From owner-freebsd-questions@FreeBSD.ORG Tue Feb 10 12:56:50 2009
Date: Tue, 10 Feb 2009 04:35:07 -0800
Message-ID: <35a7e0160902100435h273627e7g4037b8af5c7bcd80@mail.gmail.com>
From: Arjun Singh
To: freebsd-questions@freebsd.org
Subject: nss_ldap SSL/TLS problems..
Hi,

I'm trying to set up an LDAP server on FreeBSD 7.1-RELEASE. I installed all of the latest versions of openldap24-server, openldap24-client, nss_ldap, and pam_ldap. When I do any sort of ldapsearch or 'getent passwd' or anything, everything works perfectly. The only time I have trouble is when I'm logging in via SSH; then it gets really weird.

1.) When I log in as a user in LDAP only and give the incorrect password first and then supply the correct password, everything works fine. If the user is in wheel, I can sudo.

2.) When I log in as the same user and give only the correct password the first time, it hangs for roughly 45 seconds and then lets me in. Even though this user is in wheel, it says that the user is not in the sudoers file.

Here are the log messages I get in auth.log that correspond to the events above:

sshd[54031]: pam_ldap: error trying to bind as user "uid=user..(cut)..." (Invalid credentials)   # This is the incorrect pw
sshd[54029]: error: PAM: authentication error for user from localhost                            # Incorrect pw
sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable                      # correct pw
sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port 32935 ssh2           # correct pw

When I enter just the right password the first time, I get this in the log:

sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port 51972 ssh2
sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server

Again, when SSL/TLS are disabled, I get normal log output and none of the weird stuff above.
I turned on debugging in nss_ldap.conf and found that each time I gave only the correct password (corresponding with the 45 second hang) I found this in the debug output:

...bunch of normal looking output...
ldap_chkResponseList ld 0x801b31480 msgid 5 all 0
ldap_chkResponseList returns ld 0x801b31480 NULL
ldap_int_select
read1msg: ld 0x801b31480 msgid 5 all 0
ber_get_next
TLS trace: SSL3 alert write:fatal:bad record mac     <--- what is the cause of this?
ldap_free_connection 1 0
ldap_free_connection: actually freed
ldap_err2string
ldap_result ld 0x801b31480 msgid 5
wait4msg ld 0x801b31480 msgid 5 (timeout 30000000 usec)
wait4msg continue ld 0x801b31480 msgid 5 all 0
** ld 0x801b31480 Connections:
** ld 0x801b31480 Outstanding Requests:
 Empty
  ld 0x801b31480 request count 0 (abandoned 0)
** ld 0x801b31480 Response Queue:
 Empty

I get the above regardless of whether I'm using start_tls or ssl. If you have any insight, it'd be really useful. I've spent tons of time scouring lists for help and haven't found anything yet.

Thanks,
-Arjun
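As an added example that is not part of Arjun's post, here is a small Python check over auth.log lines of the kind quoted above (the sample block is constructed from them; PIDs and ports are illustrative). It flags accepted SSH logins that sit next to an nss_ldap "could not reach the server" message, the combination behind a wheel member being told they are not in the sudoers file.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the auth.log lines quoted in the post:
# the message texts are the ones shown there, PIDs and ports illustrative.
SAMPLE_LOG = """\
sshd[54031]: pam_ldap: error trying to bind as user "uid=user..(cut)..." (Invalid credentials)
sshd[54029]: error: PAM: authentication error for user from localhost
sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port 32935 ssh2
sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port 51972 ssh2
sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server
"""

# Matches the 'sshd[pid]: message' part, so lines carrying a syslog
# timestamp/host prefix (as in a real auth.log) are accepted as well.
LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from \S+ port (?P<port>\d+)")
NSS_FAIL_RE = re.compile(r"^nss_ldap: could not [^-]+ - (?P<reason>.*)$")


@dataclass
class Finding:
    user: str
    port: int
    reason: str


def parse_events(log_text):
    """Return (pid, message) tuples for every sshd line, in log order."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            events.append((int(m["pid"]), m["msg"]))
    return events


def logins_with_failed_lookups(log_text, window=1):
    """Accepted logins with an nss_ldap failure within `window` log lines.

    In the quoted log the nss_ldap message comes from a different sshd PID
    than the Accepted line, so correlation is by adjacency, not by PID.  A hit
    means the session's group lookups (e.g. wheel) may have failed silently.
    """
    events = parse_events(log_text)
    findings = []
    for i, (_pid, msg) in enumerate(events):
        acc = ACCEPT_RE.match(msg)
        if not acc:
            continue
        for _, other in events[max(0, i - window): i + window + 1]:
            nss = NSS_FAIL_RE.match(other)
            if nss:
                findings.append(Finding(acc["user"], int(acc["port"]), nss["reason"].strip()))
    return findings
```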