From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <artist@academ.org>
Message-ID: <013801c4e878$18f140c0$0200000a@artist>
From: "Artem Bokhan" <artist@academ.org>
To: <community@altlinux.ru>
Date: Thu, 23 Dec 2004 04:46:37 +0600
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="koi8-r"; reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-AV-Checked: ClamAV
Subject: [Comm] Updating OpenLDAP 2.0.x -> 2.1.x (master 2.2 -> 2.4)
X-BeenThere: community@altlinux.ru
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: community@altlinux.ru
List-Id: Mailing list for ALT Linux users <community.altlinux.ru>
List-Unsubscribe: <https://lists.altlinux.ru/mailman/listinfo/community>,
	<mailto:community-request@altlinux.ru?subject=unsubscribe>
List-Archive: <http://lists.altlinux.ru/pipermail/community>
List-Post: <mailto:community@altlinux.ru>
List-Help: <mailto:community-request@altlinux.ru?subject=help>
List-Subscribe: <https://lists.altlinux.ru/mailman/listinfo/community>,
	<mailto:community-request@altlinux.ru?subject=subscribe>
X-List-Received-Date: Wed, 22 Dec 2004 22:46:42 -0000
Archived-At: <http://lore.altlinux.org/community/013801c4e878$18f140c0$0200000a@artist/>
List-Archive: <http://lore.altlinux.org/community/>
List-Post: <mailto:mandrake-russian@linuxteam.iplabs.ru>

Здравствуйте.

После апдейта системы с master 2.2 на 2.4 возникли проблемы с OpenLDAP при 
использовании TLS. Ранее все работало без проблем. Не работает 
аутентификация через pam_ldap и утилиты типа ldapsearch, именно при 
включенном TLS.

_______________________________________________

# ldapsearch -ZZ
ldap_start_tls: Operations error (1)
        additional info: TLS already started
_______________________________________________

/usr/sbin/slapd -d 7 -u ldap -r /var/lib/ldap -h "ldap:/// ldaps:///"

FILTER:: str2filter: "(objectclass=*)"
FILTER:: get_filter: conn 0
BER:: ber_scanf fmt (m) ber:
CONNECTION:: connection_get: socket 10
TRANSPORT:: tls_info_cb: TLS trace: SSL_accept:error in SSLv3 read client 
certificate A
TRANSPORT:: tls_info_cb: TLS trace: SSL_accept:error in SSLv3 read client 
certificate A
CONNECTION:: connection_get: socket 10
CONNECTION:: connection_read: conn 0 unable to get TLS client DN, error 49
CONNECTION:: connection_get: socket 10
BER:: ber_get_next: enter
OPERATION:: do_extended: conn 0
BER::
BER:: ber_get_next: enter
CONNECTION:: connection_input: conn 0  ber_get_next failed, errno 11 
(Resource temporarily unavailable).
ber_scanf fmt ({m) ber:
    OPERATION:: send_ldap_extended: err=1 oid= len=0
OPERATION:: send_ldap_response:  msgid=1 tag=120 err=1
CONNECTION:: connection_get: socket 10
BER:: ber_get_next: enter
CONNECTION:: connection_input: conn 0  ber_get_next failed, errno 0 
(Success).
CONNECTION:: connection_read: conn 0  input error -2, closing.

конфигурация сервера:

allow bind_v2
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
modulepath      /usr/lib/openldap
moduleload      back_ldbm.la
TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/openldap/ssl/ldap.pem
TLSCertificateKeyFile   /etc/openldap/ssl/ldap.pem
TLSCACertificateFile    /etc/openldap/ssl/ldap.pem
TLSVerifyClient never

threads 100
idletimeout 3600
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
access to attr=userPassword
        by self write
                by anonymous auth
                by * none
access to * by * read
database        ldbm
suffix          "dc=my,dc=server"
rootdn          "cn=admin,dc=my,dc=server"
rootpw  password
directory       /var/lib/ldap/bases/my.server
loglevel 8

index objectClass,uid,uidNumber,gidNumber     eq
index cn,mail,surname,givenname               eq,subinitial

конфигурация клиента:

BASE    dc=my,dc=server
URI     ldaps://localhost
rootbinddn cn=admin,dc=my,dc=server
pam_password md5
tls on
TLS_REQCERT never



Сертификат создавался:

# pwd
/var/lib/ssl/certs
# make ldap.pem
[пропущено]
Country Name (2 letter code) [AU]:RU
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:my.server
Email Address []:.