----- "Chuck Keagle" <[EMAIL PROTECTED]> wrote:
> Quanah,
> 
> I set loglevel to 341 in slapd.conf (trace function calls,
> configuration
> file processing, and stats log connections/operations/results) and
> restarted slapd.
> 
> I then set local4.* to be written to /var/log/ldap.log and restarted
> syslogd.  Could have just sent it a SIGHUP but used the sledge
> hammer.
> 
> When a general user does an ldapsearch:
> 
>     ldapsearch -x -b 'cn=Harvey Snarkfarkel,ou=people,dc=localdomain'
> 
> it completes successfully without having to enter a bind password.  I
> think that is because I set it up to allow anyone to read.  I'll work
> on
> being more secure later.

This isn't binding as any user, this is specifically doing an anonymous bind, 
while looking at the entry for cn=Harvey Snarkfarkel.  If you wanted to bind as 
Harvey, you'd do:

ldapsearch -x -D 'cn=Harvey Snarkfarkel,ou=people,dc=localdomain' -b 'cn=Harvey Snarkfarkel,ou=people,dc=localdomain' -W

> I then ran authconfig as follows:
> 
>     authconfig --enableldap --enableldaptls --ldapserver denali.sdc.cs.boeing.com --ldapbasedn dc=localdomain
> 
> One thing I had to do running authconfig was create a pem file in
> /etc/openldap/cacerts.  All I did there was to create a symbolic
> link:
> 
> ls -la /etc/openldap/cacerts/
> total 20
> drwxr-xr-x  2 root root 4096 Aug 21 11:06 .
> drwxr-xr-x  4 root root 4096 Aug 21 15:32 ..
> lrwxrwxrwx  1 root root   23 Aug 21 11:06 CA.pem -> /usr/share/swamp/CA.pem

Can the user that slapd runs as read /usr/share/swamp/CA.pem?
I also suggest making an x509 hash of the CA cert.

> Below are the entries added to /var/log/ldap.log when trying to ssh
> to
> this host as the ldap only user.  What causes the ber_get_next failed
> errno=11 and TLS accept error?  errno 11 is just a Try Again error. 
> What
> resource would not be available?

You can ignore the resource temporarily unavailable error.

> Aug 21 15:33:29 denali slapd[30178]: connection_read(12): TLS accept error error=-1 id=0, closing
> Aug 21 15:34:29 denali slapd[30178]: connection_read(12): TLS accept error error=-1 id=1, closing
> Aug 21 15:34:29 denali slapd[30178]: connection_closing: readying conn=1 sd=12 for close
> Aug 21 15:34:29 denali slapd[30178]: connection_close: conn=1 sd=12
> Aug 21 15:34:29 denali slapd[30178]: conn=1 fd=12 closed
> 
> Thanks for helping me get a clearer picture of what is happening.  It
> was
> a big help.  Now I just need to figure out how to follow the leads. 
> Ideas
> on where to look and what to look for would be greatly appreciated.

Can you use TLS from the command line to talk to slapd?  Did you set up the 
system ldap.conf or the user's .ldaprc to point at the correct CA cert?

You can test TLS from the command line with:

ldapsearch -ZZ -x

The -ZZ flag forces startTLS to be successful.

--Quanah
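The checks Quanah lists (can the slapd account read the CA file, is there an x509 hash link for the CA, does ldap.conf point at the right CA, does StartTLS succeed from the command line) as a set of small shell helpers. This is an added example, not code from the thread or from the OpenLDAP project. It assumes `openssl` and `ldapsearch` are on PATH, that the caller supplies the slapd account name and the cacerts directory, and that `readable_as_user` is run as root (it switches user with `su`).

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for verifying a slapd / ldap.conf
# TLS setup. Assumes openssl and ldapsearch are installed; account names and
# paths are passed in by the caller.

# Print the OpenSSL subject hash of a certificate: the 8 hex characters that
# name the <hash>.N link a TLS_CACERTDIR / -CApath lookup searches for.
ca_subject_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Create the <hash>.N link for a CA in the cacerts directory. Picks the first
# free suffix, so two CAs whose subjects hash alike can coexist; re-running on
# the same certificate is a no-op. Prints the link path.
install_ca_hash() {
    _cert=$1
    _dir=$2
    _hash=$(ca_subject_hash "$_cert") || return 1
    _n=0
    while [ -e "$_dir/$_hash.$_n" ]; do
        # Same certificate already linked under this name: done.
        if cmp -s "$_dir/$_hash.$_n" "$_cert"; then
            printf '%s\n' "$_dir/$_hash.$_n"
            return 0
        fi
        _n=$((_n + 1))
    done
    ln -s "$_cert" "$_dir/$_hash.$_n" && printf '%s\n' "$_dir/$_hash.$_n"
}

# Does a hash-directory lookup actually resolve this CA? This is the same
# lookup a TLS_CACERTDIR-based client performs, so it fails until the
# <hash>.N link exists even though the file itself is present.
ca_verifies_via_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Can <user> read <file>, following symlinks? slapd opens its CA file as its
# own account, so root being able to read it proves nothing. Needs root.
readable_as_user() {
    _user=$1
    _file=$2
    su -s /bin/sh -c "test -r '$_file'" "$_user"
}

# Print the value of one option (e.g. TLS_CACERT, TLS_CACERTDIR) from an
# ldap.conf or .ldaprc; option names are matched case-insensitively.
ldap_conf_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" \
        '$1 !~ /^#/ && toupper($1) == key { print $2; exit }' "$1"
}

# Anonymous root-DSE search that insists on StartTLS (-ZZ): exit status 0
# means the certificate chain was accepted by the client-side config.
starttls_ok() {
    ldapsearch -ZZ -x -H "ldap://$1" -s base -b '' >/dev/null 2>&1
}
```

Typical use on the host from the thread would be `install_ca_hash /usr/share/swamp/CA.pem /etc/openldap/cacerts`, then `readable_as_user ldap /usr/share/swamp/CA.pem` (substituting whatever account slapd runs as), `ldap_conf_value /etc/openldap/ldap.conf TLS_CACERT` to confirm the client points at the same file, and finally `starttls_ok denali.sdc.cs.boeing.com`.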
