[devel] NSS_LDAP + TLS

Pavel Wolneykien manowar at altlinux.org
Tue Oct 28 23:25:16 MSK 2008


  Hello everyone,

  There is a small problem with the operation of nss_ldap
(nss_ldap-252-alt2).

  A data lookup through NSS leads to an endless (with a number of
iterations greater than my patience :) ) loop of reconnections to the
LDAP server in the case where TLS (StartTLS) is used and an attempt is
made to verify the server certificate. At the same time, pam_ldap works
absolutely fine in the same configuration.
  In the LDAP server log (slapd -d1) no errors are visible (client
connected, TLS connection established, client dropped the connection,
and so on).
  As I understand it, both pam_ldap and nss_ldap use the libldap
library and both are sensitive to the parameters specified in
/etc/openldap/ldap.conf. In addition, pam_ldap and nss_ldap each have
their own configuration files, compatible with each other
(/etc/pam_ldap.conf and /etc/nss_ldap.conf). So, in the case where the
main file /etc/openldap/ldap.conf specifies a trusted CA certificate
(the TLS_CACERT parameter) and certificate verification is enabled
(TLS_REQCERT allow), while the configuration files pam_ldap.conf and
nss_ldap.conf specify 'ssl start_tls', pam_ldap works fine (and the
certificate passes verification), whereas a lookup through nss (for
example `/usr/bin/id`) leads to a reconnection loop.
  At the moment I am solving this problem by specifying the parameter
'tls_checkpeer no' in /etc/nss_ldap.conf, i.e. by forbidding
certificate verification specifically for nss_ldap. In that case
nss_ldap (`id`) works fine.

  I tried specifying the certificate directly in the nss_ldap.conf file
itself, and other variants, but it seems that any attempt to establish
a TLS connection from nss_ldap with certificate verification ends in
an error.

  I would like to know:

  1) Is there a ready-made recipe for solving this problem?
  2) Is it possible to find out somehow (without resorting to a
     debugger :) ) what exactly makes nss_ldap reconnect; is it
     possible to somehow enable debug output from nss_ldap (if it is
     provided for at all...)?

  In conclusion, I attach fragments of the configuration files and the
logs of the server and the client (slapd and nss_ldap (`id`)).

  Pavel.

$ sudo grep '^[^#].*' /etc/openldap/ldap.conf
TLS_CACERT      /etc/openssl/cacert.pem
TLS_REQCERT     demand
URI  ldap:/// ldaps:///

$ sudo grep '^[^#].*' /etc/openldap/slapd.conf
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/nis.schema
include                 /etc/openldap/schema/ppolicy.schema
allow bind_v2
concurrency 20
gentlehup on
sizelimit -1
pidfile			/var/run/slapd.pid
argsfile		/var/run/slapd.args
replica-pidfile		/var/run/slurpd.pid
replica-argsfile	/var/run/slurpd.args
rootDSE /etc/openldap/rootdse.ldif
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/server.pem
TLSCertificateKeyFile /etc/openldap/ssl/server.pem
access to dn.exact=""
	by * read
access to dn.subtree="cn=Subschema"
	by * read
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none
modulepath	/usr/lib/openldap
moduleload	back_hdb.la
moduleload	back_monitor.la
moduleload	back_null.la
moduleload	ppolicy.la
moduleload	syncprov.la
include /etc/openldap/schema/ism.schema
include /etc/openldap/slapd-hdb-spb.altlinux.org.conf

$ sudo diff -su /etc/openssl/cacert.pem /etc/openldap/ssl/cacert.pem
Files /etc/openssl/cacert.pem and /etc/openldap/ssl/cacert.pem are identical

$ sudo grep '^[^#].*' /etc/pam_ldap.conf
host 10.1.1.52 10.1.1.4
base dc=spb,dc=altlinux,dc=org
timelimit 5
bind_timelimit 5
ssl start_tls

$ sudo grep '^[^#].*' /etc/nss_ldap.conf
host 10.1.1.52 10.1.1.4
base dc=spb,dc=altlinux,dc=org
timelimit 5
bind_timelimit 5
ssl start_tls

$ sudo grep '^[^#].*' /etc/nsswitch.conf
passwd:     files ldap nisplus nis
shadow:     tcb files ldap nisplus nis
group:      files ldap nisplus nis
hosts:      files nisplus nis dns
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
bootparams: nisplus [NOTFOUND=return] files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus

$ sudo tail -85 /var/log/syslog/messages  
Oct 28 22:59:15 dinkum-thinkum slapd[12419]: slapd starting 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 ACCEPT from IP=10.1.1.52:57743 (IP=0.0.0.0:389) 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=0 STARTTLS 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=0 RESULT oid= err=0 text= 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 TLS established tls_ssf=256 ssf=256 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=1 BIND dn="" method=128 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=1 RESULT tag=97 err=0 text= 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=2 SRCH base="dc=spb,dc=altlinux,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=-))" 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= 
Oct 28 22:59:16 dinkum-thinkum id: nss_ldap: reconnected to LDAP server ldap://10.1.1.52 after 5 attempts
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 closed (connection lost) 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 ACCEPT from IP=10.1.1.52:57745 (IP=0.0.0.0:389) 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 op=0 STARTTLS 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 op=0 RESULT oid= err=0 text= 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 TLS established tls_ssf=256 ssf=256 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 op=1 UNBIND 
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 closed 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 ACCEPT from IP=10.1.1.52:57762 (IP=0.0.0.0:389) 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 op=0 STARTTLS 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 op=0 RESULT oid= err=0 text= 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 TLS established tls_ssf=256 ssf=256 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 op=1 UNBIND 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 closed 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 fd=12 ACCEPT from IP=10.1.1.52:57765 (IP=0.0.0.0:389) 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 fd=15 ACCEPT from IP=10.1.1.52:57766 (IP=0.0.0.0:389) 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 op=0 STARTTLS 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 op=0 RESULT oid= err=0 text= 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 op=0 STARTTLS 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 op=0 RESULT oid= err=0 text= 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 fd=12 TLS established tls_ssf=256 ssf=256 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 fd=15 TLS established tls_ssf=256 ssf=256 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 op=1 UNBIND 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=3 fd=12 closed 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 op=1 UNBIND 
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=4 fd=15 closed 
Oct 28 22:59:22 dinkum-thinkum su[12425]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 28 22:59:22 dinkum-thinkum id: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
...

$ sed -n -e ':r /^slapd starting/bo' -e '{n; br}' -e ':o {p; n; bo}' slapd.log 
slapd starting
>>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=0
ber_flush: 14 bytes to sd 12
do_bind: v3 anonymous bind
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 196 contents:
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=spb,dc=altlinux,dc=org>
<<< dnPrettyNormal: <dc=spb,dc=altlinux,dc=org>, <dc=spb,dc=altlinux,dc=org>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=0 op=2 dn="[anonymous]"
=> hdb_search
bdb_dn2entry("dc=spb,dc=altlinux,dc=org")
=> hdb_dn2id("dc=spb,dc=altlinux,dc=org")
<= hdb_dn2id: got id=0x1
entry_decode: ""
<= entry_decode()
search_candidates: base="dc=spb,dc=altlinux,dc=org" (0x00000001) scope=2
=> hdb_dn2idl("dc=spb,dc=altlinux,dc=org")
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 3 candidates
<= bdb_equality_candidates: id=3, first=8, last=18
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search_candidates: id=0 first=1 last=0
hdb_search: no candidates
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=1
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=1 sd=12 for close
connection_close: deferring conn=1 sd=12
connection_resched: attempting closing conn=1 sd=12
connection_close: conn=1 sd=12
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=2
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=2 sd=12 for close
connection_close: deferring conn=2 sd=12
connection_resched: attempting closing conn=2 sd=12
connection_close: conn=2 sd=12
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
>>> slap_listener(ldap:///)
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=3
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(15): unable to get TLS client DN, error=49 id=4
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=3 sd=12 for close
connection_close: deferring conn=3 sd=12
connection_resched: attempting closing conn=3 sd=12
connection_close: conn=3 sd=12
TLS trace: SSL3 alert write:warning:close notify
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 15 failed errno=0 (Success)
connection_closing: readying conn=4 sd=15 for close
connection_close: deferring conn=4 sd=15
connection_resched: attempting closing conn=4 sd=15
connection_close: conn=4 sd=15
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
>>> slap_listener(ldap:///)
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=5
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(15): unable to get TLS client DN, error=49 id=6
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=5 sd=12 for close
connection_close: deferring conn=5 sd=12
connection_resched: attempting closing conn=5 sd=12
connection_close: conn=5 sd=12
TLS trace: SSL3 alert write:warning:close notify
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 15 failed errno=0 (Success)
connection_closing: readying conn=6 sd=15 for close
connection_close: deferring conn=6 sd=15
connection_resched: attempting closing conn=6 sd=15
connection_close: conn=6 sd=15
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldap:///)
connection_get(12): got connid=7
connection_read(12): checking for input on id=7
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
connection_get(12): got connid=7
connection_read(12): checking for input on id=7
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
>>> slap_listener(ldap:///)
connection_get(15): got connid=8
connection_read(15): checking for input on id=8
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
connection_get(15): got connid=8
connection_read(15): checking for input on id=8
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=7
connection_read(12): checking for input on id=7
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=7
connection_get(15): got connid=8
connection_read(15): checking for input on id=8
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(15): unable to get TLS client DN, error=49 id=8
connection_get(12): got connid=7
connection_read(12): checking for input on id=7
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=7 sd=12 for close
connection_close: deferring conn=7 sd=12
connection_get(15): got connid=8
connection_resched: attempting closing conn=7 sd=12
connection_read(15): checking for input on id=8
ber_get_next
connection_close: conn=7 sd=12
ber_get_next: tag 0x30 len 5 contents:
do_unbind
TLS trace: SSL3 alert write:warning:close notify
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 15 failed errno=0 (Success)
connection_closing: readying conn=8 sd=15 for close
connection_close: deferring conn=8 sd=15
connection_resched: attempting closing conn=8 sd=15
connection_close: conn=8 sd=15
TLS trace: SSL3 alert write:warning:close notify
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 threads to terminate
slapd shutdown: initiated
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
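
A defender's answer to the second question, without a debugger: the server-side footprint of the loop is a completed TLS handshake followed by nothing but an UNBIND, repeated, next to nss_ldap's own "reconnecting" syslog notices. The script below is an added example (not code from the post, nss_ldap or OpenLDAP) that groups slapd's stats lines by connection and flags that shape; the sample log is constructed from the lines quoted above, and reading "TLS established then UNBIND" as a client-side rejection is an interpretation of the post's log, not a confirmed diagnosis.

```python
import re

# Constructed sample modelled on the slapd syslog lines quoted in the post (not a live capture).
SAMPLE_LOG = """\
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 ACCEPT from IP=10.1.1.52:57743 (IP=0.0.0.0:389)
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=0 STARTTLS
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 TLS established tls_ssf=256 ssf=256
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=1 BIND dn="" method=128
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 op=2 SRCH base="dc=spb,dc=altlinux,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=-))"
Oct 28 22:59:16 dinkum-thinkum id: nss_ldap: reconnected to LDAP server ldap://10.1.1.52 after 5 attempts
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=0 fd=12 closed (connection lost)
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 ACCEPT from IP=10.1.1.52:57745 (IP=0.0.0.0:389)
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 op=0 STARTTLS
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 TLS established tls_ssf=256 ssf=256
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 op=1 UNBIND
Oct 28 22:59:16 dinkum-thinkum slapd[12419]: conn=1 fd=12 closed
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 ACCEPT from IP=10.1.1.52:57762 (IP=0.0.0.0:389)
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 op=0 STARTTLS
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 TLS established tls_ssf=256 ssf=256
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 op=1 UNBIND
Oct 28 22:59:19 dinkum-thinkum slapd[12419]: conn=2 fd=12 closed
Oct 28 22:59:22 dinkum-thinkum id: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
"""

# syslog prefix + slapd's "conn=N ..." stats line; every other line is ignored.
SLAPD_RE = re.compile(
    r"^\w{3} +\d+ [\d:]{8} \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[\d.]+):\d+")
OP_RE = re.compile(r"op=\d+ (?P<op>STARTTLS|BIND|SRCH|UNBIND)\b")
RECONNECT_RE = re.compile(r"nss_ldap: reconnect(?:ing|ed) to LDAP server")

def parse_connections(text):
    """Group slapd stats lines by connection id: client IP, ops in order, handshake done."""
    conns = {}
    for line in text.splitlines():
        m = SLAPD_RE.match(line)
        if not m:
            continue
        rec = conns.setdefault(int(m.group("conn")),
                               {"client": None, "ops": [], "tls": False})
        rest = m.group("rest")
        if (a := ACCEPT_RE.search(rest)):
            rec["client"] = a.group("ip")
        elif (o := OP_RE.search(rest)):
            rec["ops"].append(o.group("op"))
        elif "TLS established" in rest:
            rec["tls"] = True
    return conns

def aborted_after_tls(conns):
    """Connections where slapd saw a completed handshake and then only an UNBIND.
    slapd logs no error for this: a client that rejects the server certificate in its
    own post-handshake checks simply unbinds, so only the repeated shape gives it away."""
    return sorted(cid for cid, rec in conns.items()
                  if rec["tls"] and "UNBIND" in rec["ops"]
                  and not any(op in ("BIND", "SRCH") for op in rec["ops"]))

def count_reconnect_notices(text):
    """nss_ldap's own syslog lines ("reconnecting to" / "reconnected to")."""
    return sum(1 for line in text.splitlines() if RECONNECT_RE.search(line))

def summarize(text):
    conns = parse_connections(text)
    aborted = aborted_after_tls(conns)
    notices = count_reconnect_notices(text)
    return {
        "connections": len(conns),
        "aborted_after_tls": aborted,
        "aborting_clients": sorted({conns[c]["client"] for c in aborted
                                    if conns[c]["client"]}),
        "reconnect_notices": notices,
        # Two or more abandoned handshakes from a client that also reports reconnecting.
        "looks_like_reconnect_loop": len(aborted) >= 2 and notices > 0,
    }
```

Run `summarize(open("/var/log/syslog/messages").read())` on the real file; the flagged connections are the ones to chase on the client side, since 'tls_checkpeer no' makes the loop disappear only by switching server certificate verification off for every NSS lookup.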

