Date:      Tue, 10 Feb 2009 13:00:34 -0800
From:      Chris Cowart <ccowart@rescomp.berkeley.edu>
To:        Arjun Singh <arjun810@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: nss_ldap SSL/TLS problems..
Message-ID:  <20090210210034.GD10513@hal.rescomp.berkeley.edu>
In-Reply-To: <35a7e0160902100435h273627e7g4037b8af5c7bcd80@mail.gmail.com>
References:  <35a7e0160902100435h273627e7g4037b8af5c7bcd80@mail.gmail.com>



Arjun Singh wrote:
> I'm trying to set up an ldap server on FreeBSD 7.1-RELEASE.
>
> I installed all of the latest versions of openldap24-server,
> openldap24-client, nss_ldap, and pam_ldap.
>
> When I do any sort of ldapsearch or 'getent passwd' or anything, everything
> works perfectly. The only time I have trouble is when I'm logging in via
> SSH..then it gets really weird.
>
> 1.) When I log in as a user in LDAP only and give the incorrect password
> first and then supply the correct password, everything works fine. If the
> user is in wheel, I can sudo.
> 2.) When I log in as the same user and give only the correct password the
> first time, it hangs for roughly 45 seconds and then lets me in. Even though
> this user is in wheel, it says that the user is not in the sudoers file.
>
> Here are the log messages I get in auth.log that correspond to the events
> above:
>
> sshd[54031]: pam_ldap: error trying to bind as user "uid=user..(cut)..."
> (Invalid credentials) # This is the incorrect pw
> sshd[54029]: error: PAM: authentication error for user from localhost
> #Incorrect pw
> sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable
> # correct pw
> sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port
> 32935 ssh2 #correct pw
>
> When I enter just the right password, the first time, I get this in the log:
>
> sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port
> 51972 ssh2
> sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server
>
> Again, when SSL/TLS are disabled, I get normal log output and none of the
> weird stuff above..
>
> I turned on debugging in nss_ldap.conf and found that each time I gave only
> the correct password (corresponding with the 45 second hang) I found this in
> the debug output:
>
> ...bunch of normal looking output...
> ldap_chkResponseList ld 0x801b31480 msgid 5 all 0
> ldap_chkResponseList returns ld 0x801b31480 NULL
> ldap_int_select
> read1msg: ld 0x801b31480 msgid 5 all 0
> ber_get_next
> TLS trace: SSL3 alert write:fatal:bad record mac <--- what is the cause of
> this?
> ldap_free_connection 1 0
> ldap_free_connection: actually freed
> ldap_err2string
> ldap_result ld 0x801b31480 msgid 5
> wait4msg ld 0x801b31480 msgid 5 (timeout 30000000 usec)
> wait4msg continue ld 0x801b31480 msgid 5 all 0
> ** ld 0x801b31480 Connections:
> ** ld 0x801b31480 Outstanding Requests:
>    Empty
>   ld 0x801b31480 request count 0 (abandoned 0)
> ** ld 0x801b31480 Response Queue:
>    Empty
>
> I get the above regardless of whether I'm using start_tls or ssl.
>
> If you have any insight, it'd be really useful. I've spent tons of time
> scouring lists for help and haven't found anything yet..

I don't have any more insight into the problem other than to say we've
had some similar issues in our environment. Initial password-based
logins do not have groups initialized, but SSH key logins and /bin/login
logins have groups initialized successfully.

We were piloting nscd on some of our 7.0 boxes. It turns out that
enabling nscd was a successful workaround. We have since enabled it on
the rest of our 7.0 installations.

Anyone out there have ideas?

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
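
The two auth.log patterns quoted in the thread (an nss_ldap failure logged before PAM accepts the login, versus one logged after the "Accepted" line, which is the case that left the session without its wheel membership) can be told apart mechanically. The following is an added example, not code from either poster; the sample log lines are constructed in the shape of the quoted ones, and the PID-proximity window used to tie an nss_ldap error to a login is an assumption, not something the thread states.

```python
import re

# Constructed sample shaped like the auth.log excerpts in the post above
# (no syslog timestamp/host prefix, like the quoted lines). Not real log data.
SAMPLE_AUTH_LOG = """\
sshd[54031]: pam_ldap: error trying to bind as user "uid=user..(cut)..." (Invalid credentials)
sshd[54029]: error: PAM: authentication error for user from localhost
sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port 32935 ssh2
sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port 51972 ssh2
sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server
"""

ACCEPTED = re.compile(r"^sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")
NSS_FAIL = re.compile(r"^sshd\[(\d+)\]: nss_ldap: (.+)$")

# Assumption (heuristic): the sshd children serving one login get PIDs within
# this many of the PID that logs the "Accepted" line.
PID_WINDOW = 16


def analyze_auth_log(lines):
    """One record per Accepted login; nss_ldap errors are attached to the login
    whose Accepted PID is closest below the error's PID (within PID_WINDOW).
    An error logged before the Accepted line is pre-auth (PAM's retry worked);
    one logged after it is post-auth, the pattern that loses the LDAP groups."""
    logins, errors = [], []
    for idx, raw in enumerate(lines):
        line = raw.strip()
        m = ACCEPTED.match(line)
        if m:
            pid, method, user, host, port = m.groups()
            logins.append({"line": idx, "pid": int(pid), "method": method, "user": user,
                           "host": host, "port": int(port),
                           "pre_auth_nss_errors": [], "post_auth_nss_errors": []})
            continue
        m = NSS_FAIL.match(line)
        if m:
            errors.append((idx, int(m.group(1)), m.group(2)))
    for idx, pid, msg in errors:
        near = [lg for lg in logins if 0 <= pid - lg["pid"] <= PID_WINDOW]
        if not near:
            continue  # nss_ldap failure with no matching SSH login (e.g. a cron job)
        login = min(near, key=lambda lg: pid - lg["pid"])
        key = "pre_auth_nss_errors" if idx < login["line"] else "post_auth_nss_errors"
        login[key].append(msg)
    for lg in logins:
        # PAM said yes, then the NSS lookup failed: group list is likely incomplete
        lg["groups_suspect"] = bool(lg["post_auth_nss_errors"])
    return logins


if __name__ == "__main__":
    for rec in analyze_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(rec["pid"], rec["user"], "GROUPS SUSPECT" if rec["groups_suspect"] else "ok")
```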

