
[nssldap] ldapsearch works - nss_ldap does not - but only when tls/ssl is enabled

Hi,

This is rather peculiar and, as this is my first post to this list, I
apologise if it is a little long. I am not sure if attachments are allowed
on the list so I will just put the plain text of the appropriate details in
the body, and if any more information is needed (if anyone has *any* idea
what is going on) I can reply with more...

I am attempting to authenticate the Solaris/Linux boxes against AD -
authorization is by Kerberos (which works) and account info is by LDAP
lookup. It is a Windows 2003 R2 server using the native (not SFU) POSIX
attributes in the schema.

If I use an unencrypted connection both work fine - however I have
concerns about the ldap user/pass for binding passing over the network
in plain text.

If I enable TLS or SSL encryption (explicitly set or via the uri
ldaps://...) then ldapsearch still works fine, but if I use getent passwd
it hangs indefinitely after showing the user info until I press ^C -
obviously this does not help much to log in!

This is being tested on a fully up to date Ubuntu Feisty Fawn box.

The bind password is in the ldap.secret file... note that I have used
the same ldap.conf with openldap and nss_ldap as I heard that unknown
configuration items should be skipped - as I mentioned it works fine
unencrypted.

The AD CA certificate is hashed and linked to the hash properly with
openssl and an openssl -verify returns ok.

ldapsearch query:

ldapsearch -Hldaps://<domain controller> -x -W -b "<ldap base>" -s sub
-D <bind dn> -LLL "(&(objectCategory=user)(uidnumber=*))" cn
unixHomeDirectory member uidnumber gidnumber

ldap.conf:

TLS_CACERT /etc/ssl/certs/AD_CA_CERT.pem
tls_cacertfile /etc/ssl/certs/AD_CA_CERT.pem
uri ldap://<domain controller>
ldap_version 3
base <base>
rootbinddn <bind dn>
scope sub
referrals no
nss_base_passwd <base>?sub?&(objectCategory=user)(uidnumber=*)
nss_base_shadow <base>?sub?&(objectCategory=user)(uidnumber=*)
nss_base_group <base>?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member

An strace on getent passwd reveals the following (note I am only
including the end with our users redacted) - the <unfinished> is where I
have had to do ^C...

time(NULL)                              = 1179313831
gettimeofday({1179313831, 154974}, NULL) = 0
getrusage(RUSAGE_SELF, {ru_utime={0, 16001}, ru_stime={0, 8000}, ...}) =
0
time(NULL)                              = 1179313831
times({tms_utime=1, tms_stime=0, tms_cutime=0, tms_cstime=0}) =
1718258974
gettimeofday({1179313831, 155129}, NULL) = 0
getrusage(RUSAGE_SELF, {ru_utime={0, 16001}, ru_stime={0, 8000}, ...}) =
0
time(NULL)                              = 1179313831
times({tms_utime=1, tms_stime=0, tms_cutime=0, tms_cstime=0}) =
1718258974
write(4, "\27\3\1\1\5\374\212\344\2333\203\235$\306\320\303!v\322"...,
266) = 266
time(NULL)                              = 1179313831
select(1024, [4], [], NULL, NULL)       = 1 (in [4])
read(4, "\27\3\1\7K", 5)                = 5
read(4, "\24\372@\371BTk\246_\226\340\24P\214\224}\214\365\344J"...,
1867) = 1867
gettimeofday({1179313831, 156452}, NULL) = 0
getrusage(RUSAGE_SELF, {ru_utime={0, 16001}, ru_stime={0, 8000}, ...}) =
0
time(NULL)                              = 1179313831
times({tms_utime=1, tms_stime=0, tms_cutime=0, tms_cstime=0}) =
1718258974
gettimeofday({1179313831, 156781}, NULL) = 0
getrusage(RUSAGE_SELF, {ru_utime={0, 16001}, ru_stime={0, 8000}, ...}) =
0
time(NULL)                              = 1179313831
times({tms_utime=1, tms_stime=0, tms_cutime=0, tms_cstime=0}) =
1718258975
time(NULL)                              = 1179313831
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
write(1, "<username>:*:<uid>:<gid>:<full name>"..., 62) = 62
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
time(NULL)                              = 1179313831
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
write(1, "<username>:*:<uid>:<gid>:<full name>"..., 64) = 64
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
time(NULL)                              = 1179313831
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
write(1, "<username>:*:<uid>:<gid>:<full name>"..., 68) = 68
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
time(NULL)                              = 1179313831
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
write(1, "<username>:*:<uid>:<gid>:<full name>"..., 55) = 55
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
time(NULL)                              = 1179313831
select(1024, [4], [], NULL, NULL <unfinished ...>

And there you have it - if anyone can shed any light on this I would
greatly appreciate it - I did search the archives but found nothing
specific.

regards,

James

Sent by James Hogarth on Wed 16/May/2007 at 13:22:18
--------------------------------------------------------
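The post's security concern is the bind password crossing the network in the clear. As an added example (not code from nss_ldap or from the poster), the linter below reads an nss_ldap-style ldap.conf and reports whether the rootbinddn credential would travel unencrypted or to an unverified server; it assumes the nss_ldap directives uri, ssl (on | start_tls), tls_checkpeer, tls_cacertfile and tls_cacertdir, and the host names and DNs in the sample configs are constructed placeholders.

```python
"""Check an nss_ldap ldap.conf for a plaintext ldap:// transport without
STARTTLS and for a TLS setup that cannot verify the server.

Added example for this thread, not code from nss_ldap or the poster.
Assumed nss_ldap directives: uri, ssl (on | start_tls), tls_checkpeer,
tls_cacertfile, tls_cacertdir.  Host/DN values are constructed."""
from urllib.parse import urlsplit

# Modelled on the posted config: ldap:// uri, CA file given twice
# (TLS_CACERT is an OpenLDAP client directive, tls_cacertfile is nss_ldap's).
POSTED_CONF = """\
TLS_CACERT /etc/ssl/certs/AD_CA_CERT.pem
tls_cacertfile /etc/ssl/certs/AD_CA_CERT.pem
uri ldap://dc1.example.invalid
ldap_version 3
rootbinddn cn=nssbind,ou=svc,dc=example,dc=invalid
"""

# Hardened variant: LDAPS transport and explicit peer verification.
HARDENED_CONF = """\
tls_cacertfile /etc/ssl/certs/AD_CA_CERT.pem
tls_checkpeer yes
uri ldaps://dc1.example.invalid
ldap_version 3
rootbinddn cn=nssbind,ou=svc,dc=example,dc=invalid
"""

def parse_ldap_conf(text):
    """Map lower-cased directive -> value; blank lines and # comments skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_bind_transport(conf):
    """Return findings; empty means the bind goes over TLS to a verified server."""
    findings = []
    ssl_mode = conf.get("ssl", "").lower()
    plain = [u for u in conf.get("uri", "").split()
             if urlsplit(u).scheme == "ldap"]
    if plain and ssl_mode != "start_tls":
        findings.append("ldap:// uri without 'ssl start_tls': bind password sent in clear")
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: server certificate is not verified")
    if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("no tls_cacertfile/tls_cacertdir: no CA to verify the AD cert")
    return findings
```

Run lint_bind_transport(parse_ldap_conf(open("/etc/ldap.conf").read())) on a real host to get the same findings for its own file.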