lists.arthurdejong.org

[nssldap] Possible bug in nss_ldap v253 using SSL ?




This is happening on a new CentOS 5 machine, with the "nss_ldap-253-3" package. In summary, it appears nss_ldap is both not automatically using the correct port when configured with 'ssl on' *AND* ignoring the 'port' directive in /etc/ldap.conf when it is specified directly.


If I try 'getent passwd' with:
host pdc01.nighthawkrad.net
ssl on

It doesn't work. Further, tcpdump shows the machine trying to contact my AD server on port 389 - LDAP w/o SSL.

(This configuration works fine with CentOS 4.4 and its "nss_ldap-226-17", I have several machines using it.)


If I try 'getent passwd' with:
host pdc01.nighthawkrad.net
ssl on
port 636

It still doesn't work and tcpdump also shows the machine trying to contact the AD server via port 389.


Finally, if I try 'getent passwd' with:
uri ldaps://an.ad.server/
ssl on

It works as expected (i.e. I get a list of user account details). Tcpdump shows port 636 being used, as it should be.

--
Christopher Smith

Systems Administrator
Nighthawk Radiology Services
Level 11, Suite 1101
Grosvenor Place
225 George Street
Sydney NSW 2000
Australia

T:  612 - 8211 2300 (IP: x8163)
F:  612 - 8211 2333
M:  61  - 407 397 563
USA Toll free:  866 241 6635
E: csmith@nighthawkrad.net
I: www.nighthawkrad.net

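Added example, not part of the original post and not nss_ldap code: a small audit of an ldap.conf that flags the pattern reported above, where 'ssl on' depends on 'host' or 'port' instead of an explicit ldaps:// URI and the lookup may go out on port 389. The finding names and the function names are made up for this sketch, and it assumes whitespace-separated directives with '#' comment lines.

```python
# Added example: audit an nss_ldap-style ldap.conf for 'ssl on' setups that
# do not pin LDAPS through the URI. Finding names are hypothetical labels.

def parse_ldap_conf(text):
    """Return {directive: [value, ...]}; blank and '#' comment lines are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit(text):
    """Return a list of findings for configurations that use 'ssl on'."""
    conf = parse_ldap_conf(text)
    ssl_mode = (conf.get("ssl") or ["off"])[-1].lower()
    if ssl_mode != "on":
        return []  # this check only covers 'ssl on'
    uris = [u for value in conf.get("uri", []) for u in value.split()]
    findings = []
    if not uris:
        # Only host (and maybe port) selects the endpoint: the case that the
        # post saw connect on 389 with nss_ldap 253.
        findings.append("SSL_ON_WITHOUT_LDAPS_URI")
        if "port" in conf:
            findings.append("PORT_DIRECTIVE_RELIED_ON")
    else:
        for uri in uris:
            if not uri.lower().startswith("ldaps://"):
                findings.append("NON_LDAPS_URI:" + uri)
    return findings


# The three configurations from the post, retyped here as sample input.
POST_CONFIGS = {
    "host_only": "host pdc01.nighthawkrad.net\nssl on\n",
    "host_and_port": "host pdc01.nighthawkrad.net\nssl on\nport 636\n",
    "ldaps_uri": "uri ldaps://an.ad.server/\nssl on\n",
}

if __name__ == "__main__":
    for name, text in POST_CONFIGS.items():
        print(name, audit(text) or "ok")
```

A clean result only says the file asks for LDAPS; a packet capture on ports 389 and 636, as done in the post, is still what confirms which port the client actually uses.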