         #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

         #SIZELIMIT	12
         #TIMELIMIT	15
         #DEREF		never
         URI ldap://rail.endoframe.net/
         BASE dc=endoframe,dc=net
         TLS_CACERTDIR /etc/pki/nssdb

That still doesn't do the trick; but it did change the error message:

         # ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
         ldap_url_parse_ext(ldaps://rail)
         ldap_create
         ldap_url_parse_ext(ldaps://rail:636/??base)
         ldap_sasl_bind
         ldap_send_initial_request
         ldap_new_connection 1 1 0
         ldap_int_open_connection
         ldap_connect_to_host: TCP rail:636
         ldap_new_socket: 3
         ldap_prepare_socket: 3
         ldap_connect_to_host: Trying ::1 636
         ldap_pvt_connect: fd: 3 tm: -1 async: 0
         TLS: using moznss security dir /etc/pki/nssdb prefix .
         TLS: error: tlsm_PR_Recv returned 0 - error 17:File exists
         TLS: error: connect - force handshake failure: errno 17 - moznss error -5938
         TLS: can't connect: TLS error -5938:Encountered end of file.
         ldap_err2string
         ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Never seen that - I have no idea why you would get an EEXIST at this point in the code. I suggest turning on debugging on the server and seeing what it thinks is happening.
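The thread turns on the split Rich points out: ldapsearch reads ldap.conf, slapd reads cn=config, and with a moznss build the client's TLS_CACERTDIR has to name a directory that actually holds an NSS certificate database. The script below is an added example, not code from the thread or from OpenLDAP; it checks an ldap.conf the way a client-side troubleshooter would, and the ldap.conf samples it builds (the `check_client_tls` function, the scratch files and the host names reused from the thread) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check the OpenLDAP *client* TLS setting in an ldap.conf.
# Assumes an NSS (moznss) libldap, where TLS_CACERTDIR must be a directory
# containing an NSS database (cert8.db/key3.db/secmod.db or cert9.db/key4.db/pkcs11.txt).

# check_client_tls <ldap.conf>
# Prints one finding; returns 0 when TLS_CACERTDIR looks usable, 1 otherwise.
check_client_tls() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Only uncommented lines count; the last TLS_CACERTDIR seen wins.
    dir=$(awk '$1 == "TLS_CACERTDIR" { d = $2 } END { print d }' "$conf")
    if [ -z "$dir" ]; then
        echo "$conf: no active TLS_CACERTDIR (a commented-out line is ignored)"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$conf: TLS_CACERTDIR $dir is not a directory"
        return 1
    fi
    for db in cert8.db cert9.db; do
        if [ -e "$dir/$db" ]; then
            # The database must also be readable by the user running ldapsearch.
            [ -r "$dir/$db" ] || { echo "$conf: $dir/$db exists but is not readable"; return 1; }
            echo "$conf: TLS_CACERTDIR $dir holds an NSS database ($db)"
            return 0
        fi
    done
    echo "$conf: TLS_CACERTDIR $dir has no cert8.db/cert9.db, so it is not an NSS database"
    return 1
}

# Constructed sample configs in a scratch directory so the check runs offline.
tmp=$(mktemp -d)
mkdir -p "$tmp/nssdb" "$tmp/emptydir"
: > "$tmp/nssdb/cert8.db"; : > "$tmp/nssdb/key3.db"; : > "$tmp/nssdb/secmod.db"
printf 'URI ldap://rail.endoframe.net/\nBASE dc=endoframe,dc=net\nTLS_CACERTDIR %s\n' \
    "$tmp/nssdb" > "$tmp/good.conf"
printf 'URI ldap://rail.endoframe.net/\nTLS_CACERTDIR %s\n' "$tmp/emptydir" > "$tmp/bad.conf"
printf 'URI ldap://rail.endoframe.net/\n#TLS_CACERTDIR %s\n' "$tmp/nssdb" > "$tmp/commented.conf"

for c in good bad commented; do
    check_client_tls "$tmp/$c.conf" || echo "  -> client TLS config rejected"
done
```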