ALT Linux Community general discussions
From: "Artem Bokhan" <artist@academ.org>
To: <community@altlinux.ru>
Subject: [Comm] Updating OpenLDAP 2.0.x -> 2.1.x (master 2.2 -> 2.4)
Date: Thu, 23 Dec 2004 04:46:37 +0600
Message-ID: <013801c4e878$18f140c0$0200000a@artist>

Hello.

After updating the system from master 2.2 to 2.4, problems with OpenLDAP appeared
when TLS is used. Before that everything worked fine. Authentication via pam_ldap
and utilities such as ldapsearch do not work, specifically when TLS is enabled.

_______________________________________________

# ldapsearch -ZZ
ldap_start_tls: Operations error (1)
        additional info: TLS already started
_______________________________________________

/usr/sbin/slapd -d 7 -u ldap -r /var/lib/ldap -h "ldap:/// ldaps:///"

FILTER:: str2filter: "(objectclass=*)"
FILTER:: get_filter: conn 0
BER:: ber_scanf fmt (m) ber:
CONNECTION:: connection_get: socket 10
TRANSPORT:: tls_info_cb: TLS trace: SSL_accept:error in SSLv3 read client certificate A
TRANSPORT:: tls_info_cb: TLS trace: SSL_accept:error in SSLv3 read client certificate A
CONNECTION:: connection_get: socket 10
CONNECTION:: connection_read: conn 0 unable to get TLS client DN, error 49
CONNECTION:: connection_get: socket 10
BER:: ber_get_next: enter
OPERATION:: do_extended: conn 0
BER::
BER:: ber_get_next: enter
CONNECTION:: connection_input: conn 0  ber_get_next failed, errno 11 (Resource temporarily unavailable).
ber_scanf fmt ({m) ber:
    OPERATION:: send_ldap_extended: err=1 oid= len=0
OPERATION:: send_ldap_response:  msgid=1 tag=120 err=1
CONNECTION:: connection_get: socket 10
BER:: ber_get_next: enter
CONNECTION:: connection_input: conn 0  ber_get_next failed, errno 0 (Success).
CONNECTION:: connection_read: conn 0  input error -2, closing.

server configuration:

allow bind_v2
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
modulepath      /usr/lib/openldap
moduleload      back_ldbm.la
TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/openldap/ssl/ldap.pem
TLSCertificateKeyFile   /etc/openldap/ssl/ldap.pem
TLSCACertificateFile    /etc/openldap/ssl/ldap.pem
TLSVerifyClient never

threads 100
idletimeout 3600
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to * by * read
database        ldbm
suffix          "dc=my,dc=server"
rootdn          "cn=admin,dc=my,dc=server"
rootpw  password
directory       /var/lib/ldap/bases/my.server
loglevel 8

index objectClass,uid,uidNumber,gidNumber     eq
index cn,mail,surname,givenname               eq,subinitial

client configuration:

BASE    dc=my,dc=server
URI     ldaps://localhost
rootbinddn cn=admin,dc=my,dc=server
pam_password md5
tls on
TLS_REQCERT never



The certificate was created like this:

# pwd
/var/lib/ssl/certs
# make ldap.pem
[omitted]
Country Name (2 letter code) [AU]:RU
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:my.server
Email Address []:.

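Added here as an illustration, not part of the original post: a small POSIX shell lint that reads the client and server fragments quoted above (embedded as constructed sample files) and flags the settings behind the "TLS already started" error and the weakened TLS configuration. The function names `lint_ldap_tls` and `count_findings` are my own.

```shell
#!/bin/sh
# Lints an OpenLDAP client ldap.conf ($1) and slapd.conf ($2) for the TLS
# pitfalls visible in the post; prints one finding per line.
lint_ldap_tls() {
    client=$1 server=$2
    # ldaps:// is TLS from the first byte, so the StartTLS extended operation
    # that "ldapsearch -ZZ" sends on top of it is refused by slapd with
    # "TLS already started". Use ldap:// with -ZZ, or ldaps:// without -Z.
    uri=$(awk 'tolower($1)=="uri"{print $2}' "$client")
    case "$uri" in
        ldaps://*) echo "URI $uri: session already TLS; -Z/-ZZ (StartTLS) fails with 'TLS already started'" ;;
    esac
    # TLS_REQCERT never: the client accepts any server certificate.
    if awk 'tolower($1)=="tls_reqcert" && tolower($2)=="never"{f=1} END{exit !f}' "$client"; then
        echo "TLS_REQCERT never: server certificate is not verified by the client"
    fi
    # "+SSLv2" re-adds SSLv2 cipher suites to an otherwise HIGH:MEDIUM list.
    suite=$(awk 'tolower($1)=="tlsciphersuite"{print $2}' "$server")
    case "$suite" in
        *SSLv2*) echo "TLSCipherSuite $suite: SSLv2 ciphers enabled" ;;
    esac
    # Key, certificate and CA in one file means a self-signed certificate;
    # clients then have no separate CA to trust, which invites TLS_REQCERT never.
    key=$(awk 'tolower($1)=="tlscertificatekeyfile"{print $2}' "$server")
    ca=$(awk 'tolower($1)=="tlscacertificatefile"{print $2}' "$server")
    if [ -n "$key" ] && [ "$key" = "$ca" ]; then
        echo "TLSCertificateKeyFile and TLSCACertificateFile are the same file: $key"
    fi
}
# Number of findings, for scripting.
count_findings() { lint_ldap_tls "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample input: the two fragments quoted in the post.
tmpd=$(mktemp -d)
CLIENT_CONF=$tmpd/ldap.conf SERVER_CONF=$tmpd/slapd.conf
cat >"$CLIENT_CONF" <<'EOF'
BASE    dc=my,dc=server
URI     ldaps://localhost
TLS_REQCERT never
EOF
cat >"$SERVER_CONF" <<'EOF'
TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/openldap/ssl/ldap.pem
TLSCertificateKeyFile   /etc/openldap/ssl/ldap.pem
TLSCACertificateFile    /etc/openldap/ssl/ldap.pem
EOF
lint_ldap_tls "$CLIENT_CONF" "$SERVER_CONF"
```

Run against the real /etc/openldap/ldap.conf and slapd.conf, the first finding is the one that matches the `ldapsearch -ZZ` output in the post.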