SCIENTIFIC-LINUX-USERS Archives

May 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Zhi-Wei Lu <[log in to unmask]>
Date: Thu, 22 May 2008 15:39:28 -0700

Thanks Jan!

It appears that nss_ldap_253-12 breaks the
ldaps://ldap.server mechanism on port 636, which was in my
/etc/ldap.conf file (used by nss_ldap).

After I modified /etc/ldap.conf with

ldap://ldap.server along with
ssl start_tls
tls_checkpeer yes

nss_ldap-253-12 is happy and it gets data from the ldap server with TLS.

On the other hand, I still kept my
/etc/openldap/ldap.conf the way it was, that is

URI ldaps://ldap.server

rather than
ldap://ldap.server
TLS_REQCERT demand

otherwise,
ldapsearch seems to happily ignore the TLS_REQCERT demand and sends/gets
data on port 389 in the clear unless you specify the -ZZ argument.

This thread is directly related to
Faye Gibbins's "Openssl breaks ldap on SL5.0" thread!  It is nss_ldap
rather than openssl's fault.

Jan Kundrát wrote:
> Zhi-Wei Lu wrote:
>> 2.  Turn on ssl and add the nss_initgroups_ignoreusers line, the message
>> bus was fine and system rebooted, but ldap query is still not working
>> via ldaps, therefore, the latest nss_ldap_253-12 breaks something.
> 
> Instead of "ldaps" (as in LDAP over SSL), we use starttls (plaintext
> connection that is converted to SSL after a while)  -- our LDAP servers
> are configured in such a way that they won't talk to you unless you
> access them over a secure channel. I've tried changing the settings to
> ldaps (and indeed the machines talked to slapd at port 636), but saw no
> difference.
> 
> Anyway, dump of configuration that *works* for me with recent nss_ldap
> on 32bit SL5 box is at http://dev.gentoo.org/~jkt/ldap/sl5/ , perhaps
> you can spot a difference against your setup.
> 
> These are the packages I use (and whose version might matter here):
> 
> openldap-clients-2.3.27-8.el5_1.3.i386
> openssl-0.9.8b-8.3.el5_0.2.i686
> compat-openldap-2.3.27_2.2.29-8.el5_1.3.i386
> nss_db-2.2-35.3.i386
> openssh-4.3p2-42.sl5.i386
> nss-3.11.7-1.3.el5.i386
> openldap-2.3.27-8.el5_1.3.i386
> pam-0.99.6.2-3.26.el5.i386
> openssh-server-4.3p2-42.sl5.i386
> nss-tools-3.11.7-1.3.el5.i386
> nss_ldap-253-12.el5.i386
> 
> Cheers,
> -jkt


-- 
Zhi-Wei Lu
Institute for Data Analysis and Visualization
University of California, Davis
(530) 752-0494
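
Added example, not from Zhi-Wei Lu's or Jan Kundrát's posts: a small POSIX shell audit of the two client files this thread is about, the nss_ldap /etc/ldap.conf and the OpenLDAP /etc/openldap/ldap.conf, checking for the settings the thread ended up needing (ldaps://, or ldap:// with ssl start_tls plus tls_checkpeer yes; and ldaps:// on the OpenLDAP side, since TLS_REQCERT alone does not force TLS without -ZZ). The hostname and file contents in write_samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two LDAP client files discussed
# above. Each audit prints findings and returns 0 (TLS enforced, peer verified) or 1.

# First value of a directive; key match is case-insensitive, comment lines skipped.
ldap_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# nss_ldap/pam_ldap /etc/ldap.conf: accept ldaps://, or ldap:// together with
# "ssl start_tls" and an explicit "tls_checkpeer yes" (the fix from the thread).
audit_nss_ldap_conf() {
    uri=$(ldap_directive "$1" uri); rc=0
    case "$uri" in
        ldaps://*) echo "OK: $uri is LDAP over SSL on 636" ;;
        ldap://*)
            [ "$(ldap_directive "$1" ssl)" = start_tls ] ||
                { echo "WEAK: $uri without 'ssl start_tls' talks to 389 in the clear"; rc=1; }
            [ "$(ldap_directive "$1" tls_checkpeer)" = yes ] ||
                { echo "WEAK: tls_checkpeer is not 'yes', server cert goes unverified"; rc=1; }
            [ $rc -eq 0 ] && echo "OK: $uri with start_tls and peer verification" ;;
        *) echo "WEAK: no ldap:// or ldaps:// uri directive"; rc=1 ;;
    esac
    return $rc
}

# OpenLDAP /etc/openldap/ldap.conf: TLS_REQCERT only governs certificate checking
# once TLS is up; with a plain ldap:// URI, ldapsearch still uses cleartext 389
# unless every caller passes -ZZ, so require ldaps:// (TLS_REQCERT defaults to demand).
audit_openldap_conf() {
    uri=$(ldap_directive "$1" URI); req=$(ldap_directive "$1" TLS_REQCERT)
    case "$uri" in
        ldaps://*) ;;
        ldap://*) echo "WEAK: $uri relies on each client passing -ZZ"; return 1 ;;
        *) echo "WEAK: no URI directive"; return 1 ;;
    esac
    case "${req:-demand}" in
        demand|hard) echo "OK: $uri with TLS_REQCERT ${req:-demand}" ;;
        *) echo "WEAK: TLS_REQCERT $req accepts a bad or missing server cert"; return 1 ;;
    esac
}
# Constructed sample files (hostname is made up): a weak pair and a corrected pair.
write_samples() {
    printf 'uri ldap://ldap.example.test\nbase dc=example,dc=test\n' > "$1/weak-nss.conf"
    printf 'uri ldap://ldap.example.test\nssl start_tls\ntls_checkpeer yes\n' > "$1/good-nss.conf"
    printf 'URI ldap://ldap.example.test\nTLS_REQCERT demand\n' > "$1/weak-openldap.conf"
    printf 'URI ldaps://ldap.example.test\nTLS_REQCERT demand\n' > "$1/good-openldap.conf"
}
```

Run `write_samples /tmp/x` and then `audit_nss_ldap_conf /tmp/x/weak-nss.conf` to see the WEAK findings; point the audits at the real files to check a host.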
