Re: misleading or incomplete error message when using starttls and certificate is expired



On Thu, 2015-05-28 at 12:42 +0200, Peter Maloney wrote:
> I was having a problem with my ldap using nslcd on clients, and the
> error was very misleading and unhelpful. I would like to suggest that
> you improve it:
>
> Here is what the output said:
[...]
> nslcd: [8b4567] <group/member="hadoop"> ldap_start_tls_s() failed 
> (uri=ldap://auth.bc.local/): Connect error: (unknown error code): No such 
> file or directory
> nslcd: [8b4567] <group/member="hadoop"> failed to bind to LDAP server 
> ldap://auth.bc.local/: Connect error: (unknown error code): No such file or 
> directory
[...]
> 
> But that doesn't really say the cause of the problem. It looks like a
> connection issue rather than a tls negotiation or certificate problem.
> And "No such file or directory" is especially misleading.

It is pretty difficult to get meaningful TLS errors through the OpenLDAP
library. This also depends on the implementation of the SSL library
libldap is linked against (e.g. OpenSSL, GnuTLS or NSS).

In this case the (unknown error code) is the part that usually contains
the additional information that in some cases can contain TLS errors.
The first part (Connect error) is the LDAP error and the last bit is
probably because an attempt to open a certain file failed at some point
(perhaps some certificate file was tried to open).

If anyone can provide patches that provide more detailed error
information, I'd be happy to merge them.

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
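The reply above reads the nslcd message as three pieces: the LDAP result ("Connect error"), the library diagnostic in parentheses ("(unknown error code)" when libldap had nothing more to say), and a trailing C-library errno text ("No such file or directory"). The following script is an added example, not code from nslcd or from the thread: it splits lines of that shape into those three components and gives a rough triage, so that a "No such file or directory" tail is reported as a file-open failure rather than a network problem. The line format is assumed from the two quoted log lines; the third sample line, with a TLS diagnostic and no errno tail, is constructed to show the variation.

```python
import re

# Constructed sample log lines. The first two are the lines quoted in the
# thread, rejoined after mail wrapping; the third is invented to show a
# diagnostic that does carry TLS information and omits the errno tail.
SAMPLE_LOG = """\
nslcd: [8b4567] <group/member="hadoop"> ldap_start_tls_s() failed (uri=ldap://auth.bc.local/): Connect error: (unknown error code): No such file or directory
nslcd: [8b4567] <group/member="hadoop"> failed to bind to LDAP server ldap://auth.bc.local/: Connect error: (unknown error code): No such file or directory
nslcd: [1a2b3c] <passwd="alice"> ldap_start_tls_s() failed (uri=ldap://auth.bc.local/): Connect error: (TLS: hostname does not match CN in peer certificate)
"""

# Assumed line shape (derived from the quoted output, not from nslcd's source):
#   nslcd: [<request id>] <<lookup>> <operation>: <LDAP error>: (<diagnostic>)[: <errno text>]
LINE_RE = re.compile(
    r"^nslcd: \[(?P<request>[0-9a-f]+)\] <(?P<lookup>[^>]*)> "
    r"(?:ldap_start_tls_s\(\) failed \(uri=(?P<tls_uri>[^)]*)\)"
    r"|failed to bind to LDAP server (?P<bind_uri>\S+?)): "
    r"(?P<ldap_error>[^:]+): \((?P<diagnostic>[^)]*)\)"
    r"(?:: (?P<system_error>.*))?$"
)


def parse_nslcd_line(line):
    """Split one nslcd error line into its components, or return None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "request": m.group("request"),
        "lookup": m.group("lookup"),
        "operation": "start_tls" if m.group("tls_uri") is not None else "bind",
        "uri": m.group("tls_uri") or m.group("bind_uri"),
        "ldap_error": m.group("ldap_error"),      # ldap_err2string() result
        "diagnostic": m.group("diagnostic"),      # library diagnostic, if any
        "system_error": m.group("system_error"),  # strerror(errno) text, if present
    }


def classify(rec):
    """Rough triage following the reading given in the reply above."""
    diag = rec["diagnostic"]
    sys_err = rec["system_error"] or ""
    if diag != "unknown error code" and ("TLS" in diag or "certificate" in diag.lower()):
        return "tls"           # the diagnostic itself names a TLS problem
    if sys_err == "No such file or directory":
        return "missing-file"  # errno ENOENT: some file (e.g. a certificate) could not be opened
    if rec["ldap_error"] == "Connect error":
        return "connect"       # only the generic LDAP result is available
    return "unknown"


def triage(log_text):
    """Return (request, operation, uri, class) for every parsable line."""
    out = []
    for line in log_text.splitlines():
        rec = parse_nslcd_line(line)
        if rec:
            out.append((rec["request"], rec["operation"], rec["uri"], classify(rec)))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```

The triage is deliberately conservative: it only labels a line "tls" when the parenthesised diagnostic actually says so, since, as the reply notes, whether that field carries anything useful depends on the SSL library libldap was built against.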