[nssldap] NSS_Ldap fails only the first time with "server is unavailable"

Hey,

I've just finished setting up an OpenLDAP install for client machines to auth against using pam_ldap and nss_ldap. As soon as I enabled TLS this weird problem popped up: whenever I try to log in remotely, the first auth attempt will kick me out. If I enter an incorrect password, followed by the correct one, then I'm able to log in successfully.

If I disable TLS, then it works fine. I'm using self-signed certificates. Anyone have any ideas?

I'm also using the LPK openssh patches to allow for public keys to be stored in the ldap directory, this works fine on the first attempt.

Thanks,
Nathan

Trying to log in:
nathan-desktop ~ $ ssh nmarch@test64
Password:  <correct password here>
Connection to test64 closed.
nathan-desktop ~ $ ssh nmarch@test64
Password:  <incorrect password>
Password:  <correct password>
TLS certificate verification: Error, self signed certificate
TLS: unable to get peer certificate.
Last login: Wed Jul  9 16:35:20 2008 from office
test64 root #

From the logs for a single failed attempt:
2008-07-10T09:08:14.648288-07:00 test64 sshd(pam_unix)[19042]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:14.664494-07:00 test64 sshd[19038]: Accepted keyboard-interactive/pam for nmarch from x.x.x.x port 60585 ssh2
2008-07-10T09:08:14.674388-07:00 test64 sshd[19043]: nss_ldap: could not search LDAP server - Server is unavailable
2008-07-10T09:08:14.674404-07:00 test64 sshd[19043]: fatal: login_init_entry: Cannot find user "nmarch"
2008-07-10T09:08:14.680249-07:00 test64 sshd[19038]: syslogin_perform_logout: logout() returned an error

Successful (after 1 failed):
2008-07-10T09:08:26.367618-07:00 test64 sshd(pam_unix)[19049]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:26.373739-07:00 test64 sshd[19049]: pam_ldap: error trying to bind as user "uid=nmarch,ou=People,dc=gossamer,dc=com" (Invalid credentials)
2008-07-10T09:08:28.733553-07:00 test64 sshd[19045]: error: PAM: Authentication failure for nmarch from office
2008-07-10T09:08:28.761175-07:00 test64 sshd[19050]: nss_ldap: could not search LDAP server - Server is unavailable
2008-07-10T09:08:30.224078-07:00 test64 sshd(pam_unix)[19050]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:30.248725-07:00 test64 sshd[19045]: Accepted keyboard-interactive/pam for nmarch from x.x.x.x port 60586 ssh2
2008-07-10T09:08:30.271529-07:00 test64 sshd(pam_unix)[19051]: session opened for user nmarch by nmarch(uid=0)

ldap client's /etc/ldap.conf:
suffix "dc=gossamer,dc=com"
binddn dc=gossamer,dc=com
bindpw <bindpw>
uri ldap://ldap/
pam_password exop
ldap_version 3
bind_policy soft
nss_reconnect_tries 3
pam_check_host_attr yes
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=gossamer,dc=com
nss_base_shadow ou=People,dc=gossamer,dc=com
nss_base_group  ou=Group,dc=gossamer,dc=com
nss_base_hosts  ou=Hosts,dc=gossamer,dc=com
scope sub
ssl on
ssl start_tls
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT never
debug 256

ldap client's /etc/openldap/ldap.conf:
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT allow
BASE    dc=gossamer,dc=com
URI    ldap://ldap


TLS related lines from ldap server's slapd.conf (I've tried turning off all ACL's with no effect):
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLSVerifyClient never
security ssf=1 update_ssf=112
require authc
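Added example (editor's code, not part of Nathan's post or of nss_ldap): a small correlator that reads sshd/nss_ldap syslog lines and, for every login PAM accepted, reports whether a session was opened or the connection was dropped because the post-authentication NSS lookup of the user failed. The sample log is constructed from the lines quoted above; the timestamp format (ISO-8601 with offset, as in the post) and the five-second correlation window are assumptions.

```python
"""Correlate sshd / nss_ldap syslog lines: which PAM-accepted logins died
because getpwnam() via nss_ldap failed right after authentication?"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the lines quoted in the post, one event per line.
SAMPLE_LOG = """
2008-07-10T09:08:14.648288-07:00 test64 sshd(pam_unix)[19042]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:14.664494-07:00 test64 sshd[19038]: Accepted keyboard-interactive/pam for nmarch from x.x.x.x port 60585 ssh2
2008-07-10T09:08:14.674388-07:00 test64 sshd[19043]: nss_ldap: could not search LDAP server - Server is unavailable
2008-07-10T09:08:14.674404-07:00 test64 sshd[19043]: fatal: login_init_entry: Cannot find user "nmarch"
2008-07-10T09:08:14.680249-07:00 test64 sshd[19038]: syslogin_perform_logout: logout() returned an error
2008-07-10T09:08:26.367618-07:00 test64 sshd(pam_unix)[19049]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:26.373739-07:00 test64 sshd[19049]: pam_ldap: error trying to bind as user "uid=nmarch,ou=People,dc=gossamer,dc=com" (Invalid credentials)
2008-07-10T09:08:28.733553-07:00 test64 sshd[19045]: error: PAM: Authentication failure for nmarch from office
2008-07-10T09:08:28.761175-07:00 test64 sshd[19050]: nss_ldap: could not search LDAP server - Server is unavailable
2008-07-10T09:08:30.224078-07:00 test64 sshd(pam_unix)[19050]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=office user=nmarch
2008-07-10T09:08:30.248725-07:00 test64 sshd[19045]: Accepted keyboard-interactive/pam for nmarch from x.x.x.x port 60586 ssh2
2008-07-10T09:08:30.271529-07:00 test64 sshd(pam_unix)[19051]: session opened for user nmarch by nmarch(uid=0)
"""

# "<ts> <host> <prog>[<pid>]: <msg>"; prog may be "sshd(pam_unix)".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
NSS_FAIL_RE = re.compile(r"^nss_ldap: could not search LDAP server - (?P<reason>.+)$")
NO_USER_RE = re.compile(r'^fatal: login_init_entry: Cannot find user "(?P<user>[^"]+)"')
SESSION_RE = re.compile(r"^session opened for user (?P<user>\S+) ")


def parse_log(text):
    """Parse syslog lines into event dicts (ts, host, prog, pid, msg).
    Lines that do not fit the expected shape are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])  # assumed ISO-8601 + offset
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def correlate_logins(events, window=timedelta(seconds=5)):
    """For each 'Accepted ... for <user>' event, scan forward (within the
    window) for the first decisive follow-up for that user:
      - 'fatal: login_init_entry: Cannot find user' -> kicked_after_auth
      - 'session opened for user'                   -> session_opened
    and remember any nss_ldap search error seen in between."""
    results = []
    for i, ev in enumerate(events):
        acc = ACCEPTED_RE.match(ev["msg"])
        if not acc:
            continue
        user = acc.group("user")
        outcome, nss_reason = "unknown", None
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            nss = NSS_FAIL_RE.match(later["msg"])
            if nss:
                nss_reason = nss.group("reason")
                continue
            nouser = NO_USER_RE.match(later["msg"])
            if nouser and nouser.group("user") == user:
                outcome = "kicked_after_auth"
                break
            sess = SESSION_RE.match(later["msg"])
            if sess and sess.group("user") == user:
                outcome = "session_opened"
                break
        results.append({"ts": ev["ts"], "user": user, "src": acc.group("src"),
                        "port": int(acc.group("port")), "outcome": outcome,
                        "nss_reason": nss_reason})
    return results


def nss_failure_counts(events):
    """Count nss_ldap search failures by the reason text the module logged."""
    return Counter(m.group("reason")
                   for m in (NSS_FAIL_RE.match(e["msg"]) for e in events) if m)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for r in correlate_logins(evs):
        print(f"{r['ts'].isoformat()} {r['user']}@{r['src']}:{r['port']} "
              f"-> {r['outcome']} (nss_ldap: {r['nss_reason']})")
    print("nss_ldap failures:", dict(nss_failure_counts(evs)))
```

Run against the sample, the first accepted login comes out as kicked_after_auth with nss_ldap reporting "Server is unavailable" between the accept and the fatal, while the second comes out as session_opened with no nss_ldap error after the accept. That is the distinction worth checking in real logs before touching the TLS settings: the password was accepted both times, and only the subsequent user lookup by sshd's child process failed.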