[Comm] Updating OpenLDAP 2.0.x -> 2.1.x (master 2.2 -> 2.4)
Artem Bokhan
artist at academ.org
Thu Dec 23 01:46:37 MSK 2004
Hello.
After updating the system from master 2.2 to 2.4, problems with OpenLDAP arose when
using TLS. Previously everything worked without problems. Authentication via
pam_ldap and utilities such as ldapsearch do not work, specifically with
TLS enabled.
_______________________________________________
# ldapsearch -ZZ
ldap_start_tls: Operations error (1)
additional info: TLS already started
_______________________________________________
/usr/sbin/slapd -d 7 -u ldap -r /var/lib/ldap -h "ldap:/// ldaps:///"
FILTER:: str2filter: "(objectclass=*)"
FILTER:: get_filter: conn 0
BER:: ber_scanf fmt (m) ber:
CONNECTION:: connection_get: socket 10
TRANSPORT:: tls_info_cb: TLS trace: SSL_accept:error in SSLv3 read client certificate A
TRANSPORT:: tls_info_cb: TLS trace: SSL_accept:error in SSLv3 read client certificate A
CONNECTION:: connection_get: socket 10
CONNECTION:: connection_read: conn 0 unable to get TLS client DN, error 49
CONNECTION:: connection_get: socket 10
BER:: ber_get_next: enter
OPERATION:: do_extended: conn 0
BER::
BER:: ber_get_next: enter
CONNECTION:: connection_input: conn 0 ber_get_next failed, errno 11 (Resource temporarily unavailable).
ber_scanf fmt ({m) ber:
OPERATION:: send_ldap_extended: err=1 oid= len=0
OPERATION:: send_ldap_response: msgid=1 tag=120 err=1
CONNECTION:: connection_get: socket 10
BER:: ber_get_next: enter
CONNECTION:: connection_input: conn 0 ber_get_next failed, errno 0 (Success).
CONNECTION:: connection_read: conn 0 input error -2, closing.
server configuration:
allow bind_v2
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
modulepath /usr/lib/openldap
moduleload back_ldbm.la
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/openldap/ssl/ldap.pem
TLSVerifyClient never
threads 100
idletimeout 3600
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
access to attr=userPassword
by self write
by anonymous auth
by * none
access to * by * read
database ldbm
suffix "dc=my,dc=server"
rootdn "cn=admin,dc=my,dc=server"
rootpw password
directory /var/lib/ldap/bases/my.server
loglevel 8
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
client configuration:
BASE dc=my,dc=server
URI ldaps://localhost
rootbinddn cn=admin,dc=my,dc=server
pam_password md5
tls on
TLS_REQCERT never
The certificate was created as follows:
# pwd
/var/lib/ssl/certs
# make ldap.pem
[omitted]
Country Name (2 letter code) [AU]:RU
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:my.server
Email Address []:.
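The settings quoted in the post combine two things worth checking mechanically: the client URI is `ldaps://` (TLS negotiated at connect time) while `ldapsearch -ZZ` asks for StartTLS on top of that, which is exactly the "TLS already started" the server returns for the extended operation; and both sides disable certificate verification (`TLS_REQCERT never`, `+SSLv2` in the cipher suite). The following is an added example, not code from the poster or from OpenLDAP: a small linter that parses slapd.conf/ldap.conf-style lines and reports those conditions. The sample config strings are constructed from the values in the post, and the function names and finding texts are my own.

```python
"""Static check of OpenLDAP TLS settings (added example, not from the post)."""
import shlex

# Constructed samples mirroring the directives quoted in the post
# (not the poster's files verbatim).
CLIENT_CONF = """\
BASE dc=my,dc=server
URI ldaps://localhost
TLS_REQCERT never
"""

SERVER_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/openldap/ssl/ldap.pem
TLSVerifyClient never
"""


def parse_conf(text):
    """Parse slapd.conf / ldap.conf style lines into {KEYWORD: [[args...], ...]}.

    Keywords are case-insensitive in both files; shlex handles quoted values
    such as suffix "dc=my,dc=server". Blank lines and comments are skipped.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].upper(), []).append(parts[1:])
    return conf


def first_value(conf, key):
    """Return the first argument of the first occurrence of key, or None."""
    for args in conf.get(key, []):
        if args:
            return args[0]
    return None


def check_client(conf, ldapsearch_flags=()):
    """Findings for a client ldap.conf plus the flags given on the command line."""
    findings = []
    uris = [u for args in conf.get("URI", []) for u in args]
    wants_starttls = any(f in ("-Z", "-ZZ") for f in ldapsearch_flags)
    if wants_starttls and any(u.lower().startswith("ldaps://") for u in uris):
        findings.append(
            "StartTLS (-Z/-ZZ) requested over an ldaps:// URI: the session is already "
            "encrypted, so the StartTLS extended operation fails with 'TLS already "
            "started'; use ldap:// with -ZZ, or ldaps:// without -Z")
    if (first_value(conf, "TLS_REQCERT") or "").lower() == "never":
        findings.append(
            "TLS_REQCERT never: the server certificate is not verified, so any endpoint "
            "can impersonate the directory; point TLS_CACERT at the CA and use 'demand'")
    return findings


def check_server(conf):
    """Findings for the TLS directives of slapd.conf."""
    findings = []
    suite = first_value(conf, "TLSCIPHERSUITE") or ""
    if "+SSLv2" in suite.split(":"):
        findings.append("TLSCipherSuite enables SSLv2 ciphers; remove +SSLv2")
    cert = first_value(conf, "TLSCERTIFICATEFILE")
    ca = first_value(conf, "TLSCACERTIFICATEFILE")
    if cert and cert == ca:
        findings.append(
            "the same file is both the server certificate and its CA (self-signed): "
            "clients must trust that file explicitly via TLS_CACERT rather than "
            "disabling verification")
    return findings


if __name__ == "__main__":
    for f in check_client(parse_conf(CLIENT_CONF), ("-ZZ",)):
        print("client:", f)
    for f in check_server(parse_conf(SERVER_CONF)):
        print("server:", f)
```

Run stand-alone it prints two client findings (the StartTLS/ldaps clash and the disabled verification) and two server findings; pointing the same functions at real files only needs `parse_conf(open(path).read())`, and pam_ldap-specific keywords such as `rootbinddn` are parsed but ignored.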