conflicts between slapd and nsswitch (SSL not working)
Francesco Gringoli
francesco.gringoli at ing.unibs.it
Tue Apr 27 07:10:49 PDT 2004
On Apr 27, 2004, at 3:19 PM, Oliver Eikemeier wrote:
> Francesco Gringoli wrote:
>
>> Packages: openldap2(0,1)-server, nss-ldap
>>
>> Hi all,
>>
>> If slapd is configured to run as a user different from root (default
>> config), and nsswitch is configured to search first in files and then in
>> ldap, and the ldap server specified for nsswitch is different from this,
>> then when slapd starts its SSL engine seems down: although slapd binds on
>> port 636, traffic on this port is not SSL (try with openssl s_client and
>> see that no certificate is returned during the handshake; really there is
>> no handshake at all).
>>
>> Note: slapd starts normally as the user specified in slapd.conf, it is
>> possible to do searches inside the ldap db, nss-ldap is ok and userid and
>> gid are those defined in the ldap db, BUT the SSL engine is off.
>>
>> Note: if the ldap server specified for nsswitch is the same, a time-out
>> occurs, since slapd calls getpwnam and the ldap module cannot obtain
>> anything. In this case the SSL engine is OK.
>
> What do you mean with `different' and `same' specified server?
>
> Also, some more information would be useful, like
> uname -a
> pkg_info
> ldd /usr/local/libexec/slapd
> ps auxwww | grep slapd
> cat /usr/local/etc/openldap/slapd.conf
> cat /usr/local/etc/nss_ldap.conf
>
OK, let's see the configuration (first, note that the same configuration
is ok on linux, so the problem could be in the nss architecture of
FreeBSD).

Case A: a system alone
1 nsswitch
  - configured for "files ldap"
  - ldap module fetching info from 127.0.0.1
2 slapd
  - configured to bind both 389 and SSL on 636
  - configured to run as user "slapd"

If slapd is started it waits until the timeout, because it tries to get
info for the "slapd" user from the system and the system tries to fetch
this info from slapd, but at this time slapd is not ready for queries
(this could lead to a deadlock, but I noticed this timeout-like
behavior). After the timeout slapd runs and the SSL engine is OK.

Case B: the FreeBSD box and another box with slapd already running
1 nsswitch
  - configured for "files ldap"
  - ldap module fetching info from ldap://another.host.on.internet:389
2 slapd: the same as Case A

If slapd is started it tries to get info for the slapd user from the
system, which queries another.host.on.internet for it. No info is
returned, as the user slapd is not in the ldap db of
another.host.on.internet; this info must reside in the passwd of the
FreeBSD host. Then slapd on the FreeBSD box starts; it runs as user slapd
but the SSL engine is down, although the slapd process has bound to port
636.
For the information you asked for:
uname -a:
FreeBSD webmail4.ing.unibs.it 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0:
Mon Feb 23 20:45:55 GMT 2004
root at wv1u.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
pkg_info:
nss_ldap-1.204_2 RFC 2307 NSS module
openldap-client-2.1.23 Open source LDAP client implementation
openldap-server-2.1.23 Open source LDAP server implementation
pam_ldap-1.6.5 A pam module for authenticating with LDAP
/usr/local/libexec/slapd:
libldap_r.so.2 => /usr/local/lib/libldap_r.so.2 (0x28121000)
liblber.so.2 => /usr/local/lib/liblber.so.2 (0x28153000)
libssl.so.3 => /usr/lib/libssl.so.3 (0x28160000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x28192000)
libfetch.so.3 => /usr/lib/libfetch.so.3 (0x282a0000)
libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x282ad000)
libdb41.so.1 => /usr/local/lib/libdb41.so.1 (0x282af000)
libwrap.so.3 => /usr/lib/libwrap.so.3 (0x2835f000)
libc_r.so.5 => /usr/lib/libc_r.so.5 (0x28367000)
libc.so.5 => /lib/libc.so.5 (0x2838b000)
ps auxwww | grep slapd:
ldap 83931 0.0 0.2 7308 4408 ?? Ss Fri07PM 0:26.80 /usr/local/libexec/slapd -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/ -u ldap -g ldap
slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/dnsdomain2.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/dhcp.schema
include /usr/local/etc/openldap/schema/misc.schema
TLSCertificateFile /usr/local/etc/openldap/ldap.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ldap.pem
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to dn=".*,o=bsing,c=IT"
by * read
database bdb
suffix "o=bsing,c=IT"
rootdn "uid=root,o=bsing,c=IT"
rootpw xxxxxxxxxxxxxxxxxxxxxxxxxxx
directory /var/db/openldap-data
index objectClass eq
index dhcpHWAddress eq
index dhcpClassData eq
index associatedDomain pres,eq,sub
nsswitch.conf:
passwd: files ldap
group: files ldap
Best regards
FG
> -Oliver
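The symptom reported above (port 636 bound, but no TLS handshake and no certificate returned) is easy to miss from a process listing alone, so a scripted version of the `openssl s_client` check the thread mentions is useful for a startup sanity test or a monitoring hook. The following is an added example, not code from the post, from OpenLDAP or from the FreeBSD port: it connects to a host:port that is supposed to speak LDAPS, attempts a TLS handshake with certificate verification disabled (the question is whether the port is TLS at all, not whether the certificate is trusted), and reports the outcome. The localhost "plaintext listener" and the BER bytes it replies with are constructed stand-ins for a slapd whose TLS engine is down; they exist only so the demo runs offline.

```python
"""Check whether a port that should be LDAPS really completes a TLS handshake.

Added example (not from the mailing-list post). Scripted equivalent of
`openssl s_client -connect host:636`: a listener that is bound but answers in
plaintext shows up as tls=False with an OpenSSL "wrong version number" reason.
"""
import socket
import ssl
import threading


def probe_tls_listener(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect to host:port and try a TLS handshake.

    Returns {"tls": True, "protocol": ..., "cert_der_len": ...} when the peer
    completes the handshake, otherwise {"tls": False, "detail": <reason>}.
    Verification is deliberately off: a self-signed ldap.pem must still count
    as "TLS is up"; only the absence of a handshake is a failure here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert(binary_form=True) or b""
                return {"tls": True, "protocol": tls.version(),
                        "cert_der_len": len(cert)}
    except ssl.SSLError as exc:
        # A plaintext LDAP listener answers the ClientHello with BER (or just
        # closes), which OpenSSL reports as "wrong version number"/"unexpected eof".
        reason = getattr(exc, "reason", None) or str(exc)
        return {"tls": False, "detail": f"no TLS handshake: {reason}"}
    except OSError as exc:
        # Connection refused, reset, or timeout: nothing is listening properly.
        return {"tls": False, "detail": f"connection failed: {exc}"}


# Constructed stand-in for a slapd whose TLS engine is down: a TCP listener
# that accepts on the port but replies in plaintext. The bytes are a hand-built
# LDAPMessage {messageID 1, extendedResp {protocolError, "", ""}}, i.e. the
# kind of BER a server might send after failing to parse a ClientHello.
PLAINTEXT_REPLY = b"\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x02\x04\x00\x04\x00"


def start_plaintext_listener() -> tuple:
    """Start a localhost listener that mimics the broken ldaps port.

    Returns (server_socket, port); close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(4096)            # swallow the ClientHello as if it were BER
                conn.sendall(PLAINTEXT_REPLY)
            except OSError:
                pass

    threading.Thread(target=serve_one, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        # Real use: python3 probe_ldaps.py <host> [port]
        target_host = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        print(probe_tls_listener(target_host, target_port))
    else:
        # Offline demo against the constructed plaintext listener.
        srv, demo_port = start_plaintext_listener()
        print(probe_tls_listener("127.0.0.1", demo_port, timeout=3.0))
        srv.close()
```

Run it as `python3 probe_ldaps.py <host> 636` against a real server; a result of `tls: True` with a non-zero `cert_der_len` is what a working `ldaps://` listener should give, while `tls: False` with a "wrong version number" reason is exactly the "bound on 636 but not SSL" state described in the post, and is worth alerting on before any client is pointed at the port.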