SCIENTIFIC-LINUX-USERS Archives

January 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Jon Peatfield <[log in to unmask]>
Date: Thu, 22 Jan 2009 19:59:28 +0000
On Thu, 22 Jan 2009, Olf Epler wrote:

> Dear colleagues,
>
> For a couple of days I have been trying to switch on the SSL connection
> for an LDAP client on SL-5.2 x86_64.
> I cleaned this installation so that only x86_64 packages are
> installed, and also ran yum upgrade.
> My server works without any problems with SL-4.2 i386/x86_64,
> SL-5.1 i386, and also on port 389 with SL-5.2 x86_64.
> openssl097a and openssl-0.9.8b are installed.
> As soon as I change to "ldaps://<server>" in ldap.conf, nothing
> happens.
> "ssl on" in ldap.conf allows "getent passwd" or ldapsearch
> but disables console logins. A further login is only possible
> as root with ssh.
> "ssl tls_start" also doesn't work.
> I've recompiled nss_ldap and also pam_ldap - no result.
> Because PAM works well if I use port 389, I believe something
> else must be wrong. Can anybody help?

At least two types of problems were reported with ldap use at about the 
time that the updates for sl52 came out.

One was related to dbus not being listed as an ignoregroups option and so 
systems would hang during dbus startup.

Another was related to changes in nss_ldap which changed how 
ldap.conf was parsed, so previously working configs stopped working, and 
most of the reported problems were with people using SSL.  That may have 
been related to the port option in the config (or might not).

Using "ldap://<server>" and "ssl start_tls" may work, depending on whether 
your LDAP server allows StartTLS.

If you include a copy of your /etc/ldap.conf (and perhaps the ldap server 
config) it may all be obvious to those who had the problems last year...

-- 
/--------------------------------------------------------------------\
| "Computers are different from telephones.  Computers do not ring." |
|       -- A. Tanenbaum, "Computer Networks", p. 32                  |
---------------------------------------------------------------------|
| Jon Peatfield, _Computer_ Officer, DAMTP,  University of Cambridge |
| Mail:  [log in to unmask]     Web:  http://www.damtp.cam.ac.uk/ |
\--------------------------------------------------------------------/
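As an added illustration of the ldap.conf mismatches discussed in this thread (ldaps URI versus StartTLS, the port option, certificate settings), the following Python script is not code from the thread or from nss_ldap; it lints a constructed /etc/ldap.conf in nss_ldap/pam_ldap syntax and reports settings that would keep TLS from coming up or that weaken it. The sample config is constructed to match the poster's description; the option names (uri, ssl, host, port, tls_cacertfile, tls_cacertdir, tls_checkpeer) are the standard nss_ldap/pam_ldap keywords.

```python
# Lint an nss_ldap/pam_ldap style /etc/ldap.conf for TLS misconfigurations.
# Added example, not code from the thread; the sample config is constructed.
from urllib.parse import urlsplit

SAMPLE_CONF = """\
# constructed sample in the shape the poster describes
base dc=example,dc=org
uri ldaps://ldap.example.org
ssl tls_start
pam_password md5
"""

# Values nss_ldap/pam_ldap accept for the 'ssl' keyword.
VALID_SSL = {"on", "off", "start_tls"}


def parse_ldap_conf(text):
    """Return {option: value}; keys lowercased, comments and blank lines skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def lint_ldap_conf(text):
    """Return findings explaining why TLS may not come up, or why it is weak."""
    o = parse_ldap_conf(text)
    findings = []
    ssl = o.get("ssl", "off").lower()
    uri = o.get("uri", "")
    scheme = urlsplit(uri.split()[0]).scheme.lower() if uri else ""  # first URI only
    if ssl not in VALID_SSL:
        findings.append(f"unknown 'ssl {ssl}': valid values are on, off, start_tls")
    if scheme == "ldaps" and ssl == "start_tls":
        findings.append("'ssl start_tls' with an ldaps:// URI: StartTLS cannot run on an already-TLS port")
    if ssl == "on" and (scheme == "ldap" or o.get("port") == "389"):
        findings.append("'ssl on' expects LDAPS (port 636); ldap:// or port 389 will not negotiate TLS")
    if "host" in o and uri:
        findings.append("both 'host' and 'uri' are set: use one form so the parser has no ambiguity")
    tls_in_use = ssl in {"on", "start_tls"} or scheme == "ldaps"
    if tls_in_use and not (o.get("tls_cacertfile") or o.get("tls_cacertdir")):
        findings.append("TLS in use but no tls_cacertfile/tls_cacertdir: server certificate cannot be verified")
    if o.get("tls_checkpeer", "").lower() == "no":
        findings.append("'tls_checkpeer no' disables certificate verification (client is open to MITM)")
    return findings
```

Run `lint_ldap_conf(open("/etc/ldap.conf").read())` against a real file to see the same findings for your own configuration.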
