
List:       pamldap
Subject:    Re: [pamldap] pam_ldap-120 and FreeBSD 4.3
From:       David Le Blanc <leblancd () cs ! caltech ! edu>
Date:       2001-07-17 18:15:45

On Tue, Jul 17, 2001 at 09:56:23AM -0700, Eric Parusel wrote:
> Hello,
> 
> I've successfully compiled pam_ldap-120, but I get this error when
> I try to use the resulting pam module...
> 
> "pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): Unknown
> error"

I'm having this trouble as well, Eric.
However, I built pam_ldap-119 onto FreeBSD 4.3-RELEASE.
My LDAP server is Linux RH7.0, running OpenLDAP 2.0.7, with SASL, and SSL.

I'm thinking there's a problem with the SSL libs (as well?)...

When I do:

[ domains/IPs masked to protect the guilty ]
	ldapsearch -d1 -H ldaps://foo.caltech.edu cn=test 

I get:

	ldap_create
	ldap_url_parse(ldaps://foo.caltech.edu)
	ldap_pvt_sasl_getmech
	ldap_search
	put_filter "(objectclass=*)"
	put_filter: simple
	put_simple_filter "objectclass=*"
	ldap_send_initial_request
	ldap_new_connection
	ldap_int_open_connection
	ldap_connect_to_host
	ldap_new_socket: 3
	ldap_prepare_socket: 3
	ldap_connect_to_host: Trying 10.1.1.3:636
	ldap_connect_timeout: fd: 3 tm: -1 async: 0
	ldap_ndelay_on: 3
	ldap_is_sock_ready: 3
	ldap_ndelay_off: 3
	ldap_int_sasl_open: foo.caltech.edu
	TLS trace: SSL_connect:before/connect initialization
	TLS trace: SSL_connect:SSLv2/v3 write client hello A
	TLS trace: SSL_connect:SSLv3 read server hello A
	TLS certificate verification: depth: 0, subject: /C=US/ST=California/O=Caltech/OU=CS/CN=foo.caltech.edu/Email=root@cs.caltech.edu, issuer: /C=US/ST=California/O=Caltech/OU=CS/Email=root@cs.caltech.edu
	TLS trace: SSL_connect:SSLv3 read server certificate A
	TLS trace: SSL_connect:SSLv3 read server done A
	TLS trace: SSL_connect:SSLv3 write client key exchange A
	TLS trace: SSL_connect:SSLv3 write change cipher spec A
	TLS trace: SSL_connect:SSLv3 write finished A
	TLS trace: SSL_connect:SSLv3 flush data
	TLS trace: SSL_connect:SSLv3 read finished A
	Segmentation fault (core dumped)

...but when I use "-ZZ" on the command line of ldapsearch,
i.e., "ldapsearch -ZZ cn=test",
there are no problems with TLS/SSL, and the command succeeds with the output of
the LDAP object.
The difference, from my understanding, is one connects to port 389, and the
other (the one that fails) connects to port 636....

Further, if I comment all SSL/TLS options out of the ldap.conf for pam_ldap,
AND include a "ldap://" URI in /etc/openldap/ldap.conf, while disabling any
"ldaps://" URIs, all works fine.
...
This leads me to believe that either the implementation of "ldaps://", 
or both "ldaps://" AND pam_ldap, are "broken" somewhere,
when it comes to encrypting the queries/responses....

If you have different results, I'd like to hear from you.

> *********
> 
> What could my problem be???   Could it be what I pointed out above?
> 
> Thanks,
> 
> Eric Parusel
> Systems Administrator
> Global Relay Communications
> 


---Dave Le Blanc
Systems Administrator
Computer Science Department
California Institute of Technology
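To make sense of a trace like the one in the message above, here is an added example (not part of this thread, nor code from OpenLDAP or pam_ldap) that parses an `ldapsearch -d1` trace and reports the target address, the last SSL_connect step reached, whether the TLS handshake had completed before the crash, and whether the leaf certificate's CN matches the host that was contacted. The sample trace is constructed from the format shown in the message; the field names in the result dict are my own.

```python
import re

# Constructed sample (not a real capture): a trimmed ldapsearch -d1 trace in
# the format shown in the message above.
SAMPLE_TRACE = """\
ldap_url_parse(ldaps://foo.caltech.edu)
ldap_connect_to_host: Trying 10.1.1.3:636
ldap_int_sasl_open: foo.caltech.edu
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, subject: /C=US/ST=California/O=Caltech/OU=CS/CN=foo.caltech.edu/Email=root@cs.caltech.edu, issuer: /C=US/ST=California/O=Caltech/OU=CS/Email=root@cs.caltech.edu
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 read finished A
Segmentation fault (core dumped)
"""

TARGET_RE = re.compile(r"ldap_connect_to_host: Trying (\S+):(\d+)")
HOST_RE = re.compile(r"ldap_int_sasl_open: (\S+)")
CERT_RE = re.compile(r"TLS certificate verification: depth: (\d+), subject: ([^,]+), issuer: (\S+)")
STEP_RE = re.compile(r"TLS trace: SSL_connect:(.+)")


def parse_dn(dn):
    """Split an OpenSSL-style '/C=US/O=...' DN into an attribute -> value dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)


def analyze_trace(text):
    """Summarise how far an ldapsearch -d1 TLS session got and which cert it saw."""
    r = {"ip": None, "port": None, "host": None, "certs": [], "last_step": None, "crashed": False}
    for line in text.splitlines():
        line = line.strip()
        if m := TARGET_RE.search(line):
            r["ip"], r["port"] = m.group(1), int(m.group(2))
        elif m := HOST_RE.search(line):
            r["host"] = m.group(1)
        elif m := CERT_RE.search(line):
            r["certs"].append({"depth": int(m.group(1)), "subject": parse_dn(m.group(2)),
                               "issuer": parse_dn(m.group(3))})
        elif m := STEP_RE.search(line):
            r["last_step"] = m.group(1).strip()
        elif "Segmentation fault" in line:
            r["crashed"] = True
    # The handshake is complete once the client has read the server's Finished message.
    r["handshake_complete"] = bool(r["last_step"]) and "read finished" in r["last_step"]
    leaf = next((c for c in r["certs"] if c["depth"] == 0), None)
    # The leaf CN should name the host that was contacted; a mismatch should fail verification.
    r["cn_matches_host"] = bool(leaf) and leaf["subject"].get("CN") == r["host"]
    # Verification callbacks only at depth 0 mean no issuer cert appeared in the verified chain.
    r["issuer_verified"] = any(c["depth"] > 0 for c in r["certs"])
    return r


if __name__ == "__main__":
    for key, value in analyze_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

For the constructed trace the handshake is reported as complete and the crash as occurring afterwards, which is what separates a client-library fault from a TLS negotiation failure.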

