misleading or incomplete error message when using starttls and certificate is expired

Hi,

I was having a problem with my LDAP using nslcd on clients, and the
error was very misleading and unhelpful. I would like to suggest that
you improve it:

Here is what the output said:

# nslcd -d
nslcd: DEBUG: add_uri(ldap://auth.bc.local/)
nslcd: DEBUG: add_uri(ldap://auth2.bc.local/)
nslcd: DEBUG: add_uri(ldap://auth3.bc.local/)
nslcd: DEBUG:
ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/auth.bc.local_cacert.pem")
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,2)
nslcd: version 0.8.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No
such file or directory
nslcd: DEBUG: initgroups("nslcd",112) done
nslcd: DEBUG: setgid(112) done
nslcd: DEBUG: setuid(106) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=26233 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
myldap_search(base="dc=bc,dc=local",
filter="(&(objectClass=posixAccount)(uid=hadoop))")
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_initialize(ldap://auth.bc.local/)
nslcd: [8b4567] <group/member="hadoop"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="hadoop"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <group/member="hadoop"> ldap_start_tls_s() failed
(uri=ldap://auth.bc.local/): Connect error: (unknown error code): No
such file or directory
nslcd: [8b4567] <group/member="hadoop"> failed to bind to LDAP server
ldap://auth.bc.local/: Connect error: (unknown error code): No such file
or directory
nslcd: [8b4567] <group/member="hadoop"> DEBUG: ldap_unbind()
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_initialize(ldap://auth2.bc.local/)
nslcd: [8b4567] <group/member="hadoop"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="hadoop"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="hadoop"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <group/member="hadoop"> ldap_start_tls_s() failed
(uri=ldap://auth2.bc.local/): Connect error: (unknown error code)
nslcd: [8b4567] <group/member="hadoop"> failed to bind to LDAP server
ldap://auth2.bc.local/: Connect error: (unknown error code)


But that doesn't really say the cause of the problem. It looks like a
connection issue rather than a TLS negotiation or certificate problem.
And "No such file or directory" is especially misleading. And tcpdump
shows a connection and lots of traffic. But it is simply that the
certificate expired a day ago. Replacing the certificate with a new one
solved the issue. (Also there were 2 machines out of 95 that still
worked normally even though they had the same certificate and correct
clocks ... which I can't explain [and also mysteriously 2/3 of my
LDAP+replication servers also worked as clients, but they don't use nslcd].)


Thanks,
Peter

-- 

--------------------------------------------
Peter Maloney
Brockmann Consult
Max-Planck-Str. 2
21502 Geesthacht
Germany
Tel: +49 4152 889 300
Fax: +49 4152 889 333
E-mail: peter.maloney@brockmann-consult.de
Internet: http://www.brockmann-consult.de
--------------------------------------------

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
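The report above shows nslcd collapsing an expired server certificate into "Connect error: (unknown error code)". The following added diagnostic (example code, not part of nslcd or nss-pam-ldapd) speaks the LDAPv3 StartTLS extended operation by hand and then performs the same CA-verified handshake nslcd does, but surfaces OpenSSL's verify reason ("certificate has expired") so the real cause is visible. The host name and CA path in the `__main__` block are taken from the report and are assumptions for illustration.

```python
"""Added diagnostic (not nslcd code): do LDAPv3 StartTLS by hand, then run the
same CA-verified TLS handshake nslcd does, but report OpenSSL's verify reason
(e.g. "certificate has expired") instead of a generic "Connect error"."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    Every element is < 128 bytes, so BER short-form lengths suffice."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    ext = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext
    return b"\x30" + bytes([len(body)]) + body


def starttls_result_code(resp):
    """resultCode of an ExtendedResponse [APPLICATION 24], or None if malformed.
    Assumes a one-byte messageID and short-form lengths (true for StartTLS replies)."""
    ok = (len(resp) >= 10 and resp[0] == 0x30 and resp[2:4] == b"\x02\x01"
          and resp[5] == 0x78 and resp[7:9] == b"\x0a\x01")
    return resp[9] if ok else None


def probe(host, cafile, port=389, timeout=5):
    """Connect, StartTLS, verify like nslcd (tls_reqcert demand) and return a verdict."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code = starttls_result_code(sock.recv(4096))
        if code != 0:
            return "server refused StartTLS (resultCode %r)" % code
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "OK: certificate expires %s" % tls.getpeercert()["notAfter"]
        except ssl.SSLCertVerificationError as e:
            # verify_code 10 == X509_V_ERR_CERT_HAS_EXPIRED: the cause nslcd did not name
            return "certificate rejected: %s (verify_code %d)" % (e.verify_message, e.verify_code)


if __name__ == "__main__":
    # host and CA path are the ones from the report above (assumed for illustration)
    print(probe("auth.bc.local", "/etc/ssl/certs/auth.bc.local_cacert.pem"))
```

Run it from a client that shows the "Connect error" and the verdict line names the verification failure directly; a healthy server prints its notAfter so an approaching expiry can be spotted before nslcd starts failing.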