
List:       sssd-users
Subject:    Re: [SSSD-users] RHEL V6.4: nslcd need to start tls and ssl in a specific order
From:       "Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)" <licause () hp ! com>
Date:       2013-08-19 14:39:46
Message-ID: 5D18EEAFC11A0D4FAA5F6902124D35C60A81A9BF () G5W2727 ! americas ! hpqcorp ! net

Thanks much Harry,

I commented one of these lines and then the other and even rebooted the system just to clear any cache that might be hanging on to old data... and now neither line seems to be necessary.

Ah... the frustrations of LDAP and all of its related components.

Al Licause
HP L2 UNIX Network Services
HP Customer Support Center
Hours 7am-3pm Pacific time USA
Manager: tom.cernilli@hp.com

From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Harry Sutton
Sent: Saturday, August 17, 2013 4:33 AM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] RHEL V6.4: nslcd need to start tls and ssl in a specific order

On 08/16/2013 06:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
I know this forum is about sssd, but I am working with a customer that cannot run sssd due to a configuration issue on their LDAP servers. I didn't know where else to ask this question other than to raise a formal elevation, which I can do if so requested or if this is found to be a bug.

This customer has opted to use nslcd over encrypted links. In testing this configuration I noticed two oddities. These two lines are required in nslcd.conf to get the encryption started:

ssl start_tls
ssl on

I was always under the impression that if you use SSL, you shouldn't use or start TLS, and vice versa: if TLS has been started, then don't start SSL. Am I misinterpreting what is being enabled with these two options?

What is even stranger is that they are position dependent. The start_tls line must come before the ssl on line; otherwise the encryption will not start correctly and the connections will fail.

To my knowledge this seems to be the only position dependent option I have run into so far.

Was this intended?

Al Licause
HP L2 UNIX Network Services
HP Customer Support Center
Hours 7am-3pm Pacific time USA
Manager: tom.cernilli@hp.com

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

My guess is that the position dependence you mention means that when you specify more than one setting for ssl in nslcd.conf (see http://linux.die.net/man/5/nslcd.conf or 'man nslcd.conf' on your local system), only the first one is used and subsequent ones are ignored (contrary to other configs, where only the last reference is the one used).

The syntax of the nslcd.conf file allows for one of three settings to ssl: on, off, or start_tls, so the two lines you're using are actually two different settings. Your customer is using TLS (as they should, since it supersedes SSL), so the correct setting in nslcd.conf is 'ssl start_tls'. The second line, 'ssl on', shouldn't be needed, and the fact that the configuration breaks when that's the first setting suggests that it's being ignored once start_tls is triggered.

Have you tried removing the 'ssl on' line from nslcd.conf? The customer configuration should work correctly without that; if it doesn't, then I'm thinking that's a bug.

    /Harry
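An added example, not part of this thread and not code from nss-pam-ldapd: in nslcd.conf(5), `ssl` is a single option whose value is one of `on` (raw LDAP over TLS, the ldaps:// scheme, normally port 636), `off`, or `start_tls` (the StartTLS extended operation on a plain ldap:// connection, normally port 389). A file containing both `ssl start_tls` and `ssl on` therefore gives one option two different values, and whichever line the daemon honours is an accident of parser precedence rather than a combination of the two. The Python below lints the TLS-related directives of an nslcd.conf: it reports duplicate or invalid `ssl` lines, a `uri` scheme that does not match the chosen mode, and a `tls_reqcert` level that does not enforce server certificate verification (without that, the channel is encrypted but accepts whatever certificate an interposed host presents). `lint_tls`, `SAMPLE_CONF` and the sample file contents are this example's own constructions, modelled on the configuration quoted above.

```python
"""Lint the TLS-related directives of an nslcd.conf file.

Added example; not code from the thread or from nss-pam-ldapd. It assumes the
directive syntax documented in nslcd.conf(5): one keyword per line, with
'ssl on|off|start_tls', 'uri <ldap-uri> ...' and 'tls_reqcert <level>'.
"""
import re

# Constructed sample modelled on the customer's configuration in the thread.
SAMPLE_CONF = """\
# /etc/nslcd.conf (constructed sample)
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
ssl on
tls_reqcert allow
"""

VALID_SSL = ("on", "off", "start_tls")
STRICT_REQCERT = ("demand", "hard")


def parse_directives(text):
    """Return a list of (lineno, keyword, value) for every non-blank, non-comment line."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((n, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def uri_schemes(uri_values):
    """Collect the URI schemes in use; one 'uri' line may carry several URIs."""
    schemes = set()
    for value in uri_values:
        for token in value.split():
            m = re.match(r"([a-z]+)://", token.lower())
            schemes.add(m.group(1) if m else "unknown")
    return schemes


def lint_tls(text):
    """Return a list of (severity, message) findings; an empty list is a clean file."""
    directives = parse_directives(text)
    ssl_lines = [(n, v.lower()) for n, k, v in directives if k == "ssl"]
    schemes = uri_schemes(v for _, k, v in directives if k == "uri")
    reqcert = [v.lower() for _, k, v in directives if k == "tls_reqcert"]
    findings = []

    # 'ssl' takes exactly one of three values; two lines are two competing values.
    for n, v in ssl_lines:
        if v not in VALID_SSL:
            findings.append(("error", f"line {n}: 'ssl {v}' is not one of {VALID_SSL}"))
    if len(ssl_lines) > 1:
        seen = ", ".join(f"'{v}' (line {n})" for n, v in ssl_lines)
        findings.append(("error", "'ssl' is given more than once: " + seen
                         + "; keep exactly one line so the mode does not depend on parser precedence"))

    # The transport mode has to agree with the URI scheme.
    modes = {v for _, v in ssl_lines} or {"off"}
    if "off" in modes:
        findings.append(("warn", "'ssl off' (or no ssl line): directory queries and bind credentials are sent in cleartext"))
    if "on" in modes and "ldap" in schemes:
        findings.append(("warn", "'ssl on' is raw LDAP-over-TLS but a uri uses ldap://; use ldaps:// or 'ssl start_tls'"))
    if "start_tls" in modes and "ldaps" in schemes:
        findings.append(("warn", "'ssl start_tls' issues StartTLS on a plain connection but a uri uses ldaps://"))

    # Encryption without certificate verification still permits a man-in-the-middle.
    if modes - {"off"}:
        if not reqcert:
            findings.append(("info", "tls_reqcert is not set; certificate checking falls back to the libldap default (see ldap.conf(5))"))
        elif reqcert[-1] not in STRICT_REQCERT:
            findings.append(("warn", f"'tls_reqcert {reqcert[-1]}' does not enforce server certificate verification; use 'tls_reqcert demand'"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_tls(SAMPLE_CONF):
        print(f"{severity:5s} {message}")
```

Run against the sample, it flags the duplicate `ssl` lines, the `ssl on` / `ldap://` mismatch and the permissive `tls_reqcert allow`; a file with a single `ssl start_tls`, an `ldap://` URI and `tls_reqcert demand` (or `ssl on` with `ldaps://`) produces no findings.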

