List: pamldap
Subject: Re: [pamldap] pam_ldap-120 and FreeBSD 4.3
From: David Le Blanc <leblancd () cs ! caltech ! edu>
Date: 2001-07-17 18:15:45
On Tue, Jul 17, 2001 at 09:56:23AM -0700, Eric Parusel wrote:
> Hello,
>
> I've successfully compiled pam_ldap-120, but I get this error when
> I try to use the resulting pam module...
>
> "pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): Unknown
> error"
I'm having this trouble as well, Eric.
However, I built pam_ldap-119 on FreeBSD 4.3-RELEASE.
My LDAP server is Linux RH7.0, running OpenLDAP 2.0.7, with SASL and SSL.
I'm thinking there's a problem with the SSL libs (as well?)...
when I do:
[ domains/IPs masked to protect the guilty ]
ldapsearch -d1 -H ldaps://foo.caltech.edu cn=test
I get:
ldap_create
ldap_url_parse(ldaps://foo.caltech.edu)
ldap_pvt_sasl_getmech
ldap_search
put_filter "(objectclass=*)"
put_filter: simple
put_simple_filter "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.1.3:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: foo.caltech.edu
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, subject: /C=US/ST=California/O=Caltech/OU=CS/CN=foo.caltech.edu/Email=root@cs.caltech.edu, issuer: /C=US/ST=California/O=Caltech/OU=CS/Email=root@cs.caltech.edu
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
Segmentation fault (core dumped)
...but when I use "-ZZ" on the command line of ldapsearch,
i.e., "ldapsearch -ZZ cn=test",
there are no problems with TLS/SSL, and the command succeeds with the output of
the LDAP object.
The difference, from my understanding, is one connects to port 389, and the
other (the one that fails) connects to port 636....
Further, if I comment all SSL/TLS options out of the ldap.conf for pam_ldap,
AND include a "ldap://" URI in /etc/openldap/ldap.conf, while disabling any
"ldaps://" URIs, all works fine.
...
This leads me to believe that either the implementation of "ldaps://",
or both "ldaps://" AND pam_ldap, are "broken" somewhere,
when it comes to encrypting the queries/responses....
If you have different results, I'd like to hear from you.
> *********
>
> What could my problem be??? Could it be what I pointed out above?
>
> Thanks,
>
> Eric Parusel
> Systems Administrator
> Global Relay Communications
>
---Dave Le Blanc
Systems Administrator
Computer Science Department
California Institute of Technology
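Added example, not code from this thread or from the OpenLDAP/pam_ldap projects: a small Python triage helper for `ldapsearch -d1` traces like the one Dave pasted. It pulls out the host:port libldap actually connected to (636 means implicit TLS via `ldaps://`, 389 means plain LDAP that is only encrypted if STARTTLS / `-ZZ` is requested), the peer certificate subject and issuer, how far the `SSL_connect` handshake got, and whether the process died before or after the handshake finished. The embedded trace is a constructed, abridged copy of the one in the message; the `SAMPLE_STARTTLS` text is constructed to illustrate the port-389 branch.

```python
"""Triage helper for OpenLDAP `ldapsearch -d1` debug output (added example).

Reads the trace text and reports: URL and host:port used, TLS mode implied
by that port, the depth-0 certificate DNs, the last handshake step seen, and
whether a segfault happened before or after the handshake completed.
"""
import re

# Constructed sample, abridged from the trace in the message above.
SAMPLE_LDAPS = """\
ldap_create
ldap_url_parse(ldaps://foo.caltech.edu)
ldap_connect_to_host: Trying 10.1.1.3:636
ldap_int_sasl_open: foo.caltech.edu
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, subject: /C=US/ST=California/O=Caltech/OU=CS/CN=foo.caltech.edu/Email=root@cs.caltech.edu, issuer: /C=US/ST=California/O=Caltech/OU=CS/Email=root@cs.caltech.edu
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
Segmentation fault (core dumped)
"""

# Constructed sample for the `ldapsearch -ZZ` case (plain port, then STARTTLS).
SAMPLE_STARTTLS = """\
ldap_create
ldap_url_parse(ldap://foo.caltech.edu)
ldap_connect_to_host: Trying 10.1.1.3:389
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 read finished A
ldap_result ld 0x8063000 msgid 2
"""

_URL_RE = re.compile(r"ldap_url_parse\((?P<url>[^)]+)\)")
_TRY_RE = re.compile(r"ldap_connect_to_host: Trying (?P<ip>[\d.]+):(?P<port>\d+)")
_TLS_RE = re.compile(r"^TLS trace: SSL_connect:(?P<step>.+)$")
_CERT_RE = re.compile(
    r"^TLS certificate verification: depth: (?P<depth>\d+), "
    r"subject: (?P<subject>.+?), issuer: (?P<issuer>.+)$"
)


def tls_mode(url, port):
    """Describe how encryption is negotiated for this URL/port combination."""
    if url.startswith("ldaps://") or port == 636:
        return "implicit TLS (ldaps://, handshake before any LDAP PDU)"
    return "plain LDAP (encrypted only if STARTTLS / -ZZ is requested)"


def parse_trace(text):
    """Return a dict summarising a -d1 trace; safe on partial/garbled input."""
    r = {"url": "", "ip": None, "port": None, "tls_steps": [], "certs": [],
         "crashed": False, "last_line": None}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        r["last_line"] = line
        if m := _URL_RE.search(line):
            r["url"] = m.group("url")
        elif m := _TRY_RE.search(line):
            r["ip"], r["port"] = m.group("ip"), int(m.group("port"))
        elif m := _TLS_RE.match(line):
            r["tls_steps"].append(m.group("step"))
        elif m := _CERT_RE.match(line):
            r["certs"].append({"depth": int(m.group("depth")),
                               "subject": m.group("subject"),
                               "issuer": m.group("issuer")})
        elif line.startswith("Segmentation fault"):
            r["crashed"] = True
    r["mode"] = tls_mode(r["url"], r["port"])
    # libldap logs 'read finished A' once the server's Finished message has
    # been verified, i.e. the client side considers the handshake complete.
    r["handshake_complete"] = "SSLv3 read finished A" in r["tls_steps"]
    r["last_tls_step"] = r["tls_steps"][-1] if r["tls_steps"] else None
    # A depth-0 cert whose issuer equals its subject is self-signed; a
    # different issuer DN only says it was signed by some other cert, not
    # that the client trusts that CA (the -d1 trace does not show that).
    leaf = next((c for c in r["certs"] if c["depth"] == 0), None)
    r["self_signed"] = bool(leaf) and leaf["subject"] == leaf["issuer"]
    return r


def crash_phase(summary):
    """Locate a segfault relative to the TLS handshake: 'none', 'during', 'after'."""
    if not summary["crashed"]:
        return "none"
    return "after handshake" if summary["handshake_complete"] else "during handshake"


if __name__ == "__main__":
    for name, sample in (("ldaps", SAMPLE_LDAPS), ("starttls", SAMPLE_STARTTLS)):
        s = parse_trace(sample)
        print(f"{name}: {s['ip']}:{s['port']} {s['mode']}; last TLS step "
              f"{s['last_tls_step']!r}; crash: {crash_phase(s)}")
```

Run against the pasted trace this reports port 636, a completed handshake and a crash after it, which is the detail worth leading with in a bug report: the failure is not a certificate rejection or a handshake abort, it happens once libldap starts using the established TLS session.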