centos 6.3 TLS negotiation failure against openldap
Linux - EnterpriseThis forum is for all items relating to using Linux in the Enterprise.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
centos 6.3 TLS negotiation failure against openldap
We have a mostly 5.x centos environment and we are trying to move to 6.x. The stopping point at this time is setting up 6.3 as an ldap client. I'm at my wits end a bit and don't know where to go from here. I used authconfig to set it up in the same manner as I always have with our 5.x machines. My /etc/openldap/ldap.conf file looks like this:
URI ldap://xxx.xxx.xxx.xxx/
BASE dc=our,dc=base,dc=dc
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
(with hostname and real base replaced with bogus here)
The /etc/ldap.conf file was not there, but reading through Chapter 10 authentication configuration stuff in red hat's docs I found it had been replaced by /etc/pam_ldap.conf and it looks like this:
base dc=our,dc=base,dc=dc
uri ldap://xxx.xxx.xxx.xxx/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
If I try to su - username on the 6.3 client, in the client /var/log/messages it reports:
Oct 19 09:38:41 servername nslcd[1780]: [5558ec] ldap_start_tls_s() failed: Connect error (uri="ldap://xxx.xxx.xxx.xxx/")
Oct 19 09:38:41 chaos nslcd[1780]: [5558ec] failed to bind to LDAP server ldap://xxx.xxx.xxx.xxx/: Connect error
Oct 19 09:38:41 chaos nslcd[1780]: [5558ec] no available LDAP server found
And on our open ldap server it reports:
Oct 19 09:41:06 server slapd[4031]: conn=1861 fd=50 ACCEPT from IP=xxx.xxx.xxx.xxx:50072 (IP=0.0.0.0:389)
Oct 19 09:41:06 server slapd[4031]: conn=1861 op=0 STARTTLS
Oct 19 09:41:06 server slapd[4031]: conn=1861 op=0 RESULT oid= err=0 text=
Oct 19 09:41:06 server slapd[4031]: conn=1861 fd=50 closed (TLS negotiation failure)
I have diffed the files on the 5.x and 6.x machines and they are identical.
If I do a basic ldap search using ldapsearch -x -b "dc=our,dc=base,dc=dc" it returns everything as expected. The logs on the ldap server report:
Oct 19 09:46:50 server slapd[4031]: conn=1871 fd=50 ACCEPT from IP=xxx.xxx.xxx.xxx:50076 (IP=0.0.0.0:389)
Oct 19 09:46:50 server slapd[4031]: conn=1871 op=0 BIND dn="" method=128
Oct 19 09:46:50 server slapd[4031]: conn=1871 op=0 RESULT tag=97 err=0 text=
Oct 19 09:46:50 server slapd[4031]: conn=1871 op=1 SRCH base="dc=our,dc=base,dc=dc" scope=2 deref=0 filter="(objectClass=*)"
Oct 19 09:46:53 server slapd[4031]: conn=1871 op=1 SEARCH RESULT tag=101 err=0 nentries=9805 text=
Oct 19 09:46:54 server slapd[4031]: conn=1871 op=2 UNBIND
Oct 19 09:46:54 server slapd[4031]: conn=1871 fd=50 closed
Additionally I can bind as a particular username and password and it returns results. For some reason it cannot start a tls session and I've exhausted googling and reading redhat docs trying to find out why. Any help would be greatly appreciated.
From the looks of your logs you're trying to communicate through port 389. You may want to configure your ldap.conf file to "talk" on the right port. Also, make sure port 636 is open on both client and server side.
With TLS start, the clients connect on 389 initially, and then start at TLS session to 636..this is how it is suppose to work and does so fine on all clients so far but 6.x. The port is indeed open to both.
With TLS start, the clients connect on 389 initially, and then start at TLS session to 636..this is how it is suppose to work and does so fine on all clients so far but 6.x. The port is indeed open to both.
Did you use the "system-config-authentication" or "authconfig" commands? Or did you edit the files manually?
I ask because I've done it "by hand" before and I've always missed something.
Did you use the "system-config-authentication" or "authconfig" commands? Or did you edit the files manually?
I ask because I've done it "by hand" before and I've always missed something.
-C
I used authconfig. I do notice with authconfig there are more options available than with 5.x and some things checked by default (that I left) in 5.x are not checked by default in 6.x. I did check them to make them identical, though I'm wondering if that is part of the issue. The only thing I added manually is the same as with 5.x, in /etc/openldap/ldap.conf, adding the line TLS_REQCERT allow.
Ah hah! I found something! I brought up another 6.3 box with X installed, and for some reason after running authconfig on it, instead of just start nscd, it also started some service called sssd (which is not running on the other box without X installed). It did not get me any further to success, but DID give me an error in the logs I was not getting on the other one. This seems to be the culprit, but I don't have a clue what to do about it.
Could not start TLS encryption. TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Now, another oddity though. When I do the same ldap search command on this box with the ldaps://, I get results back where on the other I do not.
So is there anyway to tell the 6.x client to trust the cert it is being given?
Well, the example shows doing such with 5 and 6, but with 5 I know TLS_REQCERT allow works as my whole environment works this way. According to the man page this is still allowed in 6. But never the less, I did copy the cert over and point to it to no avail.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.