RE: Openldap Problem

To: Chris <chris@flamengro.co.za>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Subject: RE: Openldap Problem

From: "RICHARDSON Matt (SPARQ)" <matt.richardson@sparq.com.au>

Date: Fri, 27 Jul 2012 09:09:49 +1000

Accept-language: en-US, en-AU

Acceptlanguage: en-US, en-AU

Content-language: en-US

In-reply-to: <50112224.6000206@flamengro.co.za>

Thread-index: Ac1rILZLueCJrpOSTGOq8S0Ezk7DhAAYqUkw

Thread-topic: Openldap Problem

Check the permissions on your certificates. I've had this happen a couple of times and it was due to the ldap user not being able to read the certificate on start up. If they are wrong, correct them and restart slapd.

Matt

From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Chris
Sent: Thursday, 26 July 2012 8:56 PM
To: openldap-technical@openldap.org
Subject: Openldap Problem

Hi.

I am using rhel 6.3, with sssd-1.8.0 and openldap-servers-2.4.23-26, the kernel is 2.6.32-279.2.1.el6.x86_64.
The problem I'm having is I get this error message in messages file.

"sssd[be[default]]: Could not start TLS encryption. TLS error -5938:Encountered end of file"

I started sssd with debugging set to 9. Errors I saw in sssd_default.log is:

[dp_get_options] (0x0400): Option ldap_sasl_minssf has value -1
[get_port_status] (0x1000): Port status of port 389 for server 'ibm-01.flamengro.co.za' is 'not working'

When I add new users I cannot log in with the new names, a ldapseach shows them but getent passwd nothing.
Not all the users show up on my other machines either.

Any help will be appreciated.

My slapd.conf file looks like this.

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=flamengro,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=flamengro,dc=com"

rootpw secret

directory       /var/lib/ldap/flamengro

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

database monitoraccess to *
        by dn.exact="cn=Manager,dc=flamengro,dc=com" read
        by * none
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none

My sssd.conf file looks like this

[sssd]
config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30
services = nss, pam

domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
auth_provider = ldap
cache_credentials = True
ldap_id_use_start_tls = True
debug_level = 9
ldap_search_base = dc=flamengro,dc=com
# krb5_realm = EXAMPLE.COM
chpass_provider = ldap
id_provider = ldap
ldap_uri = ldap://ibm-01.flamengro.co.za
# krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
enumerate = True
ldap_sasl_canonicalize = true
# krb5_server = kerberos.example.com

Click here to report this email as spam.

*************************************************************************************
This email message (including any file attachments transmitted with it) is for the sole use of the intended recipient(s) and may contain confidential and legally privileged information. Any unauthorised review, use, alteration, disclosure or distribution of this email (including any attachments) by an unintended recipient is prohibited. If you have received this email in error, please notify the sender by return email and destroy all copies of the original message. Any confidential or legal professional privilege is not waived or lost by any mistaken delivery of the email. SPARQ Solutions accepts no responsibility for the content of any email which is sent by an employee which is of a personal nature.
Sender Details:
SPARQ Solutions
PO Box 15760 City East, Brisbane QLD Australia 4002
+61 7 4931 2222
SPARQ Solutions policy is to not send unsolicited electronic messages. Suspected breaches of this policy can be reported by replying to this message including the original message and the word "UNSUBSCRIBE" in the subject.
*************************************************************************************

References:

Openldap Problem
- From: Chris <chris@flamengro.co.za>