[nssldap] Looking for support on nss_ldap issue

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: nssldap [at] evilbrain.com
To: nssldap [at] padl.com
Subject: [nssldap] Looking for support on nss_ldap issue
Date: Fri, 13 Nov 2009 16:18:29 -0500 (EST)

Hello,

I use nss_ldap with CentOS 5.x, and the problem that I'm seeing is thatnss_ldap doesn't handle a failure of a server to handshake after STARTTLSproperly. Assuch, it just hangs, causing an inability to authenticate with and gainaccess to the host using any user in the LDAP base.


This is the ldap.conf file that I have now:
uri                     ldap://ldaphost1 ldap://ldaphost2
base                    dc=example,dc=com
pam_filter              objectclass=posixAccount
pam_login_attribute     uid
pam_member_attribute    memberUid
pam_password            md5
ssl                     start_tls
tls_cacertdir           /etc/openldap/cacerts
tls_cacertfile          /etc/openldap/cacerts/cacert.pem
tls_reqcert             demand
bind_timelimit          5
nss_initgroups_ignoreusers root,ldap,named
bind_policy  soft

If slapd on ldaphost1 has "kill -SIGSTOP" invoked against it, a conditionthat simulates other possible conditions where the server opens a TCPconnection but then doesn't have a conversation, the client hangs.

I have modified a perl script that someone else has written to handle asimilar failure condition to handle this condition that may also directlyrelate to how LDAP over TLS works , but it is most definitely a kludgyworkaround and something that I don't want to deploy across hundreds ofservers.

The host acting as test case is using nss_ldap-253-5.el5 provided withCentOS 5.x.

I already looked this issue up and found that someone was having a similarproblem with CentOS 4.x and they resolved it by using host and portparameters instead of uri. There are two problems with that.

1. I believe that host and port are deprecated parameters, please correctme if I'm wrong.

2. I actually tried that and found that I had a similar problem wherethere was something of a conversation, but it dropped somewhere becausesshd dropped right after password entry, as if the conversation wasdisrupted somehow.


Any advice would be greatly appreciated, thanks!

[nssldap] Looking for support on nss_ldap issue, nssldap

Re: [nssldap] Looking for support on nss_ldap issue, nssldap
- Re: [nssldap] Looking for support on nss_ldap issue, Douglas E. Engert
  - Re: [nssldap] Looking for support on nss_ldap issue, nssldap
    - Re: [nssldap] Looking for support on nss_ldap issue, Douglas E. Engert

Prev by Date: Re: [nssldap] nss ldap under RHEL 5 does first connects configured ldap server and than does dns lookup and tries to connect random ldap servers
Next by Date: Re: [nssldap] Looking for support on nss_ldap issue
Previous by thread: Re: [nssldap] nss ldap under RHEL 5 does first connects configured ldap server and than does dns lookup and tries to connect random ldap servers
Next by thread: Re: [nssldap] Looking for support on nss_ldap issue