SCIENTIFIC-LINUX-USERS Archives

May 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject: (none)
From: Zhi-Wei Lu <[log in to unmask]>
Reply To: Zhi-Wei Lu <[log in to unmask]>
Date: Thu, 22 May 2008 15:45:44 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (67 lines)

Jeffrey D Anderson wrote:
> On Thursday 22 May 2008 11:47:28 am Jeffrey D Anderson wrote:
>> On Thursday 22 May 2008 8:20:22 am you wrote:
>>> On Thu, May 22, 2008 at 03:28:11PM +0100, Faye Gibbins wrote:
>>>> Hi,
>>>>
>>>>  Has anything relating to how ldap uses ssl changed in the last couple
>>>> of days?
>>>>
>>>>  In the last day or so our ldap servers (that are queried through SSL
>>>> and the nss_ldap libs) have stopped working properly.
>>>>
>>>> They do part of the job then die with broken pipe signals (as seen by
>>>> running strace on for example "su").
>>>>
>>>> This has shown up on both 32 and 64 bit SL5.0 boxes.
>>> We're getting this as well since the update this morning to
>>> nss_ldap-253-12.el5.x86_64.
>>>
>>> It looks like libnss_ldap.so.2 is now linked against SELinux.  Is that part
>>> of the problem?
>>>
>>> -jkl
>> I am getting this on SL5.0 and SL5.1.
>>
>> We use LDAP with TLS for authentication for dozens of workstations, and it
>> is totally broken at the moment.
>>
>> I've done a 'yum clean && yum update' to see if Troy's fixed packages from
>> this morning rectify the situation, but still nothing.
>>
>> The symptoms are that users cannot login.  They type their password at KDM
>> or at a text VT, the password apparently is authenticated, but the screen
>> flashes and they are returned to the login screen.
>> Also, I cannot 'su' to any users.  If I try, as root for example,
>> 'su SOMEUSER'  I am just brought back to the root bash prompt.  'whoami'
>> verifies that I am still root, not su'd to SOMEUSER.
>>
>> finger and id both successfully look up the user information, but for some
>> reason su, login, KDM do not successfully log people in.  I've verified
>> this on a number of different boxes.  I've also rebooted the LDAP server
>> without solving the problem.
> 
> Bad form to reply to myself, but I wanted to add that reverting to
> nss_ldap-253-5.el5.i386.rpm cleared up the problem for me, so there is
> definitely some kind of critical bug in the updated nss_ldap.
> 
> 
Jeffrey,

My thread is directly related to this bug: I have to change
ldaps://ldapserver in the /etc/ldap.conf file to

ldap://ldapserver
ssl start_tls
tls_checkpeer yes

and then the ldap query via nss_ldap is working again.

Regards,

-- 
Zhi-Wei Lu
Institute for Data Analysis and Visualization
University of California, Davis
(530) 752-0494

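The workaround in the message above swaps an ldaps:// URI for a plain ldap:// URI plus StartTLS, and it is easy to end up with a config that is no longer encrypted or no longer verifying the server certificate. The script below is an added example, not part of this thread or of nss_ldap; it parses the directives nss_ldap reads from /etc/ldap.conf (assumed keywords: uri, host, ssl, tls_checkpeer) and reports whether the connection is protected. The sample configurations are constructed for illustration, and treating a missing tls_checkpeer as something to flag is a conservative choice made here (nss_ldap otherwise defers to libldap's TLS_REQCERT), not a statement about the package's defaults.

```python
"""Audit the TLS-related settings of a nss_ldap-style /etc/ldap.conf.

Added example (not code from the mailing-list thread or from nss_ldap).
Assumed directive names: uri, host, ssl, tls_checkpeer.
"""
from typing import Dict, List


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return a mapping of lowercase directive -> value.

    ldap.conf is 'keyword value' per line; '#' starts a comment and blank
    lines are ignored. A repeated keyword keeps its last value.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings: Dict[str, str]) -> List[str]:
    """Return findings about transport security; an empty list is clean."""
    findings: List[str] = []
    uris = settings.get("uri", "").split()
    hosts = settings.get("host", "").split()
    ssl_mode = settings.get("ssl", "no").lower()   # nss_ldap: no | on | start_tls
    checkpeer = settings.get("tls_checkpeer")       # None when not set

    uses_ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    uses_starttls = ssl_mode == "start_tls"
    uses_ssl_on = ssl_mode in ("on", "yes")

    if not uris and not hosts:
        findings.append("no 'uri' or 'host' directive: nothing to query")
    if not (uses_ldaps or uses_starttls or uses_ssl_on):
        findings.append("cleartext LDAP: no ldaps:// URI and ssl is not start_tls/on")
    if uses_ldaps and uses_starttls:
        # StartTLS on a socket that is already TLS is rejected by slapd
        # ("TLS already started"); pick one transport mode.
        findings.append("conflicting: ldaps:// URI together with 'ssl start_tls'")
    if checkpeer is None:
        # Assumption made here: flag the omission so the verification policy
        # is explicit rather than inherited from libldap's TLS_REQCERT.
        findings.append("tls_checkpeer not set: certificate verification left to libldap defaults")
    elif checkpeer.lower() in ("no", "false", "off"):
        findings.append("tls_checkpeer is off: server certificate is not verified")
    return findings


# Constructed sample configurations (hostname 'ldapserver' is from the thread).
CONF_BEFORE = "uri ldaps://ldapserver\nbase dc=example,dc=com\n"
CONF_AFTER = ("uri ldap://ldapserver\n"
              "ssl start_tls\n"
              "tls_checkpeer yes\n"
              "base dc=example,dc=com\n")
CONF_WEAK = "uri ldap://ldapserver\nssl start_tls\ntls_checkpeer no\n"
CONF_PLAIN = "uri ldap://ldapserver   # forgot the ssl line\n"


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse and audit a config file's contents."""
    return audit_tls(parse_ldap_conf(text))


if __name__ == "__main__":
    for name, conf in [("before", CONF_BEFORE), ("after", CONF_AFTER),
                       ("weak", CONF_WEAK), ("plain", CONF_PLAIN)]:
        print(name, "->", audit_text(conf) or ["ok"])
```

Run it against a real file with `audit_text(open("/etc/ldap.conf").read())`; the "after" configuration from the message (ldap:// URI, `ssl start_tls`, `tls_checkpeer yes`) is the one that produces no findings.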