* [devel] NSS_LDAP + TLS
@ 2008-10-28 20:25 Pavel Wolneykien
From: Pavel Wolneykien @ 2008-10-28 20:25 UTC (permalink / raw)
To: Anton Gorlov; +Cc: devel, ldv
Hello everyone,
There is a small problem with nss_ldap (nss_ldap-252-alt2).
Requesting data through NSS leads to an endless loop (with more
iterations than my patience :) ) of reconnections to the LDAP server
in the case where TLS (StartTLS) is used and verification of the server
certificate is attempted. At the same time pam_ldap works perfectly
well in the very same configuration.
The LDAP server log (slapd -d1) shows no errors (client connected,
TLS connection established, client closed the connection, etc.).
As I understand it, both pam_ldap and nss_ldap use the libldap library and
both are sensitive to the parameters given in /etc/openldap/ldap.conf.
In addition, both pam_ldap and nss_ldap have their own configuration
files, compatible with each other (/etc/pam_ldap.conf and
/etc/nss_ldap.conf). So, if the main file /etc/openldap/ldap.conf
specifies a trusted CA certificate (the TLS_CACERT parameter) and allows
verification to be performed (TLS_REQCERT allow), while the configuration
files pam_ldap.conf and nss_ldap.conf specify 'ssl start_tls', then
pam_ldap works fine (and the certificate passes verification), whereas a
query through nss (for example `/usr/bin/id`) leads to a reconnection loop.
At the moment I work around this problem by specifying the parameter
'tls_checkpeer no' in /etc/nss_ldap.conf, i.e. by forbidding server
certificate verification specifically for nss_ldap. In that case
nss_ldap (`id`) works fine.
I tried specifying the certificate directly in nss_ldap.conf itself
and other variants, but it seems that any attempt to establish a TLS
connection from nss_ldap with certificate verification ends in an
error.
I would like to know:
1) Is there a ready-made recipe for solving this problem?
2) Is there any way (without resorting to a debugger :) ) to find out what
exactly makes nss_ldap reconnect; is it possible to enable debug output
from nss_ldap (if such a thing is provided for...)?
In closing, here are fragments of the configuration files and the logs of
the server and client (slapd and nss_ldap (`id`)).
Pavel.
$ sudo grep '^[^#].*' /etc/openldap/ldap.conf
TLS_CACERT /etc/openssl/cacert.pem
TLS_REQCERT demand
URI ldap:/// ldaps:///
$ sudo grep '^[^#].*' /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
allow bind_v2
concurrency 20
gentlehup on
sizelimit -1
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
replica-pidfile /var/run/slurpd.pid
replica-argsfile /var/run/slurpd.args
rootDSE /etc/openldap/rootdse.ldif
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/server.pem
TLSCertificateKeyFile /etc/openldap/ssl/server.pem
access to dn.exact=""
by * read
access to dn.subtree="cn=Subschema"
by * read
access to attrs=userPassword
by self write
by anonymous auth
by * none
modulepath /usr/lib/openldap
moduleload back_hdb.la
moduleload back_monitor.la
moduleload back_null.la
moduleload ppolicy.la
moduleload syncprov.la
include /etc/openldap/schema/ism.schema
include /etc/openldap/slapd-hdb-spb.altlinux.org.conf
$ sudo diff -su /etc/openssl/cacert.pem /etc/openldap/ssl/cacert.pem
Files /etc/openssl/cacert.pem and /etc/openldap/ssl/cacert.pem are identical
$ sudo grep '^[^#].*' /etc/pam_ldap.conf
host 10.1.1.52 10.1.1.4
base dc=spb,dc=altlinux,dc=org
timelimit 5
bind_timelimit 5
ssl start_tls
$ sudo grep '^[^#].*' /etc/nss_ldap.conf
host 10.1.1.52 10.1.1.4
base dc=spb,dc=altlinux,dc=org
timelimit 5
bind_timelimit 5
ssl start_tls
$ sudo grep '^[^#].*' /etc/nsswitch.conf
passwd: files ldap nisplus nis
shadow: tcb files ldap nisplus nis
group: files ldap nisplus nis
hosts: files nisplus nis dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
bootparams: nisplus [NOTFOUND=return] files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
$ sudo tail -85 /var/log/syslog/messages
Oct 28 22:59:15 dinkum-thinkum slapd[12419]: slapd starting
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 ACCEPT from IP=10.1.1.52:57743 (IP=0.0.0.0:389)
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=0 STARTTLS
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=0 RESULT oid= err=0 text=
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 TLS established tls_ssf=256 ssf=256
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=1 BIND dn="" method=128
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=1 RESULT tag=97 err=0 text=
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=2 SRCH base="dc=spb,dc=altlinux,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=-))"
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 28 22:59:16 dinkum-thinkum id: nss_ldap: reconnected to LDAP server ldap://10.1.1.52 after 5 attempts
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 closed (connection lost)
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 ACCEPT from IP=10.1.1.52:57745 (IP=0.0.0.0:389)
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 op=0 STARTTLS
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 op=0 RESULT oid= err=0 text=
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 TLS established tls_ssf=256 ssf=256
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 op=1 UNBIND
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 closed
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 ACCEPT from IP=10.1.1.52:57762 (IP=0.0.0.0:389)
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 op=0 STARTTLS
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 op=0 RESULT oid= err=0 text=
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 TLS established tls_ssf=256 ssf=256
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 op=1 UNBIND
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 closed
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 fd=12 ACCEPT from IP=10.1.1.52:57765 (IP=0.0.0.0:389)
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 fd=15 ACCEPT from IP=10.1.1.52:57766 (IP=0.0.0.0:389)
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 op=0 STARTTLS
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 op=0 RESULT oid= err=0 text=
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 op=0 STARTTLS
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 op=0 RESULT oid= err=0 text=
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 fd=12 TLS established tls_ssf=256 ssf=256
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 fd=15 TLS established tls_ssf=256 ssf=256
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 op=1 UNBIND
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 fd=12 closed
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 op=1 UNBIND
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 fd=15 closed
Oct 28 22:59:22 dinkum-thinkum su[12425]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 28 22:59:22 dinkum-thinkum id: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
...
$ sed -n -e ':r /^slapd starting/bo' -e '{n; br}' -e ':o {p; n; bo}' slapd.log
slapd starting
>>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=0
ber_flush: 14 bytes to sd 12
do_bind: v3 anonymous bind
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 196 contents:
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=spb,dc=altlinux,dc=org>
<<< dnPrettyNormal: <dc=spb,dc=altlinux,dc=org>, <dc=spb,dc=altlinux,dc=org>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=0 op=2 dn="[anonymous]"
=> hdb_search
bdb_dn2entry("dc=spb,dc=altlinux,dc=org")
=> hdb_dn2id("dc=spb,dc=altlinux,dc=org")
<= hdb_dn2id: got id=0x1
entry_decode: ""
<= entry_decode()
search_candidates: base="dc=spb,dc=altlinux,dc=org" (0x00000001) scope=2
=> hdb_dn2idl("dc=spb,dc=altlinux,dc=org")
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 3 candidates
<= bdb_equality_candidates: id=3, first=8, last=18
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search_candidates: id=0 first=1 last=0
hdb_search: no candidates
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=1
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=1 sd=12 for close
connection_close: deferring conn=1 sd=12
connection_resched: attempting closing conn=1 sd=12
connection_close: conn=1 sd=12
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=2
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=2 sd=12 for close
connection_close: deferring conn=2 sd=12
connection_resched: attempting closing conn=2 sd=12
connection_close: conn=2 sd=12
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
>>> slap_listener(ldap:///)
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=3
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(15): unable to get TLS client DN, error=49 id=4
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=3 sd=12 for close
connection_close: deferring conn=3 sd=12
connection_resched: attempting closing conn=3 sd=12
connection_close: conn=3 sd=12
TLS trace: SSL3 alert write:warning:close notify
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 15 failed errno=0 (Success)
connection_closing: readying conn=4 sd=15 for close
connection_close: deferring conn=4 sd=15
connection_resched: attempting closing conn=4 sd=15
connection_close: conn=4 sd=15
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
>>> slap_listener(ldap:///)
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=5
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(15): unable to get TLS client DN, error=49 id=6
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=5 sd=12 for close
connection_close: deferring conn=5 sd=12
connection_resched: attempting closing conn=5 sd=12
connection_close: conn=5 sd=12
TLS trace: SSL3 alert write:warning:close notify
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 15 failed errno=0 (Success)
connection_closing: readying conn=6 sd=15 for close
connection_close: deferring conn=6 sd=15
connection_resched: attempting closing conn=6 sd=15
connection_close: conn=6 sd=15
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
connection_get(12): got connid=7
connection_read(12): checking for input on id=7
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=7
connection_read(12): checking for input on id=7
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
>>> slap_listener(ldap:///)
connection_get(15): got connid=8
connection_read(15): checking for input on id=8
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
connection_get(15): got connid=8
connection_read(15): checking for input on id=8
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=7
connection_read(12): checking for input on id=7
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=7
connection_get(15): got connid=8
connection_read(15): checking for input on id=8
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(15): unable to get TLS client DN, error=49 id=8
connection_get(12): got connid=7
connection_read(12): checking for input on id=7
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=7 sd=12 for close
connection_close: deferring conn=7 sd=12
connection_get(15): got connid=8
connection_resched: attempting closing conn=7 sd=12
connection_read(15): checking for input on id=8
ber_get_next
connection_close: conn=7 sd=12
ber_get_next: tag 0x30 len 5 contents:
do_unbind
TLS trace: SSL3 alert write:warning:close notify
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 15 failed errno=0 (Success)
connection_closing: readying conn=8 sd=15 for close
connection_close: deferring conn=8 sd=15
connection_resched: attempting closing conn=8 sd=15
connection_close: conn=8 sd=15
TLS trace: SSL3 alert write:warning:close notify
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
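Added example (not part of the thread, and not nss_ldap's or OpenLDAP's own code): a small Python checker that picks the reconnect loop described in the report out of syslog output, by counting the "nss_ldap: reconnecting to LDAP server (sleeping N seconds)..." and "reconnected ... after N attempts" lines per client program while ignoring slapd's own records. The sample lines are constructed in the shape of the syslog excerpt in the message; the threshold of three attempts is an arbitrary choice for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the syslog excerpt from the report (not the full log).
SAMPLE_SYSLOG = """\
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 28 22:59:16 dinkum-thinkum id: nss_ldap: reconnected to LDAP server ldap://10.1.1.52 after 5 attempts
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 closed (connection lost)
Oct 28 22:59:22 dinkum-thinkum su[12425]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 28 22:59:22 dinkum-thinkum id: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 28 22:59:26 dinkum-thinkum id: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 28 22:59:34 dinkum-thinkum id: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
"""

# syslog line: "Mon DD HH:MM:SS host prog[pid]: nss_ldap: message"; the pid is optional ("id:" has none)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: nss_ldap: (?P<msg>.*)$"
)
RECONNECTING_RE = re.compile(r"reconnecting to LDAP server \(sleeping (\d+) seconds\)")
RECONNECTED_RE = re.compile(r"reconnected to LDAP server (\S+) after (\d+) attempts")


def parse_nss_ldap_events(text):
    """Extract nss_ldap reconnect events; every other line (slapd's own records, etc.) is skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        r = RECONNECTING_RE.search(msg)
        if r:
            events.append({"prog": m.group("prog"), "kind": "reconnecting",
                           "sleep": int(r.group(1))})
            continue
        r = RECONNECTED_RE.search(msg)
        if r:
            events.append({"prog": m.group("prog"), "kind": "reconnected",
                           "uri": r.group(1), "attempts": int(r.group(2))})
    return events


def reconnect_summary(text):
    """Per client program: attempts logged, back-off seconds spent sleeping, and the
    'after N attempts' figures nss_ldap reports when it finally reconnects."""
    summary = defaultdict(lambda: {"reconnecting": 0, "backoff_seconds": 0,
                                   "reconnected_after": []})
    for ev in parse_nss_ldap_events(text):
        s = summary[ev["prog"]]
        if ev["kind"] == "reconnecting":
            s["reconnecting"] += 1
            s["backoff_seconds"] += ev["sleep"]
        else:
            s["reconnected_after"].append(ev["attempts"])
    return dict(summary)


def looping_clients(text, min_attempts=3):
    """Programs that logged at least min_attempts reconnects: the signature of the loop
    in the report, where every NSS lookup tears the TLS session down and retries.
    The threshold is an arbitrary choice for this demonstration."""
    return sorted(prog for prog, s in reconnect_summary(text).items()
                  if s["reconnecting"] >= min_attempts)


if __name__ == "__main__":
    for prog, s in sorted(reconnect_summary(SAMPLE_SYSLOG).items()):
        print(f"{prog}: {s['reconnecting']} reconnect attempts, "
              f"{s['backoff_seconds']}s of back-off, reconnected after {s['reconnected_after']}")
    print("looping:", looping_clients(SAMPLE_SYSLOG))
```

Run against a real syslog the same way (`reconnect_summary(open("/var/log/syslog/messages").read())`); the exponential sleeps (4, 8, 16 ...) are what turn a single failing lookup into the minutes-long stall the report complains about, so the back-off total is the figure worth alerting on.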
* Re: [devel] NSS_LDAP + TLS
From: Pavel Wolneykien @ 2008-10-29 11:36 UTC (permalink / raw)
To: Vitaly Ostanin; +Cc: devel
Vitaly Ostanin <vyt@altlinux.org> wrote:
> What happens if you specify TLS_REQCERT never in
> /etc/openldap/ldap.conf?
The same as when specifying 'tls_checkpeer no': everything works, but
the certificates are not verified. Not interesting.
>
> And, just in case, try the nss-ldapd package instead of nss_ldap.
>
Tried it: it doesn't support TLS at all... :(
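Added example (not part of the thread, and not nss_ldap's or OpenLDAP's code): a Python audit of the effective server-certificate policy for an nss_ldap client, read from ldap.conf and nss_ldap.conf text. It assumes what the exchange shows in practice: that tls_checkpeer in nss_ldap.conf, when set, overrides TLS_REQCERT from ldap.conf for that client, and that 'TLS_REQCERT never' and 'tls_checkpeer no' both leave the server certificate unverified. The configuration texts are constructed from the fragments in the first message plus the workaround; the default of demand for an unset TLS_REQCERT is the one documented in ldap.conf(5).

```python
# Constructed from the fragments in the first message; not the author's files verbatim.
LDAP_CONF = """\
TLS_CACERT /etc/openssl/cacert.pem
TLS_REQCERT demand
URI ldap:/// ldaps:///
"""
LDAP_CONF_NEVER = LDAP_CONF.replace("TLS_REQCERT demand", "TLS_REQCERT never")

NSS_LDAP_CONF = """\
host 10.1.1.52 10.1.1.4
base dc=spb,dc=altlinux,dc=org
timelimit 5
bind_timelimit 5
ssl start_tls
"""
# The workaround from the report: verification switched off for nss_ldap only.
NSS_LDAP_CONF_WORKAROUND = NSS_LDAP_CONF + "tls_checkpeer no\n"


def parse_conf(text):
    """'KEY value' lines with '#' comments; keys case-folded, since ldap.conf keywords
    are case-insensitive and nss_ldap.conf keywords are lower-case anyway."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def effective_tls_policy(ldap_conf, client_conf):
    """Work out how the nss_ldap client will treat the server certificate and list
    the findings a reviewer of these two files would want to see."""
    sys_opts = parse_conf(ldap_conf)
    cli = parse_conf(client_conf)

    ssl = cli.get("ssl", "no").lower()
    if ssl == "start_tls":
        transport = "start_tls"
    elif ssl in ("on", "yes"):
        transport = "ldaps"
    else:
        transport = "plaintext"

    # ldap.conf(5): TLS_REQCERT defaults to demand when unset.
    reqcert = sys_opts.get("tls_reqcert", "demand").lower()
    source = "ldap.conf TLS_REQCERT" if "tls_reqcert" in sys_opts else "ldap.conf default"
    if "tls_checkpeer" in cli:
        # ASSUMPTION: tls_checkpeer yes/no in nss_ldap.conf overrides TLS_REQCERT for this
        # client, which is what the workaround in the report relies on.
        checkpeer = cli["tls_checkpeer"].lower() in ("yes", "on", "true")
        reqcert = "demand" if checkpeer else "never"
        source = "nss_ldap.conf tls_checkpeer"

    cacert = (cli.get("tls_cacertfile") or sys_opts.get("tls_cacert")
              or sys_opts.get("tls_cacertdir"))

    findings = []
    if transport == "plaintext":
        findings.append("no TLS: directory traffic and any bind password travel in clear")
    elif reqcert in ("never", "allow"):
        findings.append(f"server certificate is not verified ({source} = {reqcert}): "
                        "a spoofed LDAP server would be accepted")
    elif reqcert == "try":
        findings.append(f"certificate verified only if the server sends one ({source} = try)")
    elif not cacert:
        findings.append("no CA trust anchor configured (TLS_CACERT/TLS_CACERTDIR/tls_cacertfile); "
                        "verification depends on the library's default trust store")

    return {"transport": transport, "reqcert": reqcert, "source": source,
            "verifies": transport != "plaintext" and reqcert in ("demand", "hard"),
            "cacert": cacert, "findings": findings}


if __name__ == "__main__":
    for label, lc, nc in [("as reported", LDAP_CONF, NSS_LDAP_CONF),
                          ("tls_checkpeer no workaround", LDAP_CONF, NSS_LDAP_CONF_WORKAROUND),
                          ("TLS_REQCERT never", LDAP_CONF_NEVER, NSS_LDAP_CONF)]:
        p = effective_tls_policy(lc, nc)
        print(f"{label}: transport={p['transport']} reqcert={p['reqcert']} "
              f"({p['source']}) verifies={p['verifies']}")
        for f in p["findings"]:
            print("  -", f)
```

The first of the three cases is the configuration the report started from and the only one that actually verifies the server; the other two are the two ways discussed in this exchange of making the loop go away, and the audit reports both as the same finding, which is why the author calls them "not interesting".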
* Re: [devel] NSS_LDAP + TLS
From: Pavel Wolneykien @ 2008-10-29 21:33 UTC (permalink / raw)
To: Vitaly Ostanin; +Cc: devel
Vitaly Ostanin <vyt@altlinux.org> wrote:
> That indicates a bug either in the ldap.conf man page or in the handling
> of TLS_REQCERT allow - with any certificate there should be no
> reconnections.
Well, that's just the thing: it seems that any call from nss_ldap to the
certificate verification function causes the processing of the request to
be aborted, after which it goes back to the start of the loop... And the
validity of the certificate as such clearly has nothing to do with it. It's
strange altogether: all TLS operations in libldap are wrapped up in a single
function, ldap_start_tls_s(): I used just that one in my pam_ldap_level
library and everything works perfectly. I don't understand what they have
muddled up in there. I ought to take a look, but I have no time for it right
now; if the NIITP people do end up needing certificate verification, we'll
do it as part of the follow-up work...