conflicts between slapd and nsswitch (SSL not working)
francesco.gringoli at ing.unibs.it
Tue Apr 27 07:10:49 PDT 2004
On Apr 27, 2004, at 3:19 PM, Oliver Eikemeier wrote:
> Francesco Gringoli wrote:
>> Packages: openldap2(0,1)-server, nss-ldap
>> Hi all,
>> If slapd is configured to run as a user different from root (default)
>> and nsswitch is configured to search first in files and then in ldap,
>> and the ldap server specified for nsswitch is different from this one,
>> when slapd starts its SSL engine seems down:
>> although slapd binds on port 636, traffic on this
>> port is not SSL (try with openssl s_client and see
>> that no certificate is returned during the handshake;
>> really there is no handshake at all).
>> Note: slapd starts normally as the user specified in slapd.conf,
>> it is possible to do searches inside the ldap db,
>> nss-ldap is ok and userid and gid are those defined in the ldap db,
>> but the SSL engine is off.
>> Note: if the ldap server specified for nsswitch is the same, a time-out
>> occurs, since slapd calls getpwnam and the ldap module
>> cannot obtain anything. In this case the SSL engine is OK.
> What do you mean by `different' and `same' specified server?
> Also, some more information would be useful, like
> uname -a
> ldd /usr/local/libexec/slapd
> ps auxwww | grep slapd
> cat /usr/local/etc/openldap/slapd.conf
> cat /usr/local/etc/nss_ldap.conf
OK, let's see the configuration (first, note that the same configuration
is ok on linux, so the problem could be in the nss architecture of FreeBSD).
Case A: a system alone
-configured for "files ldap"
-ldap module fetching infos from 127.0.0.1
-configured to bind both 389 and SSL on 636
-configured to run as user "slapd"
If slapd is started it waits until the time out because it tries to get
infos for the "slapd" user from the system, and the system tries to fetch them
from slapd, but at this time slapd is not ready for queries (this could
lead to a deadlock, but I noticed this timeout-like behavior). After the
timeout slapd starts and the SSL engine is OK.
Case B: the FreeBSD box and another box with slapd already running
-configured for "files ldap"
-ldap module fetching infos from ldap://another.host.on.internet:389
2 slapd: the same as Case A
If slapd is started it tries to get infos for the slapd user from the
system, which queries another.host.on.internet for them. No infos are returned as the
user slapd is not in the ldap db of another.host.on.internet; these
must reside in the passwd of the FreeBSD host. Then slapd on the
FreeBSD box starts, it runs as user slapd but the SSL engine is down,
although the slapd process has bound to port 636.
For the information you asked me:
uname -a:
FreeBSD webmail4.ing.unibs.it 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Mon Feb 23 20:45:55 GMT 2004 root at wv1u.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
installed packages:
nss_ldap-1.204_2 RFC 2307 NSS module
openldap-client-2.1.23 Open source LDAP client implementation
openldap-server-2.1.23 Open source LDAP server implementation
pam_ldap-1.6.5 A pam module for authenticating with LDAP
ldd /usr/local/libexec/slapd:
libldap_r.so.2 => /usr/local/lib/libldap_r.so.2 (0x28121000)
liblber.so.2 => /usr/local/lib/liblber.so.2 (0x28153000)
libssl.so.3 => /usr/lib/libssl.so.3 (0x28160000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x28192000)
libfetch.so.3 => /usr/lib/libfetch.so.3 (0x282a0000)
libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x282ad000)
libdb41.so.1 => /usr/local/lib/libdb41.so.1 (0x282af000)
libwrap.so.3 => /usr/lib/libwrap.so.3 (0x2835f000)
libc_r.so.5 => /usr/lib/libc_r.so.5 (0x28367000)
libc.so.5 => /lib/libc.so.5 (0x2838b000)
ps auxwww | grep slapd:
ldap 83931 0.0 0.2 7308 4408 ?? Ss Fri07PM 0:26.80 /usr/local/libexec/slapd -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/ -u ldap -g ldap
slapd.conf (excerpt):
access to dn=".*,o=bsing,c=IT"
by * read
index objectClass eq
index dhcpHWAddress eq
index dhcpClassData eq
index associatedDomain pres,eq,sub
nsswitch.conf:
passwd: files ldap
group: files ldap
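The two checks this thread turns on, as an added example that is not code from the original post, from OpenLDAP or from nss_ldap: first, a lint that takes nsswitch.conf, passwd and group contents together with slapd's -u/-g identity and reports which of slapd's own startup lookups would be routed to the "ldap" NSS source, and whether that source is the slapd being started (Case A) or a remote directory (Case B); second, the `openssl s_client` probe in code, which sends a minimal ClientHello to a port and classifies the reply as TLS or not. Everything it reads is constructed inline (the nsswitch, passwd and group lines, and a loopback stand-in listener for a plaintext or TLS endpoint), so nothing on the network is contacted. The statement that initgroups scans every group source is an assumption about the NSS implementation in use, not something the post says.

```python
"""Added example (not from the original post, OpenLDAP or nss_ldap).
1. nss_dependency_risks(): which of slapd's startup identity lookups would
   hit the "ldap" NSS source, and whether that source is itself (Case A)
   or a remote directory (Case B).
2. port_speaks_tls(): the openssl s_client check in code.
All inputs are constructed; listeners are local stand-ins."""
import socket
import struct
import threading

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_nsswitch(text):
    """Map each nsswitch database to its source list, ignoring [action] tokens."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, srcs = line.split(":", 1)
            sources[db.strip()] = [s for s in srcs.split() if not s.startswith("[")]
    return sources

def parse_names(text):
    """Names (first field) from passwd(5)- or group(5)-style content."""
    return {ln.split(":", 1)[0] for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def nss_dependency_risks(nsswitch, passwd, group, user, grp, nss_ldap_host):
    src = parse_nsswitch(nsswitch)
    pw_src, gr_src = src.get("passwd", ["files"]), src.get("group", ["files"])
    risks = []
    if "ldap" in pw_src and user not in parse_names(passwd):
        risks.append(f"getpwnam({user!r}): not in local passwd, lookup goes to ldap")
    if "ldap" in gr_src and grp not in parse_names(group):
        risks.append(f"getgrnam({grp!r}): not in local group file, lookup goes to ldap")
    if "ldap" in gr_src:
        # Assumption about NSS behaviour: initgroups/getgrouplist scans every
        # group source for supplementary groups, so a "files" entry answering
        # first does not keep the ldap source from being queried.
        risks.append(f"initgroups({user!r}): supplementary-group scan reaches the ldap source")
    if risks:
        if nss_ldap_host in LOOPBACK:
            where = "the slapd being started (Case A: blocks until its own timeout)"
        else:
            where = f"remote directory {nss_ldap_host} (Case B: local service identity depends on a remote host)"
        risks.append("startup ldap lookups are answered by " + where)
    return risks

def build_client_hello():
    """Minimal TLS 1.0 ClientHello: one cipher suite, null compression, no extensions."""
    body = (b"\x03\x01" + b"\x00" * 32   # client_version, random
            + b"\x00"                     # empty session_id
            + b"\x00\x02\x00\x2f"         # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                # compression_methods: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def is_tls_record(data):
    """True if the bytes start like a TLS handshake (0x16) or alert (0x15) record."""
    return len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03

def port_speaks_tls(host, port, timeout=3.0):
    """Connect, send a ClientHello, classify the first bytes back. A plaintext
    LDAP listener on 636 closes or answers with BER, never with a TLS record."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return is_tls_record(s.recv(5))
        except (socket.timeout, ConnectionResetError):
            return False

# Constructed stand-ins for the two kinds of listener on port 636.
PLAIN_CLOSE = b""                            # plaintext slapd: garbage LDAP, just closes
TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # TLS endpoint: fatal handshake_failure alert

def start_listener(reply):
    """Accept one connection on a free loopback port, read the client's bytes,
    send `reply` (or nothing), close. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(3.0)
            try:
                conn.recv(1024)
            except socket.timeout:
                pass
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    nss = "passwd: files ldap\ngroup: files ldap\n"  # constructed nsswitch.conf
    pwd = "ldap:*:389:389:OpenLDAP Server:/nonexistent:/sbin/nologin\n"
    for r in nss_dependency_risks(nss, pwd, "ldap:*:389:\n", "ldap", "ldap", "127.0.0.1"):
        print("risk:", r)
    print("plaintext 636 speaks TLS:", port_speaks_tls("127.0.0.1", start_listener(PLAIN_CLOSE)))
    print("TLS 636 speaks TLS:", port_speaks_tls("127.0.0.1", start_listener(TLS_ALERT)))
```

The lint reports the thread's two situations from the same nsswitch line: with nss_ldap pointed at 127.0.0.1 the lookups block on the slapd that is starting, with a remote host the service account's identity leaves the box. Against a real server the probe is called as `port_speaks_tls("ldap.example", 636)`; a False there with slapd listening is the symptom the post describes.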