Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04)
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Martin Wegner <public [at] mroot.net>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04)
- Date: Thu, 05 May 2011 22:24:47 +0200
On Wed, 2011-05-04 at 19:04 +0200, Martin Wegner wrote:
> But unfortunately, nslcd is not able to query the server with the above
> config.
> We were able to trace this down to one option - namely tls_reqcert. If
> we set it to 'never', the querying of the LDAP server via nslcd and the
> according pam and nss modules work.
> We also tried newer versions of nslcd - 0.7.13 and 0.8.2 - but they gave
> the same results.
> A $ getent passwd fails with tls_reqcert set to demand. As soon as we
> change that option to never, LDAP querying works fine.
>
> I pasted a log of a running nslcd v. 0.7.13 with the -d flag while it
> fails to query the LDAP server under [1].
Indeed, it seems that nslcd has some issues with connecting to the
server using SSL. One way to investigate this further is by passing more -d
options to nslcd. The only problem with that is that the OpenLDAP
libraries don't expose much debugging information from the SSL library
in use.
Another way to debug this would be to try to connect with the ldapsearch
command to see if that works correctly.
You could also try other values for tls_reqcert and increase the
validation from never, allow, try to demand and see where it fails.
As a last resort you could try to use strace to debug this (note that
you have to be careful posting the output of strace online because it
could expose the key material). It could show problems it has opening
files and connections.
I did notice that you are using ldaps://, which is considered deprecated
by the OpenLDAP people. Can you try with ldap:// and start_tls (if the
server supports it)?
Thanks.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
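The narrowing procedure suggested in the reply above (try ldapsearch instead of nslcd, and step tls_reqcert up from never to demand until it breaks), scripted as an added example; this is not code from the thread or from nss-pam-ldapd. It assumes the OpenLDAP client tools are installed and relies on ldapsearch honouring the same setting through the LDAPTLS_REQCERT environment variable; the URI and base DN are supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original thread or of nss-pam-ldapd.
# Walks the certificate-verification ladder never -> allow -> try -> demand
# with ldapsearch, which reads the level from LDAPTLS_REQCERT, so the failing
# level can be found without involving nslcd, pam or nss at all.

# probe_level URI BASE LEVEL
# Succeeds (exit 0) if an anonymous base-object search works at LEVEL.
# For ldap:// URIs StartTLS is required (-ZZ fails if TLS cannot be
# negotiated), matching the reply's advice to prefer ldap:// + start_tls
# over the deprecated ldaps://.
probe_level() {
    uri=$1; base=$2; level=$3
    if [ "${uri#ldaps://}" = "$uri" ]; then
        tls_flag="-ZZ"        # plain ldap://: upgrade with StartTLS
    else
        tls_flag=""           # ldaps://: TLS is implicit in the scheme
    fi
    LDAPTLS_REQCERT="$level" ldapsearch -x -H "$uri" -b "$base" -s base \
        $tls_flag -LLL '(objectClass=*)' dn >/dev/null 2>&1
}

# first_failing_level URI BASE
# Prints the least strict tls_reqcert level at which the search fails,
# or "none" when even 'demand' succeeds. A result of "demand" with
# "try" passing points at the CA file / hostname check rather than at
# the TLS handshake itself, since 'try' already negotiates TLS.
first_failing_level() {
    for level in never allow try demand; do
        if ! probe_level "$1" "$2" "$level"; then
            echo "$level"
            return 0
        fi
    done
    echo none
}

# Stand-alone use: ./probe.sh ldap://ldap.example.com dc=example,dc=com
if [ $# -ge 2 ]; then
    first_failing_level "$1" "$2"
fi
```

Run it as the same user nslcd runs as, so that permission problems on the CA file (the kind of thing strace would also reveal) show up in the result.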