conflicts between slapd and nsswitch (SSL not working)

Francesco Gringoli francesco.gringoli at
Tue Apr 27 07:10:49 PDT 2004

On Apr 27, 2004, at 3:19 PM, Oliver Eikemeier wrote:

> Francesco Gringoli wrote:
>> Packages: openldap2(0,1)-server, nss-ldap
>> Hi all,
>> If slapd is configured to run as a user different than root (default 
>> config)
>> and nsswitch is configured to search first in files and then in ldap 
>> and
>> the ldap server specified for nsswitch is different then this,
>> when slapd starts its SSL engine seems down:
>> although slapd binds on port 636, traffic on this
>> port is not SSL (try with openssl s_client and see
>> that no certificate is returned during the handshake,
>> really there is no handshake at all).
>> Note: slapd start normally as the user specified in slapd.conf,
>> it is possible to do search inside the ldap db,
>> nss-ldap is ok and userid and gid are those defined in the ldap db,
>> BUT
>> the SSL engine is off.
>> Note: if the ldap server specified for nsswitch is the same a time-out
>> occur, since the slapd calls getpwnam and the ldap module
>> cannot obtain anything. In this case the SSL engine is OK.
> What do you mean with `different' and `same' specified server?
> Also, some more iforemation would be useful, like
>  uname -a
>  pkg_info
>  ldd /usr/local/libexec/slapd
>  ps auxwww | grep slapd
>  cat /usr/local/etc/openldap/slapd.conf
>  cat /usr/local/etc/nss_ldap.conf

OK, let's see the configuration (first, note that the same 
configuration is ok
on linux, so the problem could be in the nss architecture of FreeBSD)

Case A: a system alone

1 nsswitch
   -configured for "files ldap"
   -ldap module fetching infos from

2 slapd
   -configured to bind both 389 and SSL on 636
   -configured to run as user "slapd"

If slapd is started it waits until the time out because it tries to get 
for the "slapd" user from the system and the system tries to fetch 
these infos
from slapd but at this time slapd is not ready for queries (this could 
lead to a deadlock
but I noticed this timeout-like behavior). After the timeout the slapd 
and the SSL engine is OK.

Case B: the FreeBSD box and another box with slapd already running

1 nsswitch
   -configured for "files ldap"
   -ldap module fetching infos from ldap://

2 slapd: the same as Case A

If slapd is started it tries to get infos for the slapd user from the 
system which
queries for infos. No infos are returned as the
user slapd is not on the ldap db of, these 
must reside on the passwd of the FreeBSD host. Then slapd on the
FreeBSD box starts, it runs as user slapd but the SSL engine is down,
although the slapd process has binded on port 636.

For the information you asked me:
uname -a:
   FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: 
Mon Feb 23 20:45:55 GMT 2004     
root at  i386

   nss_ldap-1.204_2    RFC 2307 NSS module
   openldap-client-2.1.23 Open source LDAP client implementation
   openldap-server-2.1.23 Open source LDAP server implementation
   pam_ldap-1.6.5      A pam module for authenticating with LDAP

/usr/local/libexec/slapd: => /usr/local/lib/ (0x28121000) => /usr/local/lib/ (0x28153000) => /usr/lib/ (0x28160000) => /lib/ (0x28192000) => /usr/lib/ (0x282a0000) => /usr/lib/ (0x282ad000) => /usr/local/lib/ (0x282af000) => /usr/lib/ (0x2835f000) => /usr/lib/ (0x28367000) => /lib/ (0x2838b000)

ldap  83931  0.0  0.2  7308 4408  ??  Ss   Fri07PM   0:26.80 
/usr/local/libexec/slapd -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ 
ldap:// ldaps:// -u ldap -g ldap


include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/dnsdomain2.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/dhcp.schema
include         /usr/local/etc/openldap/schema/misc.schema
TLSCertificateFile /usr/local/etc/openldap/ldap.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ldap.pem
pidfile         /var/run/openldap/
argsfile        /var/run/openldap/slapd.args
access to dn=".*,o=bsing,c=IT"
    by * read
database        bdb
suffix          "o=bsing,c=IT"
rootdn          "uid=root,o=bsing,c=IT"
rootpw          xxxxxxxxxxxxxxxxxxxxxxxxxxx
directory       /var/db/openldap-data
index   objectClass     eq
index   dhcpHWAddress   eq
index   dhcpClassData   eq
index associatedDomain pres,eq,sub

passwd: files ldap
group: files ldap

Best regards
> -Oliver

More information about the freebsd-ports mailing list